On Tuesday, fifty-one CEOs of major data-using companies urged US lawmakers to pass a national data privacy law, insisting that they're committed to protecting consumer privacy.
The executives made their plea as signatories to a letter [PDF] from the Business Roundtable, a trade group, that was sent to Congressional leaders.
Their respective companies – among them Amazon, AT&T, Bank of America, Comcast, Dell, General Motors, IBM, Qualcomm, Salesforce and SAP, to name a few – "rely on data and digital platforms every day to deliver and improve our products and services," as the letter notes.
But these are not information addicts seeking absolution through the penitence of privacy; rather, they're unrepentant data junkies seeking federal relief from state-level restrictions. In other words, they want a soft America-wide law to protect them from tough privacy laws set by individual states.
"Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services," the letter states.
The show of concern for consumers is touching, but the letter's corporate signatories should have used the word "companies" in place of "consumers."
Business leaders don't want to have to comply with different privacy standards in every US state. And they say as much in the Business Roundtable Framework for National Consumer Privacy Legislation [PDF], a set of guidelines designed to ensure that federal lawmakers craft rules less restrictive than states like California and Illinois.
Save us from the states
The California Consumer Privacy Act, A.B. 375, takes effect at the start of 2020 and it establishes a series of new rights for those living in the state. These include: a right to ask data-collecting businesses to reveal the types of data collected and specific personal information; a right to ask such businesses to delete one's personal information; a right to opt-out of having one's personal information sold; and a private right of action, allowing individuals to sue over data exposure.
The Business Roundtable Framework would add escape hatches to avoid or dilute the obligations described under California's law. For example, in situations where organizations that have a relationship with consumers provide consumer data to service providers, those service providers "should not be expected to provide transparency or control directly to consumers."
Similarly, the group will accept that consumers "should also have the opportunity to make choices with respect to the sale of personal data to non-affiliated third parties," but that wording allows the sale of personal data to affiliated third parties – business partners and subsidiaries, in other words. Also, the group doesn't want individuals to have a private right to take legal action over privacy claims.
"One of the things that's important about the framework is that it doesn't want a private right of action," said Lee Tien, senior staff attorney at the Electronic Frontier Foundation, in a phone interview with The Register.
Tien said that laws have to be enforceable and if they depend on the willingness of government officials to bring claims, consumers will remain at the mercy of politicians. He likened the situation to having a speed limit where only one person can write a very big ticket to discourage other drivers from driving too fast.
As browser rivals block third-party tracking, Google pitches 'Privacy Sandbox' peace planREAD MORE
"When you can't hire of lawyer to sue on your behalf, it's a lot harder to cause the companies to change the practices that are problematic," he said.
In an email to The Register, Dipayan Ghosh, co-director of the Digital Platforms & Democracy Project and Shorenstein Fellow at the Harvard Kennedy School, a former privacy and public policy advisory at Facebook, and technology and economic policy advisor at the White House during the Obama administration, said the letter shows an effort by corporate leaders to appear to support privacy while pushing to preempt California's rules.
"The Business Roundtable’s letter is a signal that the industry opposes the consumerist approach to privacy protection that has been adopted in California," said Ghosh. "For the Business Roundtable's legislative proposal to suggest preemption of California is alarming but predictable."
"We need a stringent consumer privacy standard moving forward – and the industry must start from a place of real contrition for the numerous data breaches and privacy incidents that have occurred at firms that are members of the Business Roundtable," said Ghosh. ®