Silicon Valley Doesn’t Want the U.S. to Get Too Hasty About Regulation

(Bloomberg Businessweek) -- Opponents of government regulation have a few standard refrains. For years, one of the most common has been that public officials shouldn’t pick winners and losers, meaning they shouldn’t use state power to reward favored companies or industries and punish others. In good faith, the line articulates a reasonable concern about facilitating corruption and choking off competition. It tends, however, to be deployed by complainants who were perfectly comfortable being among the winners until they suddenly drew greater scrutiny. Frequent foes of winner- and loser-picking include oil and gas companies, health insurers, megabanks, and now Silicon Valley’s biggest internet companies, which are starting to face consequences for frequent breaches of their eyebrow-raisingly massive data hoards.

After two years under a much harsher spotlight than they were used to, the internet companies acknowledge that some sort of new oversight is due. But, they say, let’s not get carried away here and change the ways the Valley does business. The government must avoid “picking winners or losers,” says Michael Beckerman, chief executive officer of the Internet Association, a Washington lobbying group representing Facebook, Google, Twitter, and most other major tech platforms. It’s wrong, he says, for lawmakers to punish his clients for mining data for profit, because pretty much every consumer-facing company now makes money from data in one way or another. “If you compare Facebook or Twitter to a car rental agency or your grocery store, or a data broker or a credit-reporting agency, our companies are a lot more transparent,” he says.

Unlike Facebook and Twitter, of course, Hertz and Kroger don’t know everything about you, nor have they proven so hackable. Since September alone, hackers broke into 30 million profiles on Facebook, its largest breach ever, harvesting email addresses, phone numbers, and search histories. Twitter Inc. disclosed that a platform bug may have allowed third-party developers access to the private messages of several million users. And Google parent Alphabet Inc., it was discovered, had attempted to cover up a data leak on its Google+ social network that affected about a half-million accounts. For people affected by such incidents, there’s little to no recourse and few answers about what’s to stop similar breaches of personal data in the future.

Silicon Valley Doesn’t Want the U.S. to Get Too Hasty About Regulation

These are the kinds of issues at the center of a heated policy debate that could become more volatile in the year ahead. The California Consumer Privacy Act, a powerful state-level law set to be codified in 2019 before it takes effect in January 2020, offers a blueprint for heightened data protections that analysts expect other states to follow. Its strength lies in giving users control over their personal information, including the right to delete it, while barring services from discriminating against those who share less data.

In Europe, the sweeping General Data Protection Regulation (GDPR) went into effect in May, and countries from Brazil to India to Japan are considering similarly stringent policies. But in the U.S., no national legislative proposal is close to passage. “What’s holding this back is a lack of expertise,” says Representative Ro Khanna, a California Democrat who recently released a set of guidelines for an internet consumer bill of rights. “Members of Congress are overly deferential to technologists because they don’t know the platforms.”

Whether the bill comes from the House or Senate, one of the most contentious issues revolves around cookies. Big Tech has vociferously opposed the sort of “opt-in consent” present in the GDPR, which requires companies to get permission from each user before cookies can track how long they spend on each page and where they go next. Some of the stronger plans under discussion in the U.S., including the Consent Act, introduced by Democratic Senator Ed Markey of Massachusetts, widen that approval requirement to explicitly include the creepier aspects of internet tracking. That might mean the Facebooks of the world would have to constantly ask users’ permission to follow them around other parts of the internet, monitor them offline, and build elaborate behavioral profiles of them. (A 2016 ProPublica report found that Facebook Inc. was classifying users under at least 52,000 interest categories with such unsettling specificity as “Pretending to Text in Awkward Situations” and “Breastfeeding in Public;” Facebook has said that users can opt out of some data sharing.)

Europe under GDPR shows that most users will simply click “OK” and proceed as usual. Still, “any consent is an improvement over the status quo of doing it secretly,” says Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation, a consumer advocate. The California law stops short of “opt-in” consent but does mandate that all websites include an “opt-out” button for data monetization, such as a link on their homepage allowing users to say “Do Not Sell My Personal Information.” It’s one reason Facebook and Google lobbied against the state law.

Enforcement is another key issue. Even if Washington could enact a national privacy law, it would mean nothing without aggressive consequences for companies that fail to keep their platforms abuse-free. While Facebook faces a potential $1.6 billion penalty for its latest data breach under the GDPR, in the U.S. the social network probably won’t be fined a penny. One of the last times the Federal Trade Commission punished a big tech company for privacy infractions—Google in 2012—the $22.5 million penalty amounted to less revenue than the company made in four hours.

Silicon Valley Doesn’t Want the U.S. to Get Too Hasty About Regulation

“There’s a risk that tech companies become so big and powerful that any privacy violation for them amounts to a drop in the bucket,” says Laura Moy, executive director of the Georgetown Law Center on Privacy & Technology. She and other consumer advocates are calling for a federal agency focused solely on privacy and empowered to levy fines that could make user privacy a CEO-level concern. “Tech giants like Facebook and Google have incredibly large revenues,” Moy says. “They don’t have the right incentives to spend a truly substantial amount of it ensuring privacy is built into everything they do.”

The most significant flashpoint in 2019 may be what policy experts call “uniformity,” the idea that data privacy standards ought to be constant whether you’re Facebook or Hertz Corp., and whether you’re in California or Connecticut. “The idea that we’re going to have 50 or 51 different privacy laws is just not how the internet works,” says Beckerman, the lobbyist, who’s demanding that any national privacy law preempt California’s. “This needs to be done in a way that doesn’t prohibit different business models,” he says. “Everyone is using data in different ways.” Moy says she worries a broad preemption could do away with valuable stronger laws, such as protections for the information patients share with doctors, or students with education providers.

Neither industry nor consumer advocates expect a sweeping federal privacy bill to get an up-or-down vote in 2019. The year ahead is about setting the terms of that debate. Statehouses will be the principal battlegrounds for now, with California’s law serving as a model for data rules.

The longer Washington’s laissez-faire approach persists, says former Facebook policy adviser Dipayan Ghosh, the more internet platforms will be able to build up their data infrastructure, making them harder to dismantle. “They’re only going to get more and more powerful,” says Ghosh, a social media researcher at Harvard’s Shorenstein Center on Media, Politics, and Public Policy. He expresses alarm at the companies’ often opaque and “borderline addictive” software.

Without greater data protections, Ghosh says, consumers can expect another year filled with hacks, leaks, and cover-ups, with no real consequences for the Valley. “If Facebook undergoes Cambridge Analytica 2, there are no direct repercussions,” he says. “It doesn’t have to inform consumers. It doesn’t have to compensate consumers. It doesn’t have to really do much for consumers at all.” That is to say, by failing to act, Congress will be picking a few big winners and a whole lot of losers.

To contact the editor responsible for this story: Jeff Muskus at jmuskus@bloomberg.net

©2018 Bloomberg L.P.