When the California Consumer Privacy Act (CCPA) passed in June, security experts applauded the state legislation as a win for consumers. The law gave residents certain rights around how their personal data can be stored, accessed, sold and deleted.
But months later, in September, the U.S. Chamber of Commerce, a pro-business lobbying group, urged Congress to come up with new federal data privacy legislation. Federal oversight would likely have the effect of pre-empting California’s privacy law, as well as those in other states looking to regulate data handling and security. That’s because, under the Supremacy Clause of the U.S. Constitution, federal law generally takes precedence over conflicting state laws, and even over state constitutions.
That has left top privacy advocates concerned that companies are actually just pushing for federal privacy practices that would be weaker than those enacted by states.
“On the heels of the most recent breaches and scandals, big tech is taking a new approach… they’re starting to argue pre-emption, which would get rid of good laws in states like California, and replace those with weaker federal laws,” John Simpson, director of the privacy and technology project at Consumer Watchdog, told Threatpost. “That is highly problematic. Yes, the national law is fine, but it must not pre-empt tougher state laws.”
These competing viewpoints are setting up a possible debate about the role of states in regulating privacy.
Tech Giants Argue for Federal Approaches
It makes sense that companies like Google, Facebook and others would want to avoid having to conform to a state-by-state patchwork of privacy laws – it makes compliance expensive and difficult, and opens them up to multiple sets of fines.
“Congress should adopt a federal privacy framework that pre-empts state law on matters concerning data privacy in order to provide certainty and consistency to consumers and businesses alike,” the U.S. Chamber of Commerce said.
Federal laws have other advantages too – including standardizing best practices and restrictions, so that companies have fewer differing hoops to jump through.
Accordingly, in September, the Internet Association (IA), a trade group whose members include Amazon, Google and Facebook, released “Privacy Principles For A Modern National Regulatory Framework,” a set of policy considerations for modernizing national privacy legislation. The document, which lays out a national privacy framework and considerations for policymakers evaluating national privacy laws, also urged pre-emption of state laws: “A national framework should specifically preempt the patchwork of different data breach notification laws in all 50 states and the District of Columbia to provide consistency for individuals and companies alike,” it said.
Privacy advocates are skeptical that the statements are altruistic, however.
“It has often been state legislatures, not Congress, leading efforts to protect consumer privacy,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “I think there is an overarching worry that the tech industry would look to prevent state law by looking to help craft federal legislation with less protections.”
She added, “The seeming willingness to subject themselves to federal regulation is, in fact, an effort to enlist the Trump administration and Congress in companies’ efforts to weaken state-level consumer privacy protections.”
And indeed, recent reports indicate that the Trump administration is already working with tech companies to craft a proposal to protect privacy. In July, reports surfaced that the Commerce Department was holding meetings with representatives from Facebook and Google, along with Internet providers like AT&T and Comcast, and consumer advocates.
“The biggest concern for a lot of us in this space are these companies showing up in D.C. in the privacy hearings and the resulting law being weaker than it should be,” Katharine Trendacosta, policy analyst for the Electronic Frontier Foundation (EFF), told Threatpost. “That companies are backing privacy laws – but they can influence what those laws would be.”
Amazon, Facebook and Google did not respond to requests for comment.
Federal Bodies Slow to Act
The pre-emption discussion comes at a time when the federal government is legitimately trying to grapple with how to better enforce and regulate consumer data protection and privacy.
Events like the Cambridge Analytica privacy scandal in March and last year’s record-setting Equifax data breach have spurred the government to take a more introspective look at handling these issues.
For instance, after the Cambridge Analytica incident erupted in March, Congress summoned Facebook CEO Mark Zuckerberg to a series of hearings during which both Democrats and Republicans discussed the need for federal rules.
More recently, there were Senate hearings in September, during which the Senate Commerce Committee spent two and a half hours questioning senior leaders from the likes of Amazon, Apple and Google to better understand how privacy and security challenges could be addressed.
During the hearings, major technology companies expressed support for federal privacy and security legislation, and encouraged Congress to pre-empt state rules, including the California Consumer Privacy Act.
