Why privacy regulations are no longer a pipe dream
Illustration: Aïda Amer/Axios
Just over a year ago, the notion of passing a consumer privacy law was laughable. Now the tech giants that once said rules would break their business now want Congress to draft bills.
The big picture: Tech giants have made their fortunes peddling users' personal data. A broader public recognition of how powerful their data is (and dangerous in the wrong hands), coupled with a growing distrust in social media and tech companies, have given policymakers more leverage to put in place new regulation — even in an administration focused on de-regulation.
The backstory: Early in the Trump administration, the Republican-controlled Congress overturned the FCC's privacy rules for internet service providers such as AT&T and Comcast. Trade groups for tech companies lobbied behind the scenes to undo the rules, even though the rules didn't apply to web platforms like Google and Facebook.
But that's when the momentum toward federal privacy rules really picked up. Here's how the narrative turned:
1. The data scandals started rolling in. The biggest was Facebook's Cambridge Analytica disaster, in which user data leaked to third-party developers. CEO Mark Zuckerberg was hauled before Congress to explain how it happened.
- Last week, the Washington D.C. attorney general sued Facebook for being "fast and loose" with user data.
- Google said this month it was shutting down its social network Google+ earlier than planned after a software bug exposed private profile data to app developers. It's closure was triggered by another security issue.
- Also over the past year, a number of major companies, including Marriott and UnderArmor, have disclosed data breaches or hacks affecting 100 million customers or more.
- Several media investigations — like the NYT's piece on apps tracking location data 24/7 — show how pervasive tracking is and how that information can be used.
2. Public perception turned. The percentage of Americans concerned that the government wouldn't do enough to regulate tech companies jumped to 55% in February of this year, according to an Axios-SurveyMonkey poll. (Still, most Americans said they largely think tech companies have had positive effects on society.)
3. In Europe, the strict General Data Protection Regulation took effect in May and represented a sea change in how companies notify consumers about their data collection practices.
- That forced companies dealing in data — which is essentially all major companies these days — to request permission before sharing personal data with third parties, and give consumers access to the data that firms have collected about them.
- Because of the high fines associated with not complying with the law, GDPR is now becoming the global standard for how businesses mine consumer data. Some argue that, as a result, the U.S. should have a similar standard.
4. The White House got interested. Staffers in the National Economic Council recognized the global swirl around data privacy and began meeting with major corporations to get feedback on a potential privacy framework.
5. States took matters into their own hands. California passed a law putting restrictions on Google, Facebook and other companies in the business of gathering data directly from consumers. Vermont also passed its own privacy law this year aimed at data brokers.
- That patchwork of different rules makes it tough for internet companies to do business across states — so they'd rather have a national law to pre-empt the states.
6. And the Democrats won the House. After the springtime Zuckerberg hearings, House Democrats vowed to make passing privacy legislation a priority if the House flipped after the mid-terms.
- And 15 Democratic senators have introduced a privacy bill that would require apps, websites and other services that collect data to protect customer information and be subject to fines for misusing data.
Between the lines: Tech companies may say they're on board with privacy rules of some sort, but they've stopped short of committing to specific provisions, such as letting consumers opt in to data collection instead of forcing them to opt out.
What's next: When proposals get fleshed out in early 2019, industry lobbyists will be working hard to shape the details.