Federal privacy regulations usher in the age of tech lawmakers

Big tech and privacy advocates are lobbying for dramatically different federal data privacy rights. CIOs should pay attention to whom -- and what -- the legislation seeks to regulate.

Tech companies that have successfully lobbied against stricter privacy regulations are facing pushback from consumers on their latest campaign to curtail data privacy rights.

Big tech's call for federal regulation comes amid a reactionary call for privacy rights, as data breach media coverage has exposed companies' poor management of personal information and piqued consumers' data protection concerns.  

"Consumers are seeing data breaches and privacy mistakes in the news every single day, and the breaches are getting larger in scope. And the number of individuals impacted seems to be larger for every single one," said Nicholas Merker, partner and co-chair of the data security and privacy practice at Ice Miller, based in Indianapolis. "People understand that some companies are misusing their data or not protecting their data appropriately, and it's creating a risk for these individuals."

Shortly after GDPR -- the European law that unified data privacy protection and specified consumer rights to their personal data -- went into effect last spring, California passed the California Consumer Privacy Act (CCPA) of 2018. The new state law gives users the right to request details about individual data collected by the companies they do business with and to delete personal data without penalty to service.

Now, tech giants like Facebook, IBM and Microsoft are playing offense and proposing federal privacy regulations that override the California rules.

As the fight between state and federal laws plays out, CIOs and their data privacy experts may well find themselves advising their companies on where to come down on data privacy rights.

A company's best course will likely depend, in large part, on where it does business, how it makes money and how much its customers value data privacy.

Why the push for federal law?

Tech companies with multistate operations are gunning for the federal law in order to avoid having to comply with up to 50 competing jurisdictions. Experts expect other states to begin following in California's footsteps by amending or creating state privacy laws.

The CCPA has certainly set the bar for other like-minded states, said Erin Illman, co-chair of Bradley's cybersecurity and privacy practice group and member of the North Carolina Bar Association's Privacy and Data Security Committee.

"You're going to see the states that have taken a forward stance in privacy start to really look at California and say, 'Maybe we need to amend our laws that are already on the books, but maybe we also need to put forward a similar law or something that even goes farther than California,'" Illman said.

But big tech's effort to get a federal law passed is not just to save themselves the headache of state-specific compliance, experts said, but also to preserve profits amid growing concern over business preservation.

And if we look to the GDPR as a model for U.S. legislation, we must also examine the immediate aftermath, Merker said.

"The GDPR is a great example of what [strict federal privacy legislation] would do to the behavioral advertising firm, targeted advertising firm, company index firm industry -- it would destroy it," Merker said.

"When GDPR was implemented for publicly traded companies, you saw massive drops in stock prices; you saw some companies that just no longer existed, because their practices are no longer legitimate under the GDPR."

Data: The new dollar

Data privacy experts advise CIOs to keep a close eye on the proposed legislation and its framework, including exactly whom it seeks to regulate.

For example, one of the proposals for the federal privacy regulations defines consumers as users who have purchased something from the company. Under this definition, social media businesses like Facebook and email businesses like Gmail that do not charge for their services or sell products would have far fewer reportable consumers than sites that sell a product or charge a nominal fee for service. Even a $1 yearly fee makes each individual a consumer whose privacy is protected instead of a user who remains exempt from privacy regulations.

Experts noted that this distinction shows the defining characteristic of online business: Data is money.

"Personal information is the currency of the internet -- more so than bitcoin, more so than the dollar. [Data] is what is being bartered for services and then sold for revenue," said Nader Henein, research director of data protection and privacy at Gartner.

"Like any other currency, it needs to be regulated. Otherwise, it loses its value, and it's inconsistent."

Love affair gone sour

In the face of big tech's all-out lobbying effort for the federal law, data privacy interest groups have not hung back. Instead, they are taking advantage of growing consumer sentiment that the titans of Silicon Valley can delight customers and still not have their best interest at heart.

The inability of business to prevent massive data breaches that expose sensitive information has also fueled consumer interest in wanting more control over personal data. 

A major point on the tech companies' list of wishes is self-regulation and the creation of industry guidelines with no legal or financial penalty for noncompliance. Trade groups such as the U.S. Chamber of Commerce, the Internet Association and the Information Technology Industry Council are all pushing for voluntary standards.

Tech companies' C-suites claim they know exactly what data is being collected, how it's used and, ultimately, how to protect it. They argue self-regulation allows for flexible compliance that protects privacy and the ability to remain profitable.

Privacy advocates, on the other hand, cite years of improper data management, privacy violations and data breaches as examples of the whittling of trust that's occurred between the general public and tech businesses.

"There's a lot of trust that's been lost between the general public and between privacy advocates and business," Illman said. "Because of that loss of trust, the concept of self-regulation is something that privacy advocates are pushing back against and saying, 'You know, we don't really trust you to regulate yourselves.'"

So, what's the next battle move? The proposal and establishment of federal privacy regulations could be a positive change if companies develop strategies that are fair, transparent and create a more equal benefit for company and user.

"Internationally, America seems like we are now behind the times when it comes to privacy law," Merker said. "All privacy advocates want America to catch up and be standing with the rest of the world."
