Tech industry pursues a federal privacy law, on its own terms

Technology companies have taken plenty of hits on privacy this year. In May, Europe began enforcing a sweeping new law that lets people request their online data and restricts how businesses obtain and handle the information.

Then in June, California passed its own law that gives people the right to know what information companies are collecting about them, why the companies are collecting that data and with whom they are sharing it — setting a privacy benchmark for the United States.

Now top tech companies are going on the offensive.

In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.

“We are committed to being part of the process and a constructive part of the process,” said Dean Garfield, president of a leading tech industry lobbying group, the Information Technology and Innovation Foundation, which is working on proposals for the federal law. “The best way is to work toward developing our own blueprint.”

The efforts could set up a big fight with consumer and privacy groups, especially as companies like Facebook face scrutiny for mishandling users’ personal data. Many of the internet companies depend on the collection and analysis of such data to help them target the online ads that generate the bulk of their revenue.

“It’s clear that the strategy here is to neuter California for something much weaker on the federal level,” said Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, a digital rights group. “The companies are afraid of California because it sets the bar for other states.”

In the United States, tech companies’ efforts to fight privacy regulations gained momentum in late spring, as it became clear that the California proposal might become law.

At a board meeting for the Information Technology and Innovation Foundation in May, Joel Kaplan, Facebook’s top lobbyist, warned that California’s restrictions posed a threat to the industry and that the trade group needed to make the issue of privacy a priority, according to two people briefed on the meeting who were not authorized to speak publicly.

Kaplan said the California proposal could spread to other states, the people said. Top lobbyists for other tech companies agreed that it could be more problematic than the new European law, and that it would unleash a patchwork of state laws that would not only strap their businesses but become a regulatory headache, the people briefed on the meeting said.

Until that moment, there had been a split in the tech industry about privacy rules. Companies like IBM and Salesforce, which sell data storage and software to other businesses, were more willing to accept consumer privacy laws, IBM and other members of the Information Technology and Innovation Foundation said. Social media and other companies that relied primarily on advertising for revenue, like Facebook and Google, were adamant that the industry should fight all rules.

But at that meeting, it became clear that Facebook and Google had softened their resistance to a federal privacy law, as long as they were deeply involved in writing the rules.

“There has been a complete shift on privacy,” said Chris Padilla, vice president for government and regulatory affairs at IBM. “There is now broad recognition that companies that were resistant to privacy rules can no longer just say no.”

Many of the companies also recognized that it was a good time to press ahead with a federal privacy law since Trump administration officials have expressed openness to a business-friendly approach to such rules.

David Redl, head of a division of the Commerce Department that is leading the agency’s privacy efforts, said in a July speech that the administration’s “commitment to prosperity will be our guide.”

“We also know that industry is looking to the administration to demonstrate leadership on this issue,” he said at the time. “They’re rightfully concerned about the potential for a fractured and stifling regulatory landscape.”

Lindsay Walters, White House deputy press secretary, said in a statement that the administration wants to work with Congress on legislation “that is the appropriate balance between privacy and prosperity.”

The administration said it intends to have an outline of potential rules by the end of the year. But the timeline could easily be pushed back, as numerous agencies may be involved, including the Commerce Department, the Federal Trade Commission, and the National Institute for Standards and Technology.

Privacy advocates said tech companies were pushing to undercut the California privacy law in other ways. Although passed in June, the law stipulates that lawmakers can pursue technical changes in its language until the end of this month. It is scheduled to take effect in January 2020.

Any changes are supposed to be minor, but tech lobbyists and privacy groups continue to swarm the offices of the legislators behind the law, their aides said. Consumer privacy groups, which have pushed lawmakers to leave the law virtually untouched, fear the companies are trying to soften protections.

This month, the California Chamber of Commerce and other business and tech groups sent 19 pages of edits to the law to state Sen. Bill Dodd, one of the bill’s authors. They criticized language, such as the law’s definition of personal information, that they said would apply to too many people or websites.

In the letter, the groups said California’s attorney general, Xavier Becerra, would need more time to figure out how to enforce the rules and asked to delay enactment for one year. The business groups argued that the law could hurt a typical consumer.

“Unless the law is clarified, he or she might also inadvertently be deprived of special discounts and promotions,” the letter said.

In a rebuttal letter to Dodd, several consumer privacy groups called for him and other California lawmakers to keep any changes to a minimum, saying the tech industry’s moves were “excessive in nature.”

“The sky is not falling, as industry suggests,” the groups said.

Cecilia Kang is a New York Times writer.