When it comes to digital privacy, the U.S. is riding in a car without a seatbelt. A poor choice with long-range impact. The tech industry could unintentionally set precedent for other industries with its frugal acceptance of regulations.
Google, Microsoft, Facebook and IBM are lobbying the Trump administration for a federal privacy law in a bid to overrule California's newly minted state privacy bill. The language, similar to that of GDPR, is too aggressive for their liking.
While big tech views the majority of regulations as a threat, privacy is a simpler issue. GDPR, like California's Consumer Privacy Act of 2018, boils down to having a granular level understanding of where sensitive data lives and how efficiently it can be accessed.
But the narrative around this has been perceptually negative for companies. It's as if they are saying, "you are handcuffing me as an organization, you are not allowing me to succeed in the way I've traditionally succeeded," said Callum Corr, data analytics specialist at ZL Technologies, in an interview with CIO Dive.
It's understandable big tech isn't welcoming to a policy change that could aggravate its authority.
It's as if they are saying, "you are handcuffing me as an organization, you are not allowing me to succeed in the way I've traditionally succeeded."
The seemingly more laissez-faire approach to digital privacy comes down to a cultural difference between the states and the European Union. Compared the EU, the U.S. is a more "litigation-happy society" and a courtroom can be the last obstacle, according to Corr.
At some point, however, organizations need checks and balances to make sure they are fair and safe.
"The world of technology has been one hell of a great place," and because of the standards it creates and essentially sets for itself, its influence over other industries is notable and alarming, according to Corr.
The language has to change
Big tech wants to change a lot of the language in California's bill, if not remove it completely.
Among the key changes are where information is stored, how quickly businesses need to respond to a consumer's data request and steep fines, according to Corr.
No text has been revealed yet, making the tech industry's specific desires unknown, but "we know they do not support meaningful opt-in consent, right to know or civil liability for violating privacy to start," Ernesto Falcon, legislative counsel for the Electronic Frontier Foundation, told CIO Dive.
Organizations are trying to find a compromise of sorts. The U.S. Chamber of Commerce, Internet Association and Information Technology Industry Council are making efforts to craft voluntary standards in place of legal mandates. But an honor-based system could be futile.
The Information Technology Industry Council declined to comment and the Chamber of Commerce could not be reached for comment.
"It's not binding enough," said Corr. "Why am I going to opt into this? It's not beneficial to me," which makes it unlikely tech companies would vastly change any of their policies if it were voluntary standards. The American public would have to take action, like abandoning a platform, for it to really land a jab in big tech's ribs.
But the discussion of privacy is more popular then ever.
On Tuesday, the National Institute of Standards and Technology (NIST) announced a collaborative project modeled after its Cybersecurity Framework. The evolving framework is to "provide an enterprise-level approach" for aiding organizations in developing privacy strategies. The first public workshop takes place in October.
The politics of privacy
Privacy has become a political issue but it can't survive in a patchwork fashion across the 50 states.
It's natural for an industry to get involved in an issue that has direct impacts, but regulation designed by those it's meant to regulate could prove useless.
Ideally, privacy is a bipartisan issue, making progress difficult. Big tech has an agenda and is willing to lobby members of Congress.
But change for any business is a challenge, and when it comes to the new era of privacy in the U.S., "we are wholeheartedly intimidated," said Corr.
The change in how internet service providers (ISP) can traffic their services resulted in incentivizing ISPs to push back on privacy laws alongside big tech. While neither political party has established themselves as the champion of data privacy, there has been some interest from Democrats and Republicans exploring bills.
GDPR was the catalyst of California's privacy bill, and both left an impact on large tech companies, especially those that rely on consumer data to generate revenue, like Facebook and Google. But aiding in the construction of a privacy bill could make the impact less forceful.
"There are renewed efforts to define the privacy legislation frameworks of the future, and we look forward to working with policymakers around the world to move the process forward," according to a Google spokesperson.
"(Tech companies) engagement now is really just to hamstring state privacy laws and likely establish a woefully low bar while calling it privacy protections."
Electronic Frontier Foundation
Facebook walked back its opposition to California's initial ballot initiative. Before the Golden State's privacy bill, the social network, Google, AT&T, Comcast and Verizon all had the largest axes to grind in terms of privacy regulation.
Some of these companies have the most aggressive pushback on GDPR-like laws because of their "existing or planned monetization efforts," said Falcon. Their services, by design, have a deeply rooted connection to consumer activity. Even partly aggravating that reach could be detrimental to the bottom line.
Other tech companies, such as IBM and Salesforce, have much smaller dogs in the privacy fight. Their revenues are more dependent on their products and services, not the data within them.
Acting out of fear legislators would eventually craft a law targeting them, tech companies met a lot of potential privacy legislation with opposition. This change is a tangible "shift in strategy for them," said Falcon. But "their engagement now is really just to hamstring state privacy laws and likely establish a woefully low bar while calling it privacy protections."