{"id":2469,"date":"2018-12-22T16:27:41","date_gmt":"2018-12-22T16:27:41","guid":{"rendered":"https:\/\/live-journal-of-law-and-public-policy.pantheonsite.io\/?p=2469"},"modified":"2018-12-22T16:27:41","modified_gmt":"2018-12-22T16:27:41","slug":"federalizing-privacy-rights-how-tech-giants-went-from-protesting-privacy-laws-to-supporting-them","status":"publish","type":"post","link":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/2018\/12\/22\/federalizing-privacy-rights-how-tech-giants-went-from-protesting-privacy-laws-to-supporting-them\/","title":{"rendered":"Federalizing Privacy Rights: How Tech Giants Went From Protesting Privacy Laws to Supporting Them"},"content":{"rendered":"In an impassioned speech in Brussels<\/a> <\/em>this October, Tim Cook, the CEO of Apple, threw his weight behind a federal privacy law, denouncing the data collection practices engaged in by his fellow technological giants such as Google and Facebook. While it is not new<\/a> <\/em>for tech companies to push for stronger privacy laws, the renewed impetus for the movement comes from the European Union\u2019s General Data Protection Regulation<\/a> <\/em>(GDPR), which went into effect on May 25, 2018, and California\u2019s Consumer Privacy Act<\/a>, <\/em>which will go into effect on January 1, 2020. On the heels of California\u2019s legislation, other states such as Georgia<\/a> <\/em>have also introduced similar bills. This patchwork of legislations across states with different levels of obligations<\/a> <\/em>has pushed the tech industries to petition Congress to enact a federal legislation. Earlier in November, Senator Ron Wyden (D\u2013OR) introduced a federal privacy bill, but many news outlets report it as unlikely to be passed into law<\/a><\/em>. <\/em>While the tech companies\u2019 interest may stem more from the desire to avoid compliance with 50 different laws on privacy, this post analyzes the public policy implications of a federal legislation on privacy for the complicated digital economy.\n

Present federal protections for privacy rights:<\/strong><\/p>\nThe current approach at the federal level in regulating the collection and use of private information is sector-specific<\/a><\/em>, with no umbrella legislation that prevents or regulates how sensitive information is to be used. The only such umbrella legislation on privacy is the Privacy Act of 1974<\/a> <\/em>which applies only to the collection, maintenance, use and dissemination of individual information by federal agencies. Paul Schwartz describes the sector-specific approach to privacy in the United States and explains that federal sector-specific legislations such as the Video Privacy Protection Act and the Wiretap Act merely establish \u201cfloors\u201d upon which several states have enacted much more stringent regulations. Paul M. Schwartz, Preemption and Privacy<\/em>,118 Yale L.J.902, 919 (2009)<\/a>. There is also a sprinkling of regulatory requirements imposed by agencies such as the Securities and Exchange Commission that require public companies to disclose material cybersecurity risks and incidents<\/a><\/em>. Not only is there is no federal omnibus privacy legislation, neither is there a single enforcement authority<\/a><\/em>; rather, enforcement is carried out by three actors: the Federal Trade Commission (FTC), state attorney generals who self-describe themselves as the \u201cInternet\u2019s police\u201d<\/a><\/em>, and class-action attorneys. By and large, however, enforcement of privacy laws at the federal level is toothless<\/a><\/em>, based largely on a breach of the contractual policy of privacy that consumers agree to in click-wrap agreements, and pursued by the FTC if the activities are deceptive or unfair.\n

