Big Tech loves talking up privacy – while trying to kill privacy legislation

Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

These lobbyists, it's claimed, often registered for the first time just before or after the introduction of a privacy bill.

What's more, The Markup found 75 of these lobbyists worked for the same firm, Politicom Law, based in Sausalito, California. They did so on behalf of Apple, Google, Meta, and Microsoft in 21 states where privacy legislation has been proposed.

Politicom did not respond to a request for comment.

As a specific example, the report cites the Colorado Privacy Act, signed last July.

The Markup found that Apple, Amazon, Facebook, Google, and Microsoft had registered 15 lobbyists between them who worked to shape the bill.

Nonetheless, the influence of corporate lobbying doesn't mean the resulting law is without merit.

Margot Kaminski, associate professor at the University of Colorado Law School and the director of the Privacy Initiative at Silicon Flatiron, told The Register in an email that she appreciates several aspects of the Colorado Privacy Act.

"First, it's to my knowledge the only law to prohibit obtaining consumer consent through 'dark patterns' – manipulative website or app design that tricks people into saying 'yes' when they would actually prefer to say 'no,'" she said.

"Second, it gives a lot of discretion to the state AG [Attorney General] around rulemaking, which could result in practice in a fairly robust law. We'll see. Third, the law requires consent for processing sensitive data, not just collecting it. Depending on how broadly the AG implements this, this could reach a lot of companies and meaningfully empower individuals."

Kaminski also said she thinks pretty highly of Stacey Gray, senior counsel at Future of Privacy Forum, one of the organizations The Markup report cites as representing big tech.

"To imply that her views directly represent that of big tech isn't accurate," said Kaminski. "The devil is in the details on these laws," she added, noting that enforcement, interpretation, and rulemaking, among other things, depend on how a given state AG responds.

Justin Brookman, director of technology policy for Consumer Reports, wrote about the concerted effort by tech firms to weaken state privacy bills in a Twitter thread earlier this year.

"Traditionally, most tech companies kind of just lobbied against privacy laws because they didn't want to deal with rules," he explained in a phone interview with The Register. "And then there was enough pressure that a bunch of them were like, 'You know what? We could probably live with a national law that's pretty flimsy.'"

It was about 10 years ago, Brookman said, when Google and Facebook (before its Meta-morphosis) said they'd be fine with that. Then as calls for data privacy grew louder, Facebook became more vocal about the need for federal privacy regulation.

"But nothing ever happens at the federal level," said Brookman. "So you started to see the states do stuff."

After California and other states started passing privacy laws, Brookman said, there was a pivot, and tech companies then said that state legislation was a terrible idea because they didn't want to deal with different laws in each state. And now that it's happening, he said, they've decided to aggressively try to push their own terrible bills.

Brookman said he was skeptical about the chance of getting a federal privacy law anytime soon, though he suggests there's more of a chance now that states like California and Connecticut have fairly strong privacy laws.

Life can be pretty risky for privacy bills. A Connecticut data privacy bill died last year after lobbyists weighed in against it, though the state did pass SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” in April. The Washington Privacy Act collapsed for the third time last year. So did the Oklahoma Computer Data Privacy Act, and similar privacy legislation in Florida.

In some cases, the companies lobbying state lawmakers actually draft the bills that will later be passed to regulate them. That's what happened with the first version of the 2021 Virginia Consumer Data Protection Act, which was penned by an Amazon lobbyist.

Similar claims surfaced in a Reuters report published last November. The news wire found that Amazon "has killed or undermined privacy protections in more than three dozen bills across 25 states…"

Amazon issued a statement challenging the Reuters report. "The premise of this story is flawed and includes reporting that relies on early, incomplete drafts of documents to draw incorrect conclusions," the internet giant said. Amazon also reiterated past statements about its support for privacy.

Asked to comment on The Markup's claims, Amazon did not immediately respond. Nor did Apple or Meta.

A Microsoft spokesperson responded with a request for more detail about how the company might be included in the story, and about whether the other companies mentioned might be mentioned, too.

Google acknowledged supporting organizations that aspire to help consumers without necessarily endorsing the organization's platform – which didn't really address our inquiry about whether it participates in coordinated lobbying against privacy bills and whether there are any specific privacy bills that the company dislikes.

"We openly support a number of organizations advocating for policies that help consumers, and we’re clear that our sponsorship doesn’t mean we endorse that organization’s entire agenda," a Google spokesperson said in an emailed statement.

All of the companies cited by The Markup – Amazon, Apple, Google, Meta, and Microsoft – have dominant or emerging online ad businesses, which rely heavily on data collection.

Brookman said the State Privacy and Security Coalition has been the lead actor in privacy lobbying and represents a wide range of corporate interests, pointing to ISPs as an example.

But he acknowledged there are some common threads related to online ads. "There definitely are provisions I see inserted into laws that would specifically exempt or make it hard to turn off targeted advertising," he said. "Sometimes there's language around pseudonymous data, like cookies, or around allowing you to opt out only to the sale of your data – as a lot of online data sharing isn't a sale."

Brookman also suggested it's too simplistic to treat these large tech firms as a monolith, noting that both Apple and Microsoft have publicly withdrawn from the State Privacy and Security Coalition because they didn't support the group's efforts to weaken privacy laws.

In the absence of a federal law, the states are taking the lead, though where they're headed is still being hammered out.

Kaminski said it's notable that states aren't copying California. Back in 2020, states were copying and pasting text from the California Consumer Privacy Act (CCPA) and inserting it into draft bills, she said. But once states started passing these laws, the Washington bill became the template.

She said there are some things to like about the Washington State bill, such as its emphasis on internal company responsibilities, in the form of impact assessments and data minimization. The bill doesn't put all the burden on individuals and gives people the right to say no to data collection and processing in some instances.

The Washington bill, however, didn't get adopted.

"That law didn't pass in Washington amidst heavy criticism that Microsoft had a large role in drafting it," she said.

"If I were writing a data privacy law carte blanche, I would not necessarily start with the WA law," said Kaminski. "But I also wouldn't necessarily start with the CCPA. There's stuff to like and stuff not to like in each model. The optimist in me is just glad that there's momentum to pass these laws right now and is hoping that a state like Colorado can emerge as a policy leader in important ways."
