As concern over personal data protections continues to mount, representatives for six major tech and communications companies, including Google, Amazon and Apple, told federal lawmakers today that they supported federal data privacy legislation—so long as it is not nearly as strict as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act.
High-ranking executives for Google, Amazon, Apple, Twitter, Charter Communications and AT&T implored members of the Senate Commerce, Science and Transportation Committee to consider federal consumer data privacy regulations that would give consumers some protections while still allowing for their companies to collect and use personal data.
“The question is no longer whether we need a federal law to protect consumers’ privacy,” said South Dakota Sen. John Thune, a Republican who chairs the Senate committee. “The question is: what shape will that law take?”
Representatives from all of the companies encouraged a federal law that would preempt state-level laws that might impose more restrictions on the companies or might result in a “patchwork” set of rules that vary state-by-state. Leonard Cali, the senior vice president of global public policy at AT&T, urged lawmakers to “strike the right balance” between protecting consumer privacy and still allowing businesses to collect and use personal data. Cali described the GDPR law as “overly prescriptive and extremely burdensome,” and said that the California Consumer Privacy Act was too restrictive when it comes to data collection abilities.
“What we’re urging is a comprehensive federal law that looks at both of these laws, learns from these laws, and does better than them,” Cali said.
Google chief privacy officer Keith Enright and Apple software technology vice president Guy Tribble both discouraged legislators from taking the same steps as GDPR, saying that small and medium-sized businesses might be less able to finance the compliance costs related to strict regulatory frameworks. Damien Kieran, the global data protection officer and associate legal director of Twitter, said that relatively small social media companies would be impacted negatively and disproportionately by GDPR-like legislation.
Andrew DeVore, Amazon’s vice president and associate general counsel, said that the California privacy bill contained provisions that “do not promote best privacy practices.”
Tech companies are rushing to get a seat at the table for a federal data privacy framework that could have major implications for their businesses. The push for regulation is a reversal of tech companies’ longtime approach of resisting regulation, and is an effort to preempt the strict California Consumer Privacy Act, said Omer Tene, the vice president and chief knowledge officer of the nonpartisan International Association of Privacy Professionals.
“Standing alone, California is the fifth biggest economy in the world, and there are probably very few businesses in the U.S. that don’t have California customers,” Tene said. “Effectively, a California law becomes a national standard, and in that case, if it is a strict standard, it is evident why companies want Washington to preempt that with something more lenient.”
During the hearing, Massachusetts Sen. Ed Markey said he was eager to draft a strong national privacy law before preemption was discussed. Similarly, New Mexico Sen. Tom Udall warned against advancing a “weak” law that would prevent states from taking their own action.
“Each one of your companies has said publicly or privately that we must push through federal legislation based on a framework that preempts states from passing their own protections, and I’m here to say we cannot push through a weak federal law that preempts states and leaves consumers, especially children, without the necessary safeguards and protections,” Udall said.
Some lawmakers have signaled that they support the idea of giving the Federal Trade Commission more legal authority to make rules pertaining to data privacy and consumer protection. But when pressed by Florida Sen. Bill Nelson, some representatives balked at the idea that Congress might give the FTC rule-making power.
Nevada Sen. Catherine Cortez Masto indicated that she supported a default opt-in option, which would require consumers to affirmatively consent to sharing personal data with companies. Rachel Welch, Charter Communications’ senior vice president of policy and external affairs, said Charter supported opt-in privacy controls, which she said was a good business decision, but the executives from the other companies disagreed, saying that a default opt-in option may limit their ability to serve their customers certain personalized tools.
The hearing was the first of several to consider federal consumer data privacy regulations, which come in the wake of GDPR and some state-level consumer privacy rules. The Trump administration has reportedly met with representatives from companies like Facebook and Google to craft federal legislation, but it is likely still many months before federal privacy legislation is considered by legislators.
“Where this is headed depends to a great extent on the midterm elections,” Tene said. “The legislative process starts with the administration, but it ends in Congress, and it is currently very difficult to predict what Congress will look like a month and a half down the road. But [privacy] issues aren’t exactly partisan … and on these issues, surprisingly, there is a great deal of convergence from the political parties.”