New laws in Europe and California are forcing tech companies to protect users' privacy or risk big fines.
Now, the industry is fearing that more states will enact tough restrictions. So it's moving to craft federal legislation that would pre-empt state laws and might put the Federal Trade Commission in charge of enforcement.
Europe enacted a tough law in May which requires, among other things, that companies make data breaches public within 72 hours of discovering them.
That's why Facebook had to promptly announce last month that its systems had been hacked and at least 50 million user accounts were compromised.
In June, California passed legislation that — if it is enacted as written — would go even farther, allowing users to sue for damages for exactly the kind of data breach Facebook suffered.
"They don't want to entertain the possibility that they would liable to individuals for doing some sort of harm from all the data that they collect," says Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, a digital advocacy group.
Companies are weighing in now because regulation is coming from all fronts and they're trying to control it, he says.
In May, an off-the-record board meeting of one of Silicon Valley's trade association, the Information Technology Industry Council, took place in Washington, D.C.
According to two people with knowledge of the meeting, it was there that Facebook's top lobbyist, Joel Kaplan, warned that an impending California privacy law posed a threat. If the California law spread to other states, Kaplan allegedly said it would present an even bigger problem than privacy provisions in Europe's new General Data Protection Regulation, or GDPR.
"Just this year, [you have] a data broker law from Vermont, in addition to Europe and California," said the EFF's Falcon. "And then dating back even further, the state of Illinois has a biometric law that Facebook has opposed and has been trying to amend. So they are seeing a trend."
That may explain why, soon after that San Francisco meeting, an industrywide effort emerged to not just get behind federal privacy legislation, but to actually write it.
While there's no formal legislative language yet, the working drafts so far include two must-have provisions for tech companies, according to two people familiar with the process. The companies want a pre-emption clause to ensure federal law trumps any state privacy laws. And they want to put the Federal Trade Commission in charge of enforcing digital privacy laws.
Pre-empting state laws would allow the industry to avoid a patchwork of rules in different states. And tech companies would also get to work with a watchdog they know.
Critics add that the FTC isn't particularly aggressive.
"The FTC doesn't have authority to make [new] privacy rules right now," says Ariel Fox Johnson, policy counsel for Common Sense Media, an advocacy group. "I don't know what the FTC can do besides put out guides or try to go after people for violating statements that they've made in their privacy policies."
That's what happened back in 2011. The FTC accused Facebook of not living up to its own privacy policies when it shared information it had told users would remain private. The FTC warned Facebook and the company, without admitting to wrongdoing, promised not to do it again.
Fast-forward seven years to the Cambridge Analytica scandal, when it was discovered that private information of some 87 million Facebook users was shared with the political data firm.
That breach led to congressional hearings -- as well as much of the pressure Facebook faces now. (The FTC is still determining whether the Cambridge Analytica debacle means Facebook violated the earlier agreement.)
Late last month, officials from Apple, Amazon, AT&T and Twitter testified before the Senate Commerce Committee about lawmakers' privacy concerns and came out publicly in support of a new federal privacy law.
Previously, tech companies had opposed that kind of regulation, but experts say that some kind of federal data privacy law is inevitable.
It isn't just Congress getting the industry's attention. Tech executives are also working the other end of Pennsylvania Avenue. Google CEO Sundar Pichai, for example, was at the White House recently.
"We had a great meeting — great meeting. I admire him, respect him," President Trump's chief economic adviser Larry Kudlow told reporters. Kudlow announced that tech executives would be back for a meeting with Trump later this month.
A reporter asked if the invitees would include big tech players like Facebook, Google and Twitter. Kudlow nodded and said, "That is our hope."
In a story that aired and was published earlier, NPR conflated two meetings attended by high technology executives in which privacy was discussed. The story said that Facebook's top lobbyist expressed concerns about a California privacy law at an industry meeting in San Francisco. In fact, he expressed his reservations at a closed-door, off-the-record industry board meeting that occurred weeks earlier in Washington, D.C.
