Big Tech loves talking up privacy – while trying to kill privacy legislation
Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules
Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.
That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.
The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.
These lobbyists, it's claimed, often registered for the first time just before or after the introduction of a privacy bill.
What's more, The Markup found 75 of these lobbyists worked for the same firm, Politicom Law, based in Sausalito, California. They did so on behalf of Apple, Google, Meta, and Microsoft in 21 states where privacy legislation has been proposed.
Politicom did not respond to a request for comment.
As a specific example, the report cites the Colorado Privacy Act, signed last July.
The Markup found that Apple, Amazon, Facebook, Google, and Microsoft had registered 15 lobbyists between them who worked to shape the bill.
Nonetheless, the influence of corporate lobbying doesn't mean the resulting law is without merit.
Margot Kaminski, associate professor at the University of Colorado Law School and the director of the Privacy Initiative at Silicon Flatirons, told The Register in an email that she appreciates several aspects of the Colorado Privacy Act.
"First, it's to my knowledge the only law to prohibit obtaining consumer consent through 'dark patterns' – manipulative website or app design that tricks people into saying 'yes' when they would actually prefer to say 'no,'" she said.
"Second, it gives a lot of discretion to the state AG [Attorney General] around rulemaking, which could result in practice in a fairly robust law. We'll see. Third, the law requires consent for processing sensitive data, not just collecting it. Depending on how broadly the AG implements this, this could reach a lot of companies and meaningfully empower individuals."
Kaminski also said she thinks pretty highly of Stacey Gray, senior counsel at Future of Privacy Forum, one of the organizations The Markup report cites as representing big tech.
"To imply that her views directly represent that of big tech isn't accurate," said Kaminski. "The devil is in the details on these laws," she added, noting that enforcement, interpretation, and rulemaking, among other things, depend on how a given state AG responds.
Justin Brookman, director of technology policy for Consumer Reports, wrote about the concerted effort by tech firms to weaken state privacy bills in a Twitter thread earlier this year.
"Traditionally, most tech companies kind of just lobbied against privacy laws because they didn't want to deal with rules," he explained in a phone interview with The Register. "And then there was enough pressure that a bunch of them were like, 'You know what? We could probably live with a national law that's pretty flimsy.'"
It was about 10 years ago, Brookman said, when Google and Facebook (before its Meta-morphosis) said they'd be fine with that. Then as calls for data privacy grew louder, Facebook became more vocal about the need for federal privacy regulation.
"But nothing ever happens at the federal level," said Brookman. "So you started to see the states do stuff."
After California and other states started passing privacy laws, Brookman said, there was a pivot, and tech companies then said that state legislation was a terrible idea because they didn't want to deal with different laws in each state. And now that it's happening, he said, they've decided to aggressively try to push their own terrible bills.
Brookman said he was skeptical about the chance of getting a federal privacy law anytime soon, though he suggests there's more of a chance now that states like California and Connecticut have fairly strong privacy laws.
Life can be pretty risky for privacy bills. A Connecticut data privacy bill died last year after lobbyists weighed in against it, though the state did pass SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” in April. The Washington Privacy Act collapsed for the third time last year. So did the Oklahoma Computer Data Privacy Act, and similar privacy legislation in Florida.
In some cases, the companies lobbying state lawmakers actually draft the bills that will later be passed to regulate them. That's what happened with the first version of the 2021 Virginia Consumer Data Protection Act, which was penned by an Amazon lobbyist.
Similar claims surfaced in a Reuters report published last November. The news wire found that Amazon "has killed or undermined privacy protections in more than three dozen bills across 25 states…"
Amazon issued a statement challenging the Reuters report. "The premise of this story is flawed and includes reporting that relies on early, incomplete drafts of documents to draw incorrect conclusions," the internet giant said. Amazon also reiterated past statements about its support for privacy.
Asked to comment on The Markup's claims, Amazon did not immediately respond. Nor did Apple or Meta.
A Microsoft spokesperson responded with a request for more detail about how the company might be included in the story, and about whether the other companies mentioned might be mentioned, too.
Google acknowledged supporting organizations that aspire to help consumers without necessarily endorsing the organization's platform – which didn't really address our inquiry about whether it participates in coordinated lobbying against privacy bills and whether there are any specific privacy bills that the company dislikes.
"We openly support a number of organizations advocating for policies that help consumers, and we’re clear that our sponsorship doesn’t mean we endorse that organization’s entire agenda," a Google spokesperson said in an emailed statement.
All of the companies cited by The Markup – Amazon, Apple, Google, Meta, and Microsoft – have dominant or emerging online ad businesses, which rely heavily on data collection.
Brookman said the State Privacy and Security Coalition has been the lead actor in privacy lobbying and represents a wide range of corporate interests, pointing to ISPs as an example.
But he acknowledged there are some common threads related to online ads. "There definitely are provisions I see inserted into laws that would specifically exempt or make it hard to turn off targeted advertising," he said. "Sometimes there's language around pseudonymous data, like cookies, or around allowing you to opt out only to the sale of your data – as a lot of online data sharing isn't a sale."
Brookman also suggested it's too simplistic to treat these large tech firms as a monolith, noting that both Apple and Microsoft have publicly withdrawn from the State Privacy and Security Coalition because they didn't support the group's efforts to weaken privacy laws.
In the absence of a federal law, the states are taking the lead, though where they're headed is still being hammered out.
Kaminski said it's notable that states aren't copying California. Back in 2020, states were copying and pasting text from the California Consumer Privacy Act (CCPA) and inserting it into draft bills, she said. But once states started passing these laws, the Washington bill became the template.
She said there are some things to like about the Washington State bill, such as its emphasis on internal company responsibilities, in the form of impact assessments and data minimization. The bill doesn't put all the burden on individuals and gives people the right to say no to data collection and processing in some instances.
The Washington bill, however, didn't get adopted.
"That law didn't pass in Washington amidst heavy criticism that Microsoft had a large role in drafting it," she said.
"If I were writing a data privacy law carte blanche, I would not necessarily start with the WA law," said Kaminski. "But I also wouldn't necessarily start with the CCPA. There's stuff to like and stuff not to like in each model. The optimist in me is just glad that there's momentum to pass these laws right now and is hoping that a state like Colorado can emerge as a policy leader in important ways." ®