How Big Tech plans to pre-empt California’s tough Consumer Privacy Act

Federal privacy rules, which were anathema to Big Tech only a year or two ago, are suddenly as popular as free Wi-Fi and puppies. Industry lobbyists are putting a lot of pressure on Congress to come up with a set of Federal privacy regulations that are less stringent in their demands for personal data protection and less destructive to existing business models than the Golden State legislation.

Cisco is the latest tech giant to put its industry-friendly spin on the desire to preempt California and other states’ efforts to strengthen protection of personal information. What makes Cisco different is that it is an internet infrastructure company, not a consumer-facing platform like Apple or Microsoft, which have also called for regulations. As Cisco’s and CEO Chuck Robbins predictably put it:

Cisco calls for comprehensive and interoperable privacy legislation around the world that allows ethical movement of data between countries. Laws should be anchored to the core principles of security, transparency, fairness, and accountability because privacy is a fundamental human right.

It’s a pretty thought, of course, but that’s almost certainly not a major reason Cisco and other big players are pushing for uniform federal legislation. Cisco’s EVP and Chief Legal Officer Mark Chandler came more directly to the point:

California has now already passed a data privacy law slated to take effect in 2020. If the pattern that followed California’s adoption of data breach notification legislation in 2002 holds true, we may see each of the 50 states pass their own versions of a data privacy law. Not only might the rules differ by state, but the enforcement mechanisms could also lead to confusion and unnecessary expense without any appreciable benefit to consumers.

Chandler went on to express concerns that various state laws might impose disparate or even conflicting requirements on companies doing business within the US and make it harder for small companies to compete across state lines—much less in the global economy. Chandler continued:

Accordingly, we recommend that Congress occupy the field and preempt the possibility of inconsistent state requirements for data privacy. As was the case with the Gramm-Leach-Bliley Act regulating security of financial customer data in the US, existing federal regulators should retain jurisdiction over the entities they currently regulate. The FTC’s authority should fill gaps between those existing regulators’ authorities to ensure a uniform baseline level of protection across the country.

Translation: Federal data privacy regulations would almost certainly be less draconian and costly as the more GDPR-like rules that California has adopted and other states are planning.

Other arguments for a uniform set of privacy rules

• Privacy laws are regionally inconsistent — both by state and by country — and siloed in the U.S. between different industries. The technical requirements to protect health care data in one state could contradict the requirements for "internet of things" information in another, even though a wireless pacemaker is both and needs to be operable in both states.
• The American system for data protection should be one that can easily interoperate with major regional and national data protection regimes, such as the EU, Japan, and Brazil without the need for separate agreements.
• The US already has strong data privacy laws that impose strict industry-based requirements for handling, storage and use of specific categories of sensitive personal information by healthcare providers, financial institutions, and others. In addition to robust enforcement of those sectoral laws by regulators, the Federal Trade Commission actively uses its authorities to challenge unfair and deceptive acts and practices impacting data privacy across the US economy.
• The absence of a general federal privacy law—covering data use, handling, and storage—is undoubtedly hurting the competitiveness of US-based multinational companies doing business abroad.
• A final argument that most Big Tech insiders will admit to only in private. There is the widespread belief that all of the proposed laws and public outrage is being driven by the misbehavior of two companies. (Hint: Google and Facebook). Many executives believe they shouldn’t be punished for sins of the few.

Cisco said it has three main goals for data privacy legislation:

• Ensure interoperability between different privacy protection regimes.
• Avoid further fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus.
• Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.
• Ensure interoperability between national and regional privacy protection regimes.

My Take

Barely two months into 2019, the 2020 Presidential campaign is already underway which means that there is unlikely to be much agreement in Congress on anything between now and January 2021. Still, it’s likely the desire for some kind of data protection law that is not California’s has wide bipartisan support and the army of lobbyists marshaled by Big Tech may be enough to push new regulations over the finish line.

A number of bills have already been offered, including one by Sen. Ron Wyden (D-OR), that would jail executives who mishandle consumer data and another by Hawaii Senator Brian Schatz that would establish a fiduciary duty for online providers, similar to data protection requirements already mandated for doctors, lawyers and bankers.

The Schatz bill has fairly strong bipartisan support and could be the bill that does the trick.

On the other hand, to paraphrase H.L. Mencken, “Nobody ever went broke underestimating the ability of Congress to get things done.” So, stay tuned.