DAVID GREENE, HOST:
2018 has been a big year for supporters of data privacy. Europe enacted a tough law in May, and then California passed comprehensive legislation in June. And tech companies are feeling the heat, so they are working behind the scenes on a federal privacy law. But they are not just trying to influence it. They're actually starting to write it. NPR's Dina Temple-Raston has the story.
DINA TEMPLE-RASTON, BYLINE: Facebook is still assessing the fallout from the latest epic hack in which at least 50 million user accounts were compromised. We heard about it because in order to comply with Europe's new data privacy law, the company has to make hacks public within 72 hours of discovering them. A California privacy law, if it's enacted as written, would go even further and allow consumers to sue and potentially collect enormous damages for exactly this kind of data breach. Ernesto Falcon is with the digital advocacy group the Electronic Frontier Foundation.
ERNESTO FALCON: They don't want to entertain the possibility that they would be liable to individuals for doing some sort of harm from all the data that they collect.
TEMPLE-RASTON: Early this summer, a who's who in tech attended a high-level private meeting in San Francisco organized by the Information Technology Industry Council. According to two people with knowledge of the meeting, it was there that Facebook's top lobbyist, Joel Kaplan, warned the executives about the threat the California privacy law posed to all of them. If the California law spread to other states, he said, it would present an even bigger problem than Europe's privacy law. So companies have decided to weigh in before new laws start coming in from all fronts. Again, privacy advocate Falcon.
FALCON: You have just this year a data broker law from Vermont. And then dating back even further, the state of Illinois has a biometric law that Facebook has opposed and has been trying to amend.
TEMPLE-RASTON: The warning at the San Francisco meeting sparked an industry-wide effort to not just get behind federal privacy legislation but to actually write it. And while there's no one document that lays out their proposal yet, according to two people familiar with the process, the working drafts so far include two things, and the first, a pre-emption clause that would essentially override any privacy laws the states might pass, and the second, an agreement that enforcement of the law be left to the Federal Trade Commission. Ariel Fox Johnson of the advocacy group Common Sense Media says that while the FTC's a watchdog, it's not a very aggressive one.
ARIEL FOX JOHNSON: So I don't know what the FTC can do besides, like, put out guides or try to go after people for violating statements that they've made in their privacy policies.
(SOUNDBITE OF ARCHIVED RECORDING)
JOHN THUNE: Good morning. A decade from now, we may look back and view this past year as a watershed with respect to the issue of consumer data privacy.
TEMPLE-RASTON: Late last month, officials from Apple, Amazon, AT&T and Twitter testified before the Senate commerce committee about privacy and the need for a new federal law.
(SOUNDBITE OF ARCHIVED RECORDING)
JERRY MORAN: A yes or no question for each of you - would your company support federal legislation to pre-empt inconsistent state privacy laws?
TEMPLE-RASTON: And all the executives said they would.
(SOUNDBITE OF MONTAGE)
LEN CALI: Yes, Senator. In...
ANDREW DEVORE: Yes.
UNIDENTIFIED PERSON: Yes, Senator.
DAMIEN KIERAN: Yes, Senator, we would support...
TEMPLE-RASTON: Tech companies are working the other end of Pennsylvania Avenue as well. Google CEO Sundar Pichai was at the White House just recently, and Trump economic adviser Larry Kudlow announced last week that tech executives would be back for a big meeting later in the month.
(SOUNDBITE OF ARCHIVED RECORDING)
LARRY KUDLOW: We're going to have a little conference. The president will preside over it. We will have the big Internet companies, the big social media companies.
TEMPLE-RASTON: A reporter at the White House asked Kudlow if the invitation list would include big tech players like Facebook, Google and Twitter. Kudlow nodded and said, that's our hope. Dina Temple-Raston, NPR News.
(SOUNDBITE OF WHYSP X PLAYER DAVE'S "REVIVAL") Transcript provided by NPR, Copyright NPR.