back to article CEOs beg for America-wide privacy law... to protect their businesses from state privacy laws

On Tuesday, fifty-one CEOs of major data-using companies urged US lawmakers to pass a national data privacy law, insisting that they're committed to protecting consumer privacy. The executives made their plea as signatories to a letter [PDF] from the Business Roundtable, a trade group, that was sent to Congressional leaders. …

  1. John Savard Silver badge

    If only...

    It's unfortunate both houses of Congress aren't controlled by the Democrats. Then there would be a simple solution: take the California law, and model the Federal law after it, instead of after the helpful suggestions from the industry.

    1. Wade Burchette Silver badge

      Re: If only...

      If you didn't notice, democrat stronghold California was one of only two states that didn't jump on the Google antitrust probe.

    2. Balding Greybeard

      Re: If only...

      YIKES! Surely ye jest.

      The California Law is in some respects more onerous than GDPR. GDPR applies to a natural person, whereas the Cali Law applies to the household. One can only imagine the unintended consequences of that.

      Committees in both the US House and Senate have been holding hearings on GDPR and GDPR like legislation. GDPR adopted in the US would make compliance easier for everyone and provide great consumer protection.

      1. Mark 85 Silver badge

        Re: If only...

        Well, Congress seems to have lots of committees and even investigations. Not much ever comes out of them though since the power behind them has deep pockets filled with cash. So expect to see some showboating and not much else.

      2. bombastic bob Silver badge

        Re: If only...

        yeah DEMO[N,c]RATS just have DIFFERENT corruption than DC Establishment-type RHINO Republo-crats. Having either group in charge (i.e. non-TeaParty politicians) is bad, but the DEMO[N,c]RATS are particularly heinous. Yet when I read between the lines of the original post, it seems he _really_ meant "anybody but TRUMP" [which of course I disagree with - I want MORE Trump and people like him].

        In this regard, Trump's not too happy about what Facebook and Google are up to these days... with their biased filtering and banning algorithms as one example. He's likely to SIGN anything that restricts their influence and power over individuals (even if the DEMO[N,c]RATS write it), as well as stand up for individual rights with respect to data slurping tracking, etc.. The ACLU's been WAY too quiet...

        But try and convince LIBERAL and D.C. ESTABLISHMENT politicians, who get ZILLIONS of dollars from these *evil* entities, to do anything that in ANY way puts a leash or a muzzle on whatever they're up to, and, well, you get the idea.

        This is ALSO why Cali-Fornicate-You rules are more likely to be Google-friendly. [how DO they determine 'household' anyway? by SLURPING your data and THEN using an AI to decide?]

        GDPR seemed to be on the right track, a real stroke of "doing the right thing" by the EU, giving INDIVIDUALS (not groups nor anything 'fuzzy') control of their data, with some transparency.

        (too bad they still can't enforce it properly, as it seems there are constant violations going on from the same people BUYING liberal politicians in the USA)

      3. Mike 137 Bronze badge

        Re: If only...

        "GDPR adopted in the US would [...] provide great consumer protection"

        Unfortunately GDPR is turning out not to provide as much consumer protection as was hoped. There are numerous examples already of it being almost completely ineffective. Quite apart from widespread actual neglect of the law, it's easy and common to circumvent its intent while still appearing compliant, e.g. by invoking "legitimate interest" as a blanket basis for processing.

        The greatest weakness of the legislation is that it's not policed. Enforcement relies on complaints, which means that most instances of non-compliance remain under the radar. Only a tiny proportion of actual instances of non-compliance are ever proceeded against. Plus, the sheer complexity and invisibility of multi-tier data sharing (e.g. via "web analytics" and automated ad broker trawling) can make establishing a supportable complaint well-nigh impossible.

        Adoption of the GDPR in the US would make data transfers between the EEA and the US easier to justify, but would not in any sense make them safer unless compliance with the sprit and purpose of the legislation by all parties concerned were ensured.

        1. LDS Silver badge

          "it being almost completely ineffective."

          It's still too early to say, and it nevertheless had some positive effects. Starting a draconian application from day one would have had the counter effect of many people asking to make it less powerful because it created issues. Yet people like Schrem has now quite powerful tools to fight against the data hoarder.

          It is true that there are political issues about going against US companies that dominate the EU landscape, especially since Trump is using it to justify his trade war.

          1. lglethal Silver badge

            Re: "it being almost completely ineffective."

            I agree with LDS. The firm I work for and all those for which friends and family work for (at least that I've spoken to on this topic) have gone out of their way to try and make sure they're complying with the law. Yes there are still some (the facebooks and googles) who are going out of there way to flout the laws, but the vast majority of firms in Europe or with major dealings with Europe are massively improving their data handling and privacy aspects.

            It's already 1000 times better than it was before. Once the law starts really coming down on the obvious big boys, then you'll see the last outliers brought to heel..

