Congress is taking the first steps toward setting national rules governing how companies use consumers data — although one of its goals might be to prevent states from enacting stronger privacy protections of their own.
The approach being pondered by policymakers and pushed by the internet industry leans toward a relatively light government touch. That's in contrast to stricter European rules that took effect in May and a California law that takes effect in 2020. Other states are also considering more aggressive protections.
However it works out, any regulatory push will find it challenging to reconcile the concerns of privacy advocates who want people to have more control over the use of their personal data — where they've been, what they view, who their friends are —and the powerful companies who mine that information for profit.
During a Senate hearing Wednesday, several Democratic senators warned that a national law could simply be used to override state efforts. Calling that pre-emption the "Holy Grail" for the industry, Democratic Sen. Brian Schatz of Hawaii said it won't get the bipartisan support it needs if the goal is merely to replace California's law with a weaker, "non-progressive" federal statute.
Senior executives from AT&T, Amazon, Apple, Google, Twitter and Charter Communications all told senators that they support a federal proposal that could negate "inconsistent" state privacy laws. Facebook, which faced a major congressional grilling over privacy back in April, was not present at the hearing.
Apple, which doesn't rely on advertising for revenue, was the most vocal in support of a stronger federal law. Bud Tribble, Apple's vice president of software technology, said the bar would have to be "high enough in the federal legislation" to provide meaningful consumer protections.
The Senate Commerce Committee hearing comes amid increasing anxiety over safeguarding consumers' data online and recent scandals that have stoked outrage among users and politicians. The committee's chairman, Republican Sen. John Thune of South Dakota, said both Republicans and Democrats now want to reach consensus on a national privacy law that "will help consumers, promote innovation, reward organizations with little to hide and force shady practitioners to clean up their act."
An early move in President Donald Trump's tenure set the tone on data privacy. He signed a bill into law in April 2017 that allows internet providers to sell information about their customers' browsing habits. The legislation scrapped Obama-era online privacy rules aimed at giving consumers more control over how broadband companies like AT&T, Comcast and Verizon share that information.
Allie Bohm, policy counsel at the consumer group Public Knowledge, said examples abound of companies not only using the data to market products but also to profile consumers and restrict who sees their offerings: African Americans not getting access to ads for housing, minorities and older people excluded from seeing job postings.
What is needed, privacy advocates maintain, is legislation to govern the entire "life cycle" of consumers' data: how it's collected, used, kept, shared and sold.
The 28-nation European Union put in strict new rules this spring that require companies to justify why they're collecting and using personal data gleaned from phones, apps and visited websites. Companies also must give EU users the ability to access and delete data, and to object to data use under one of the claimed reasons.
A similar law in California will compel companies to tell customers upon request what personal data they've collected, why it was collected and what types of third parties have received it. Companies will be able to offer discounts to customers who allow their data to be sold and to charge those who opt out a reasonable amount, based on how much the company makes selling the information.
Andrew DeVore, Amazon's vice president and associate general counsel, told the Senate panel Wednesday that it should consider the "possible unintended consequences" of California's approach. For instance, he said the state law defines personal information too broadly such that it could include all data.
The California law doesn't take effect until 2020 and applies only to California consumers, but it could have fallout effects on other states. And it's strong enough to have rattled Big Tech, which is seeking a federal data-privacy law that would be more lenient toward the industry.
"A national privacy framework should be consistent throughout all states, pre-empting state consumer-privacy and data security laws," the Internet Association said in a recent statement . The group represents about 40 big internet and tech companies, spanning Airbnb and Amazon to Zillow. "A strong national baseline creates clear rules for companies."
The Trump White House said this summer that the administration is working on it, meeting with companies and other interested parties.
The goal is a policy "that is the appropriate balance between privacy and prosperity," White House spokeswoman Lindsay Walters said. "We look forward to working with Congress on a legislative solution."
Matt O'Brien reported from Providence, Rhode Island.