“A patchwork of differing state privacy law will confuse consumers, providing them uneven protections and potentially forcing them to navigate a complicated menu of diverging state-specific privacy choices and controls,” Leonard Cali, AT&T senior vice president of Global Public Policy, told Senate members in his opening statement. “While consumer protections often vary by state in our federal system, these variations make less sense when data moves freely, without regard to state borders and at the speed of light.”
Meanwhile, Google – which recently found itself in hot water for not reporting a data breach in Google+ earlier this year – published a proposed data privacy legislative framework ahead of its appearance in front of the Senate. Many privacy experts waved the framework aside, saying the company already complies with or could easily abide by the policies, and that it doesn’t represent a meaningful effort at consumer protection.
What, if anything, will come of the hearings is unclear. Historically, federal regulation of cybersecurity and privacy issues in big tech has been limited, with only three laws on the books for years (the 1996 HIPAA laws, the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act) taking a deeper look at issues relating to security. In more recent years, the federal government has tried to ramp up its legislative efforts in these areas, passing the Cybersecurity Information Sharing Act (CISA) and the Federal Exchange Data Breach Notification Act of 2015.
However, it may be some time before Congress is able to focus on new privacy measures, even with consumer interest in regulating tech giants cresting. With 2018 being an election year with many seats up for grabs, the focus for congresspeople will be on getting reelected over passing legislation, according to security experts.
“For a while now, things have been absolute gridlock in Washington,” said Consumer Watchdog’s Simpson. “Meanwhile, states have been able to step up to the plate with a number of relatively successful efforts.”
States Lead the Way
While the U.S. Congress debates, states have been taking the lead on security issues. California was the first state in the nation to mandate that companies notify consumers of a data breach. Illinois, meanwhile, enacted significant limits on the commercial collection of biometric data, such as fingerprints, in 2008.
As more data breaches make headlines, more states have made strides to take cybersecurity and privacy issues into their own hands. In fact, in 2018 so far at least 36 states have introduced more than 265 bills or resolutions related to cybersecurity, and 14 of those states have enacted 31 of the bills to date.
For instance, in October, California enacted a new law that bans companies from selling internet-connected devices with weak or default passwords, such as “Password” or “1234567.” And in February, Nebraska enacted Legislative Bill 757, which requires companies holding personal information to implement specific security procedures and to protect consumers’ credit should a breach occur.
Arizona’s attorney general, meanwhile, reportedly launched an investigation into Google regarding its alleged practice of recording location data from Android device owners (even after they had opted out), a move that could trigger a hefty fine. That’s due to an Arizona state law that allows the state to bring consumer-protection cases against businesses that deceive users about their practices, and to seek penalties of up to $10,000 per violation.
Tim Erlin, vice president of product management and strategy at Tripwire, said that individual states have a more united population and fewer hoops to jump through, making it easier when it comes to passing laws in some cases than in the federal government.
“A state government effort might be more functional than federal law,” he said. “For instance, in California, with their economy, taxes and political climate revolving around Silicon Valley, tech more heavily influences the legislature.”
These state-led laws could set the standard for consumer security protection, data privacy and related issues.
“One reason we’re seeing poor cyber-practices across the industry is that companies view private data as an asset, not an incentive that should be treated as a liability,” said Alex Abdo, Senior Staff Attorney at Knight First Amendment Institute at Columbia University. “That’s in part because the laws penalizing these are weak. It would be great to see more states start to treat consumer data as liabilities.”
Moving forward, as efforts on the federal level ramp up, the stage could be set for a discussion of states’ rights. While the Supremacy Clause is clear, there’s a caveat, according to FindLaw: when a state law would provide more protections for consumers, employees and other residents than what is available under existing federal law, the state law could take precedence.
To this point, the ACLU’s Guliani said that federal regulations around cybersecurity are much needed and welcome; but she also stressed that “a big part of this debate is whether states will be free to provide additional protections to consumers” on top of federal enforcement.
“It’s not to say we shouldn’t have a federal privacy law… generally we’re supportive of Congress working on a law if that law is meaningful,” she said. “But, it should act as a floor, not as a ceiling, for protections.”