Tech lobbyists in Washington have historically worked to blunt any discussion of a Capitol Hill crackdown on their clients’ data practices. But with last week’s passage of a landmark privacy bill in California, experts believe the stage is set for a Silicon Valley about-face.
The tech industry is terrified of the California Consumer Privacy Act, which was signed into law Thursday after its unanimous adoption by the legislature in Sacramento. Modeled on the European Union’s strict new General Data Protection Regulation, the rules severely restrict the data-harvesting methods of tech firms operating in the most populous U.S. state by requiring expansive new disclosures and strict opt-in consent for data tracking.
But the law is in some ways even more aggressive than its European counterpart. It imposes strict monetary penalties on companies regardless of their income, and provides consumers with the ability to sue companies for any breach of personally-identifiable information. That second point, experts say, almost certainly opens the door for a flood of frivolous lawsuits against any firm engaging in data collection.
“It’s GDPR on steroids, in that sense,” said Christin McMeley, a data-privacy lawyer at Davis Wright Tremaine.
The new rules don’t take effect until 2020, and there will inevitably be a push to water down the most-onerous provisions before then. But given the limitations of such an approach, some experts believe that the tech lobby will leapfrog over Sacramento straight to Washington, where they can advocate for a privacy bill that’s more to their liking.
“It might light a fire under federal regulators to preempt the law,” said Jamie Court, head of the California-based progressive advocacy group Consumer Watchdog. “And the people holding the match may be Silicon Valley lobbyists who probably know better than to think they’re going to get that to happen in California, where they just got rolled.”
Federal preemption may be particularly likely if other states choose to follow California’s lead. “It’s a bit of a whack-a-mole kind of game for the companies,” said Zach Graves, the head of policy at conservative tech group Lincoln Network. “I wouldn’t be too surprised if they decided on a federal preemption strategy instead.”
Despite its unanimous passage, California’s privacy rule is almost universally described as a work in progress. The bill was introduced, debated, and signed into law in less than a week—a frantic rush designed to head off an even more aggressive ballot initiative spearheaded by Alastair Mactaggart, a San Francisco real estate developer with little background in data privacy.
Evan Low, a Democratic Assembly member representing part of Silicon Valley, had reservations about both the legislation and the ballot initiative. But like most of his peers, he voted for the legislation because—unlike the initiative—it would be much easier to “tinker with it” afterwards.
Several privacy lawyers said the legislative text is a mess, and will require extensive revisions and clarifications for it to even make sense. But more-substantive changes could also be in the cards. Low told National Journal that he hopes to strip the private right of action from the bill before 2020, though he isn’t sure how many of his fellow lawmakers share that aspiration.
“They’re sort of not in a position [to say] one way or another,” he said, “because they don’t know what they really just—what did we really just vote for?”
Given the progressive predilections of the average California voter and the ease with which initiatives may be placed on the state’s ballot, it could be difficult to tweak the bill too much without incurring the wrath of privacy advocates.
“I don’t think they’re going to be able to tinker too much with the rights themselves,” said David Stauss, a data-privacy lawyer at Ballard Spahr. “I think if they did they would probably get themselves into a situation in which the ballot measure might get back on the table.”
Such concerns wouldn’t apply on Capitol Hill, where any bill passed would preempt California’s law and likely set a less-stringent standard of privacy for tech companies nationwide. Congressional legislation to that effect has so far gained little traction, but that could change if the tech lobby throws its weight behind a federal bill ahead of California’s 2020 deadline.
“I would definitely watch the changing rhetoric from tech CEOs about wanting to have federal legislation,” said Graves, who pointed specifically to Salesforce chief executive Marc Benioff’s campaign to get Silicon Valley behind a “national privacy law.”
Brad Weltman, the chief Washington lobbyist for the Interactive Advertising Bureau, said he’s heard increased interest in federal privacy legislation from the tech industry since debate over California’s new privacy law began.
“There have been lots of efforts on data bills over the last decade, and usually it takes some sort of precipitating event to get everybody to the table—by everybody I mean legislators, advocates, and industry,” Weltman told National Journal. “Whether or not this is it—it could be.”
The tech industry is still digesting the impact of California’s new rules. And it’s not clear whether most companies will be gung-ho about supporting federal restrictions on their data practices, even if they do prove less onerous than the ones out of Sacramento.
“The concern about federal data-privacy legislation is that we freeze technology in time, that it gets messed up, and that it impacts innovation,” said David Keating, a data-privacy lawyer at Alston and Bird. “But I think the pendulum swung, given the enactment of the Consumer Privacy Act.”
Keating and other experts said that any federal bill supported by Silicon Valley is unlikely to be introduced before the November midterm elections, and it’s more likely to gain traction if Democrats win control of one or both houses of Congress.
Should that be the case, experts expect Democratic lawmakers to sell the bill as a crackdown on Silicon Valley abuses—even if the actual goal is to grant tech firms a reprieve from California’s new rules.
“I think the Democrats have to be careful, if they try to take this on, not to preempt California’s law,” said Court, “or there really is going to be a backlash against them sucking up to Silicon Valley.”
“Democrats are going to have to decide whether they’re the party of privacy or the party of Silicon Valley,” Court added.