How Washington plans to regulate Big Tech
“Secret algorithms, concealed monitoring & potential marketing & more, require privacy rights and protection,” tweeted Richard Blumenthal, a Democratic senator, referring to Facebook, on Tuesday.
He previously suggested that a new privacy law could be drafted “early in the session” this year.
Companies including Apple and Facebook have accepted the need for a federal privacy law, as the US looks to bring in some of the protections of the EU’s General Data Protection Regulation.
The parameters have been set by California’s new privacy law, which was passed this summer and is due to come into force by 2020. Alastair Mactaggart, the real estate developer turned privacy activist whose campaign helped bring about the California act, said: “California was the catalyst for all this, without a doubt.
“Now with the House [of Representatives] in Democrat hands, it will be harder to undo what is in that act.”
Reining in big tech is likely to be one of the few areas where Democrats and Republicans seek to co-operate over the course of what is otherwise set to be a divided Congressional session.
In the past year, members of both parties alike have grilled some of the industry’s top chief executives on their approach to privacy. Four Republican members of Congress recently wrote to both Apple and Google to warn: “Users have a reasonable expectation of privacy when taking active steps to prevent being tracked by their device.”
Attention in Washington is turning to the areas of focus for the new legislation: how much companies have to tell customers about the data they hold; how much control customers retain over that data; and what penalties companies will face for data breaches.
Politicians and corporate lobbyists generally agree that companies need to give customers greater and clearer information over how they store and use consumer data.
Tim Day, senior vice-president of the Technology Engagement Center at the US Chamber of Commerce, said: “Transparency is critical. Consumers need to have a clear understanding of how their information is shared.”
Those keen to keep the new regulations to a minimum talk about simply making online customer agreements more understandable. But some want far tougher rules, such as Mark Warner, the Democratic senator who has proposed forcing companies to reveal the exact monetary value of the data they hold.
“We know these companies have information on what each customer’s data are worth,” said one congressional Democratic aide. “It shouldn’t be hard to force them to publish that as a matter of course.”
Once politicians have decided how much companies should disclose about the data they hold on their customers, they will then have to decide what rights customers retain over that data.
One possibility is to allow service users to pay for greater levels of privacy. If a company is able to put a value on consumer data, say some, consumers should be able to pay that amount to withhold it.
While some companies already offer such “pay-for-privacy” deals, they have been criticised in the past by both Democratic senators and the Federal Communications Commission — the regulator likely to be in charge of enforcing any new privacy law.
Others want a new law to go further and ban companies from passing on or selling their customers’ data unless they get express consent. A softer version of that proposal would be to assume customers give their consent to companies to hand over their information, but to allow them to opt out of doing so.
Mr Mactaggart said: “‘Do not sell my information’ gets broad approval from customers.
“Soon it will be the equivalent of ‘Do not call’,” he added, referring to the power Americas have to opt out of receiving telemarketing calls.
But even those wanting the toughest form of regulation say they do not intend to push for a European-style “right to be forgotten”, whereby people can demand that internet search engines hide certain information about them.
One senatorial aide working on privacy legislation said: “Our first amendment [freedom of speech] rights mean there is no way we can have a right to be forgotten in the US.”
The news last year that up to 500m Starwood hotel guests may have had their information hacked has refocused attention on what should happen to companies which fail to keep people’s data secure.
The California act allows customers to sue companies if they can prove their data has been illegally accessed — though campaigners originally wanted companies to be liable for any breaches of the act.
Technology industry insiders say they are likely to focus their federal lobbying efforts on limiting the range of misdemeanours for which they might be held liable.
But tellingly, a draft proposal from the Internet Association, which represents the biggest US online companies, does not mention financial liabilities at all.
Instead the organisation proposes only that companies should tell customers if their data has been hacked, insisting that any new law should “allow companies flexibility in how they notify individuals of unauthorised access to their personal information”.
One thing the technology industry is desperate to ensure is that any new federal law overrides the California privacy act, as well as any other state legislation that may be passed — a legal tool known as “pre-emption”.
Mr Day said: “Pre-emption is of critical importance — we need to make sure both consumers and businesses have a clear road map.”
Campaigners such as Mr Mactaggart, however, are keen to ensure the California act remains intact and that states can enact stricter rules if they wish. “A federal law is fine,” he said. “But it needs to be a floor — not a ceiling.”