            1. Alan Brown Silver badge

              Re: "it being almost completely ineffective."

              "It's already 1000 times better than it was before."

              Yup. I had an interesting cold call today from a company that started backpedalling as soon as I started asking questions about how they'd managed to link my name against the number they'd called without also knowing the company name.

              It got even more interesting afterwards when discussing it with the ICO - as the company in question claims to be ISO27001 compliant and to have a laundry list of government departments as customers - but the website contains no hint of company or data controller registration information - and whilst an individual complaint about misuse of my data (and their failure to 'fess up about where they got it - most likely an illegally obtained marketing list) will take months to wend its way through the system, the fact that they appear to be an unregistered data controller is the kind of thing that gets someone looking more closely at their activities immediately.

        2. Cederic Bronze badge

          Re: If only...

          There's a very strong challenge in creating a law that provides protections to consumers while also enabling companies to go about their perfectly reasonable business.

          I can't provide a utility service to you without knowing your name and address. I can't charge you without knowing your bank details. I can't properly plan my service delivery, secure capacity and improve my service without tracking your usage. I can't mitigate for you the costs of bad debt by other customers without applying fraud prevention and risk mitigation measures across all customers, as I don't know in advance which customers might default.

          Although I'm having to capture and process a very large amount of information on you, regarding none of which I require your consent, and without any of which I will be unable to provide the service to you at a price you're willing to pay.

          The law obliges me to protect that information, to hold it only as long as needed and holds me to account for the controls needed to assure that any agents acting on my behalf (e.g. meter readers) also look after it.

          So no, I'm not circumventing the law if I act as above, I'm complying with it, in your best interests in every regard, and without the 'legitimate interest' clause I'd incur additional unwanted expenses that I would have to pass on to you.

          disclosure: I'm not actually a utility company and I will not be providing you with a utility service.

          1. LDS Silver badge

            Re: If only...

            Laws like GDPR take into full account the needs you outlined. But GDPR forbids collecting more data than you need to deliver a service and to use the data you need at will beyond providing the service, without the user explicit consent. And there is a class of "sensitive data" which do require specific permission for collecting and processing.

            Here the law even before GDPR separated the consent to use data for delivering a service from using and transferring/selling them for marketing purposes. One effect, for example, is that I don't receive any unsolicited phone calls or messages because I've been very careful not to consent for such uses since the law was introduced in 1997 - yes, twenty-two years ago. It was updated in 2003 and now integrated with GDPR.

            It show it's possible and sometimes even politicians can think of the people - but I'm afraid the US systems has been paralyzed by too many lobbying money.

            1. swm Bronze badge

              Re: If only...

              I signed up for the "do not call" list and, as far as I can tell, the marketeers are using this list for marketing leads.

          2. Alan Brown Silver badge

            Re: If only...

            "There's a very strong challenge in creating a law that provides protections to consumers while also enabling companies to go about their perfectly reasonable business."

            No, there isn't. GDPR allows companies to use customer data for the purposes of doing business with the customer.

            What it DOES NOT allow is unconsented selling on of customer data to third parties or use of it in marketing campaigns - or of keeping said data in an unsecure manner.

            You can even stuff a flier in my latest widgets order. What you can't do is sell my data to marketing companies so they can bombard me with widget-related crap, or to Experian so they can build a shadow profile of my shopping habits.

            If you're a power company, bombarding me with marketing for "smart meters" separate to my actual bills is probably pushing past that line too - I'm about to find out on that one because I'm now getting 4 letters from EDF breathlessly telling me I can have a smartmeter installed for every actual statement.

            1. Cederic Bronze badge

              Re: If only...

              You tell me there's no challenge then immediately describe a situation that presents a challenge.

              In your situation EDF may be obliged to inform you that a smart meter is available. They are certainly writing to you for legitimate purposes and why wouldn't they have control over what they say when they do write to you?

              But the really confusing question is why on earth you're with EDF in the first place, instead of switching to a cheaper provider.

      4. Cederic Bronze badge

        Re: If only...

        While my dislike for the EU borders on contempt I happily acknowledge that GDPR is an excellent legal framework, and as enacted in the UK the Data Protection Act is an excellent law.

        Unless you're an abusive company, of course.

        I can heartily recommend the GDPR in its current form to the US.

    3. robidy

      Re: If only...

      Taking forward you political point, there are plenty of Democrat controlled states that could implement the California model.

    4. LDS Silver badge

      Re: If only...

      California adopted it only to avoid a ballot that could have been even better - and in the hope to be able to amend it later. Thus, not very different from what's happening at the federal level.

      Still, even the California law lacks many GDPR provisions - like the opt-in model instead of the opt-out.

    5. eldakka Silver badge

      Re: If only...

      This has nothing to do with democrats or republicans. Neither party wanted or were going to approve a privacy bill.

