On Capitol Hill and across Washington, the fight over data privacy revolves almost exclusively around the behavior—and ultimately, the fate—of just three tech companies: Facebook, Google, and Twitter.
That relentless scrutiny hasn’t been fun for the companies’ executives who have been hauled regularly before congressional committees while the Federal Trade Commission pores over their privacy practices, and as lawmakers from both parties float a full-scale breakup of the Silicon Valley cornerstones.
So it’s perhaps surprising that smaller tech companies—from obscure startups to mid-sized firms like Yelp and Mozilla—want U.S. policymakers to turn their attention away from big tech and toward a discussion of how privacy legislation will impact their own bottom lines.
“The internet is not just Google, Facebook, and Twitter,” said Kate Tummarello, a policy manager at Engine, a Washington-based lobbying group for tech startups, at an event on Capitol Hill late last week. “There are plenty of small companies that are thinking seriously about this too.”
As policymakers fixate on the daily drumbeat of privacy scandals emanating from Facebook and other top tech platforms, the rest of the industry is increasingly worried that federal privacy legislation will look to punish the major players instead of crafting a framework under which tech companies of all stripes can effectively operate.
“It’s really important to think about unintended consequences,” said Angela Hooks, a government-affairs manager at Yelp, during the same event. “It seems like there’s a lot of pressure on big tech companies. But obviously it’s going to trickle down to everyone.”
Smaller companies say the backlash to big tech’s myriad misdeeds was the driving force behind both Europe’s General Data Protection Regulation and California’s new data-privacy rules. And they’re warning Washington against indulging in a similar reaction, arguing it could cause a reduction in both the ability of tech startups to blossom and for smaller, data-driven companies to stay in business.
“We often hear from European officials who say, ‘No no no, GDPR is not meant for your company,’” said Tummarello. “’It’s not meant for startups, it’s meant for the big guys.’ ... You try to tell an investor that, and the startup will not be able to get funding off of what some European official might’ve said at a press conference a year ago.”
Tech startups are particularly concerned by the enormous cost of navigating a byzantine network of regulations and reporting requirements. Europe’s GDPR remains notoriously opaque, with tech companies of all sizes claiming that they’ve accrued massive legal bills as they work to comply. They say that’s also a problem with California’s new rules, and they’re urging lawmakers to avoid forcing companies to hire an army of lawyers that they can’t afford.
“Compliance cost is the big one,” said Heather West, a top policy executive at Mozilla. “And it’s concerning because of the fact that some of these requirements are not well-defined, so you’re making guesses.”
To get around crippling compliance costs, some advocates want policymakers to build specific exemptions for startups and smaller tech firms into a new privacy bill. That could include exempting firms with a small market share or few employees, though many argue that would ignore the very real privacy threat from small firms with access to Social Security numbers or other sensitive data. It may also include fewer reporting requirements for startups or smaller firms, which may not have the resources to detail all the data collected on their customers.
Other issues may be more difficult to resolve, including the trend toward a requirement that customers affirmatively opt-in to most kinds of data collection and the tendency of successful startups to leverage vast amounts of consumer data in innovative—and potentially intrusive—ways.
“Small companies—whether they’re startups or not—or companies that don’t have consumer-facing brands, also have a real challenge with an opt-in approach,” said Neil Chilson, a senior technology researcher at the libertarian Charles Koch Institute.
When faced with an unknown brand asking for access to their data, Chilson argued that consumers are more likely to refuse the prompt before they know whether they’ll enjoy the product. “That has a tendency to strengthen the power of companies that already have brand recognition,” he said. “And it makes it much more difficult for companies that don’t have any brand recognition among consumers, including startups.”
The notion that Facebook, Google, and the other major players may benefit from federal privacy regulation through a reduction in competition is a pervasive one in startup circles and throughout the rest of the tech industry.
“Cynically, I am sure that [the big companies] are trying to make sure that these laws are ones that they can comply with,” said West. “And maybe—I hope they’re not crafting them in anti-competitive ways, in ways that stop the next big thing. Because I want to see the next Facebook, the next Google, the next service that is going to provide value to people but also be very privacy-protective.”
West and others say startups will need access to at least some forms of sensitive consumer data if they ever hope to dethrone Facebook, Google, and the rest.
“It is about the venture capitalists who are funding startups,” West said. “They’re not going to be looking at a data-driven concept in the same way that they might have years ago. ... If we overburden the next amazing project with privacy requirements that don’t actually make it a better product for users, then we’re actually missing out on the point.”
Others, however, think it may be time to permanently close off the avenues for data harvesting that made Facebook, Google, and others so successful.
“I think we’re starting to get to a place where there are just certain behaviors that we don’t want companies to engage in,” said Gigi Sohn, a fellow at the Georgetown Law Institute for Technology Law & Policy.
“I do have sympathy with the smaller and middle-sized companies for being lumped in with Google and Facebook and Amazon at every turn,” Sohn said, adding that she could support some limited exemptions for smaller tech companies to avoid “very complicated and burdensome reporting requirements.”
But when it comes to paving the way for the continued collection of data for advertising, artificial intelligence, or algorithmic purposes, Sohn suggested that ship has already sailed. Tech startups and their investors, she argued, will need to adjust to the new paradigm.
“I have no problem with companies using data for the purpose for which it’s intended,” Sohn said. “But companies who want to build another Facebook or another Google, whose entire business models are based on selling my data in order to sell advertising—I don’t care if there’s no more of those! And I don’t think the American people want it either.”