In case you haven’t noticed, privacy – meaning the protection of your personal data and information – is all the rage today. In fact, privacy has become very big business not only in America, but also in Europe, where the General Data Privacy Regulation (GDPR) mandated sweeping privacy protections for consumers and strict restrictions on how companies can use personal information and data.
Doing business in this new era of privacy comes at a price, mostly for compliance. Compounding this is the lack of clear rules in the U.S. where there remains no comprehensive federal privacy law. It is no wonder that many companies have come to the privacy table kicking and screaming, forced to abide by a growing patchwork of inconsistent state laws with no federal preemption in place.
Nevertheless, the business of privacy has flourished. What was once the province of tech and data geeks has become a corporate mainstay. Every major company has a chief privacy officer in the C-suite pantheon. Board and shareholder meetings are replete with resolutions on privacy, data security, and related risks.
Nowhere is the business of privacy bigger than in Washington, D.C., where privacy organizations, coalitions, alliances, trade associations, experts, and institutions have proliferated. As the collective concern over privacy increases, so too does investment from Big Tech. Google, Amazon, Facebook have spent millions lobbying the U.S. government in an effort to shape the new federal policy.
In fact, Google’s cadre of lobbyists grew from four lobbying firms with an annual spend of $800,000 in 2006, to 100 lobbyists, 30 lobbying firms, and an annual spend of $21.7 million in 2018. According to the Center for Responsive Politics and The Wall Street Journal, Google has spent the most money on lobbying among all U.S. corporations.
Despite its embarrassment of riches, the company now faces the prospect of an antitrust investigation along with questions about its labor, privacy, and business practices. While there have been similar actions in Europe, this time seems different. A confluence of criticism from Congress, increased consumer interest, and intense media scrutiny has focused national attention on the issues. These developments have prompted Google to revise its strategy for dealing with Congress, the Federal Trade Commission, the Trump Administration, and governments around the world. Google plans to retool its lobbying team and re-think how to handle the growing government and consumer animus.
Whatever the outcome for any individual company, the point is that privacy means big bucks in Washington. Whether companies are paying to explain their views or excuse their poor performance, the tally is large and growing. This certainly explains the proliferation of privacy divisions in elite law firms and the development of well-funded front-groups flacking for Big Tech.
Not to be left out, state governments have made sure they are a big part of the action too. In true California fashion, the Golden State set the pace for privacy legislation at the state level. The California Consumer Privacy Act (CCPA) was among the first, and potentially the strongest, pro-consumer privacy laws to emerge in the states. But it certainly will not be the last. Maine’s Act to Protect the Privacy of Online Customer Information, which applies to broadband Internet service providers, claims to be the strictest privacy bill in the land. And the New York Privacy Act (NYPA) seeks to impose fiduciary responsibilities on businesses that control and process consumer data, in addition to banning certain algorithms that profile consumers.
With so much at stake, the U.S. government may be the biggest winner of all. The Federal Trade Commission (FTC) is negotiating a settlement with Facebook on a $3-billion – $5-billion fine for its history of consumer privacy violations. As the enforcer of last resort, the U.S. government stands to gain billions of dollars from policing violations of generally accepted privacy principles by (mostly tech) companies.
But the federal law on privacy is inchoate. The CONSENT Act, which was introduced in the last Congress, never became law. In the aftermath of the Facebook Cambridge Analytica fiasco, and following several congressional hearings, the rationale for a federal statute is unquestionable. And yet, the debate and division on the approach remain.
There have been several privacy bills introduced in the current Congress. Each has its own set of priorities and there seems to be some common ground. For example, there is agreement that consumers should be able to have control over their own data and that the FTC should have jurisdiction over privacy matters. But on the key issue of federal preemption of state laws, there is no uniformity. Nor is there agreement on what qualifies as “personal information” or whether consent should be opt-in or opt-out.
Democratic Senator from Minnesota and presidential candidate Amy Klobuchar introduced The Social Media Privacy Protection and Consumer Rights Act of 2019, in January. It may have some bipartisan appeal but does not specifically preempt state privacy laws.
Republican Senator Marsha Blackburn (R-Tenn.) introduced the Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act of 2019 as a model privacy vehicle for the Senate majority. It has an opt-in provision and specifically preempts state privacy laws, while providing a few loopholes for company use of personal information.
Democratic Senator Ed Markey (D-Mass.) introduced the Privacy Bill of Rights Act, which mirrors provisions of the GDPR and the California Consumer Privacy Act, while specifically preempting state laws. The Markey bill is thought to be the most pro-consumer bill of the batch.
Separate bills by Senators Booker (D-N.J.) and Wyden (R-Ore.); Senator Hawley (R-Mo.); Senator Warner (D-Va.); Rep. DelBene (D-Wash.), and Rep. Clarke (D-N.Y.) are also under consideration.
Many experts agree that Congress is under immense pressure from the business sector to enact comprehensive privacy legislation before the California Consumer Privacy Act becomes effective in January 2020. But there is a healthy dose of skepticism that it will not meet that deadline – whether because of partisan or policy differences. As the date nears, one thing is clear: The business of privacy, especially in Washington, will become more pricey and more profitable with every passing year.
Adonis Hoffman is chairman of Business in the Public Interest, Inc. and founder of yourprivacymatters.org. He is a former chief of staff and senior legal advisor at the FCC and served in legal and policy positions in the U.S. House of Representatives. He has also served as an adjunct professor at Georgetown University. Mr. Hoffman is a member of The Media Institute’s Board of Trustees and First Amendment Advisory Council. Follow him on Twitter @AdonisHoffman. This article originally appeared in The Hill on July 3, 2019.