Need for a federal privacy law:<\/strong><\/p>\nA person\u2019s data is collected by companies such as Facebook, Amazon and Google every time he connects to the internet, runs an online search, buys products through e-commerce portals, or even communicates with his Alexa\/Google Home device. All of these were being done by companies by including \u201cnotice and consent\u201d<\/a> <\/em>clauses in extremely fine print in a lengthy agreement where consumers were given notice of such data collection and indicated their consent by clicking on an \u201cI Agree\u201d box. A study done by two researchers at Carnegie Mellon estimated that it would take a user almost 25 days of the year<\/a> <\/em>if they were to read every privacy policy on every website that they visit in a year. It was to impose checks on companies collecting such data that the GDPR was formulated, with requirements such as<\/a> <\/em>obtaining a clear indication of consent before data collection, communicating the basis of collection, retention and purpose of use of such data, and providing individuals access to the data about them that has been collected. Most of Big Tech did not welcome the GDPR\u2019s requirements, finding them to be \u201c<\/em>burdensome.<\/a><\/em>\u201d<\/em>Yet, these same companies are now pushing for a federal privacy law despite claiming self-regulation was a better solution<\/a> <\/em>in the past.\n\nMost of the arguments in favor of a federal privacy law have come from within the industry itself, calling for a uniform law that sets one standard for the entire country as opposed to 50 different standards. This argument seems to be inspired<\/a> <\/em>by the reality that state-wide privacy laws are in the offing and will make matters complicated for Big Tech, and an effort to shape public debate by being a part of it. In response to the call for comments by the National Telecommunications & Information Administration (NTIA) on developing the Trump administration\u2019s approach to privacy law, Amazon<\/a> <\/em>has called for a uniform federal law that will replace the \u201cpatchwork of different privacy obligations\u201d, arguing that differing obligations will be expensive, time-consuming and divert resources that could otherwise be used in innovation. AT&T<\/a> <\/em>has framed the need for a federal law in terms of the difficulties to consumers in navigating differing and complicated state-specific legislations.\n\nPrivacy advocates, on the other hand, also welcome a federal law on the subject but have called for such standards to be a floor and not a ceiling, and strongly criticize the language of pre-emption of state laws that is adopted by technology industries. Privacy scholars<\/a><\/em>, who submitted comments to the NTIA, explain that states have historically been \u201claboratories of experimentation\u201d and have been willing to experiment with different approaches to regulate privacy.\n\nToday, there is bipartisan support on the need for a federal privacy law, yet little consensus on what that law should look like. But popular opinion seems to suggest that Americans want more protections for their privacy, not less, and it is unclear whether a federal policy that preempts state requirements will accomplish this. While there is merit to the suggestion that having 50 different state laws and one federal law would only be burdensome and complicated for all actors involved, it is also important to ensure that a uniform federal policy sets the bar high enough<\/a> so that it affords meaningful protection to internet users.\n\n \n

Suggested citation: Nayanthika Ramakrishnan, Federalizing Privacy Rights: How Tech Giants Went From Protesting Privacy Laws to Supporting Them<\/em>, <\/span>Cornell J.L. & Pub. Pol\u2019y, The Issue Spotter<\/span>, (Dec. 22, 2018), https:\/\/live-journal-of-law-and-public-policy.pantheonsite.io\/federalizing-privacy-rights-how-tech-giants-went-from-protesting-privacy-laws-to-supporting-them\/.<\/span><\/p>","protected":false},"excerpt":{"rendered":"

In an impassioned speech in Brussels this October, Tim Cook, the CEO of Apple, threw his weight behind a federal privacy law, denouncing the data collection practices engaged in by his fellow technological giants such as Google and Facebook. While it is not new for tech companies to push for stronger privacy laws, the renewed…<\/p>\n","protected":false},"author":1,"featured_media":2471,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[14,15,16,17,18,19,27,28],"tags":[122,169,608,732,1232,1233],"class_list":["post-2469","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-archives","category-authors","category-blog-news","category-certified-review","category-feature","category-feature-img","category-recent-stories","category-student-blogs","tag-amazon","tag-att","tag-facebook","tag-google","tag-privacy-laws","tag-privacy-rights"],"acf":[],"_links":{"self":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/posts\/2469","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/comments?post=2469"}],"version-history":[{"count":0,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/posts\/2469\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/media\/2471"}],"wp:attachment":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/media?parent=2469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/categories?post=2469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/tags?post=2469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}