Ever since the Cambridge Analytica scandal last summer, consumer data privacy has been a hot topic in Congress. The witness table has been dominated by the biggest platforms, with those in lockstep with the tech giants earning the vast majority of attention. However, this week marked the first time that opposing views had a chance to fight back. The Senate Judiciary committee held a hearing called GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation, and unlike previous hearings, this hearing featured two groups of panelists with contradictory viewpoints.
While we still call for a panel that puts consumer advocates and tech giants at the same table to discuss consumer privacy, we appreciate that Judiciary Chair Sen. Lindsey Graham included representatives from DuckDuckGo and Mapbox to discuss how they are able to run successful businesses while also respecting user privacy. It’s clear after this hearing that companies who deliberately over-collect data and sidestep user privacy are making a business choice, and they could choose to operate differently.
Privacy Can Be Good for Business
In his opening statement, CEO and Founder of DuckDuckGo Gabriel Weinberg said that, “Privacy legislation is not anti-advertising…[our] ads won’t follow [the user] around, because we don’t know who you are, where you’ve been, or where you go. It’s contextual advertising versus behavioral advertising.” Press investigations have exposed, time and again, that large tech companies will often choose their profits over your privacy. This underscores the need for stronger privacy laws across the country, and it helps to have another tech CEO tell the Senate that well-drafted privacy legislation can spur more competition and innovation.
In fact, Sen. Graham immediately followed up on this point, asking Google’s Senior Privacy Counsel, Will DeVries, to explain how much of Google’s revenue from search terms comes from contextual advertising versus behavioral advertising. Despite being repeatedly pressed by Sen. Graham, DeVries declined to answer and promised to get back to the Senator privately. It’s unfortunate that he couldn’t—or wouldn’t—answer the question. It’s not the first time companies have muddied the waters on this point. Facebook CEO Mark Zuckerberg has previously claimed that users prefer targeted ads, a claim without much merit. It would be useful for Congress (and users) to know if the reason for these claims is because the business models depend on it. We hope Sen. Graham keeps asking that question and receives a real answer.
But we cast doubt on the assertion that new privacy laws kill businesses. During the second panel, the Judiciary committee’s top Democrat, Senator Dianne Feinstein, asked if the GDPR was bad for business. CDT’s Michelle Richardson responded by saying that because the GDPR is so new, we don’t yet know its effects. Richardson also cited a Cisco study that cites evidence that organizations in Europe that are ready for the GDPR are benefiting from their privacy investments.
As we have said before, the real proof of the GDPR’s provisions will be in how they are enforced, and against whom. Those answers will only emerge as European regulators begin to use their new authorities. Similarly, state laws such as BIPA in Illinois and Vermont’s data privacy law, and the CCPA, are still so new that we don’t entirely know their impact. Congress needs to allow the laws to work and the courts to make decisions before they get involved.
Privacy Doesn’t Have to Be Complicated
And then there is the question of whether users actually have a choice. Freshman Sen. Josh Hawley asked DeVries whether users can fully turn off all Google’s location tracking services on their Android phones. DeVries responded that location tracking is required to “perform basic functions” on the phone. In other words, no—even if a consumer consciously chooses to turn off location tracking on their Android phone, Google is still tracking them. That’s a big deal, and Sen. Hawley noticed:
Here’s my basic concern … that Americans have not signed up for this…They think they can opt out of the tracking that you’re performing, but they can’t meaningfully opt out.
DeVries offered to follow up with Sen. Hawley later on Google’s tracking practices, saying, “I understand it’s a complicated topic.” “I don’t think it’s that complicated,” Sen. Hawley responded. Again, it’s disappointing that DeVries wouldn’t answer the question in a public hearing. Android users should have the right to know why they can’t ever turn off collection of sensitive (and apparently, valuable) data.
Build a Floor, Not a Ceiling
States across the country have already enacted laws to create strong protections for user privacy. Republicans and tech industry leaders who resist these restrictions have gone on record calling for federal preemption of state privacy laws. They say they want “one national standard” in order to avoid a “patchwork” of regulations—which could moot an ongoing class action suit against Facebook in Illinois and wipe out the CCPA.
We were pleased to hear Senator Feinstein say that people should control their data with opt-in consent and that she would oppose efforts to water down the CCPA through a federal privacy law during the hearing, saying “I will not support any federal privacy bill that weakens the California standard.”
Senator Richard Blumenthal followed up by saying there is “a bipartisan core of support for adopting a law that regards California as a floor, not a ceiling, in terms of privacy standards for both the expectations of what the standard should be as well as enforcement.”
We are glad to see these senators take such a strong stand for privacy protections at the state level. We look forward to working with them and hope Congress will continue inviting different viewpoints to the table to work on strong, comprehensive privacy protections for all Americans.