Illustration: Caresse Haaser, Sarah Grillo / Axios
For years, people didn't mind handing their personal information over to social networks so they could chat with friends or take fun quizzes. That's changing in the wake of Facebook's Cambridge Analytica scandal.
What's next: There are lots of signals that data privacy rules of some sort are on the way — including congressional hearings and Mark Zuckerberg's acknowledgment that regulations may not be such a bad thing. The social network also faces state and federal investigations. Look for proposals on data portability, transparency and new opt-in rules. New privacy rules in Europe are also a template.
No federal law spells out what companies trading in personal information can do with user data. No federal agency has clear jurisdiction over writing rules for internet companies. And public concern about personal data falling into the wrong hands has only recently swelled.
Now lawmakers are feeling the heat, but they're far from a consensus on the right approach.
What we're hearing: Congressional aides tell Axios that Zuckerberg's testimony will help determine the next steps. A few options are getting attention:
- Data portability: Giving consumers the ability to yank their data from any company at any time is getting some traction. The concept is modeled in part after the 1996 law that allowed people to keep their numbers when switching phone companies. Rep. David Cicilline, a top Democrat on antitrust issues, told Axios that he's looking at how to make data portability the law.
- Transparency: Sweeping legislation with super-strict data use standards is unlikely. But there's enough public and media outrage that lawmakers on both sides of the aisle could go for a narrower approach, such as requiring companies to clearly disclose how they are collecting, using, and sharing consumers' data.
- Opting in: Facebook has said it will give users more control over how information is shared with third-party apps and will clarify privacy settings. A regulatory approach could be to require companies to get opt-in consent for certain data-related behavior.
- Europe's template: EU regulators view privacy as a human right and have much stricter views about data. A sweeping new law known as the General Data Protection Regulation (GDPR), taking effect in May, is intended to give consumers more control over their data. Congress will be watching how that law plays out, but a U.S. clone isn't seriously being discussed.
- FTC investigation: The FTC could use its active investigation to look at Facebook's broader privacy practices, using its settlement of a previous investigation as a hook for digging in. A couple of options:
  - It could fine Facebook if it finds that the company violated a 2011 agreement to protect consumers' private information. Still, a fine isn't likely to be catastrophic for a company of Facebook's size.
  - The FTC can also hold Facebook to specific conditions for a certain period of time under a settlement.
- A Republican congressional aide said GOP lawmakers could be more inclined to act if the FTC finds it doesn't have the jurisdiction to take action on wrongdoing in the case.
Yes, but: Previous attempts to take action on this issue have failed. Congress has shown sporadic interest in data security legislation, particularly after big data breaches or scandals, but has never been able to get a bill across the finish line. The Obama administration tried to push a Consumer Privacy Bill of Rights, but it ultimately died on the vine.
There are also limits to the approaches that could be considered this time:
- In the past, telecom companies like AT&T and Verizon have balked at rules that apply only to them, as internet service providers, but not to their tech rivals. (They fought hard against the privacy rules the FCC passed in 2016, and celebrated when Congress struck them down last year.) These companies are less likely to fight privacy rules if regulations cover all companies dealing in data.
- An "opt-in" consent requirement is a tough sell for companies: Their digital advertising businesses take a big hit if consumers opt out of data tracking and sharing.
- The FTC can pursue companies for "unfair and deceptive practices," as it did when it reached the settlement with Facebook in 2011. But the FTC does not have the same ability as the FCC to write industry-wide, prescriptive rules. It acts on a case-by-case basis if it finds a company broke a promise to consumers.
What to expect: Tech industry lawyers tell us that policymakers — especially those seeking to rein in tech firms — see privacy rules as more straightforward than antitrust action.
- "It's much easier to get your head around imposing a set of requirements about what you can and can't do with people's information," said one lawyer who works for tech clients. "And now there's a giant bullseye on Facebook."
- Pressure is coming from both parties, suggesting a reasonable bill could actually move through Congress. "Privacy is suddenly a bipartisan issue again," said a regulatory lawyer working on data issues.
Ripple effects: Other online platforms won't get out of this unscathed. Regulatory proposals will drag in the likes of Google, Twitter, Snapchat, Amazon and Microsoft, who'll have to explain why they're different from Facebook.