      Their hands were forced by a referendum proposition that would have been put forward otherwise.

      Roughly, in California, private individuals can submit proposals for a referendum ballot. If they get enough signatures, enough support, then the proposal must be put to the people, the government can't block it. There was such a proposal going forward, it had the support to be put on the appropriate ballots without government being able to stop it.

      If the proposal is approved in the referendum, then it is now the law. The government has no influence over it anymore. What is in the proposal is it, end of story. It's a California state constitutional rule.

      To avoid having their hands tied, the government entered into a private agreement with the proposers to withdraw the proposal on the condition that the government would put a similar proposal into law. Which is what has happened.

      With this being a law, as opposed to a constitutional amendment that stands as-is, the legislature of the state has the opportunity to amend, modify, change the legislated law in the future. Which they couldn't do with a referendum-approved proposition.

      So no, this law wasn't passed out of the goodness of the legislatures hearts, whether republican or democrat. It was a purely defensive act to mitigate something that was a fait accompli.

  2. DCFusor Silver badge

    Of course since they have both money to lobby and control of what we see - and therefore own the government, they'll get what laws they want. Begging is just for show.

    The future, even if private...well now, the past starts now, right? I mean less than a nanosecond ago. Some SciFi writer (Asimov?) did a story on how a device that let you look into the past would instantly destroy civilization. While the posited device was fancier, we have one already. We call it a disk drive.

    1. Dinanziame

      'The Dead Past', by Isaac Asimov (indeed).

      Published in 1956. How's that for insight into the future?

      1. LDS Silver badge

        I like that novel a lot because it shows very well what happens when skilled people can see only one good use of the discoveries and technologies they build - while they are utterly blind to some other obvious and dangerous uses.

        1. BebopWeBop Silver badge

          well short story, but yes I agree, and with an interesting twist on government interference.

  3. Kevin McMurtrie Silver badge

    Urged US lawmakers?

    Surely you meant "offered monetary contributions to US lawmakers" or this would be no more powerful than "letters to the editor."

  4. doublelayer Silver badge

    Suggested change

    I suggest we change the last slogan in the subtitle. Rather than the 1984-inspired contradictory statement, I believe the one introduced in the book The Circle better represents what these companies think. That slogan was "Privacy is theft.", and the fictional company clearly meant it. Let's hope we can prevent that from becoming instated in law with only a thin attempt at disguising it.

  5. Anonymous Coward
    Anonymous Coward

    US lawmakers must understand

    they too and their families will fall victims to data slurpers if this gang of filthy rich corporations will get its way.

    1. LDS Silver badge

      Re: US lawmakers must understand

      I'm sure companies can think about some specific exceptions, if they don't do already. For example, I don't believe Google execs use the same Android version other people have to use, with the same level of slurping and tracking....

    2. bombastic bob Silver badge

      Re: US lawmakers must understand

      Elitists ONLY think of themselves, specifically their power, and maintaining that power. And they *KNOW* they can exempt themselves, later, with a nudge nudge wink wink know-what-I-mean

      Politicians *NEVER* suffer under the legislation they write. Only THE PEOPLE are subject to that legislation. Politicians have rigged it that way for DECADES. Obaka-"Care" was one of the PRIMARY examples, how the HR and Senate had "their plan" and everybody ELSE gets SHAFTED with Obaka-"Care". So typical.

      Or the 'do not call list' - political robo-calls are EXEMPTED.

    3. Anonymous Coward
      Anonymous Coward

      Re: US lawmakers must understand

      You act like they haven't already slurped politicos' data. There are almost certainly J. Edgar Hoover-style negotiations going on about this right now.

  6. bazza Silver badge

    Outsider's Point of View

    It would be madness to end up with a hotch-potch of different laws across the USA. Having one *good* one across the whole nation would make everything a whole lot easier.

    Also, what'd there be to prevent the most stringent varation of the law spreading? If one moved to a state where there were more rights for the consumer, wouldn't that require service providers to "upgrade" one's account given one's new residency and conferred rights? Or would they try and sustain the position that the law that applied was the one for the state where one resided when the account was first opened? That sounds equally unmanageable. An IP address geolocation is not a certain indicator of state resisdency; one might open a Facebook account when visiting rather than living there.

    1. bombastic bob Silver badge

      Re: Outsider's Point of View

      "It would be madness to end up with a hotch-potch of different laws across the USA"

      This should remain AS A THREAT to the "data slurp" industry, making them willing to allow something with enough teeth to do any good... but these days, in THIS election environment, I suspect they've already gone TOO FAR with the politicians they're buying. So the people to convince about GDPR-like laws are Republicans that support Trump. Most of THEM don't like Federal overreach, and so whatever laws DO exist have to be like the Anti-trust laws from a century ago [which were, incidentally, accomplished by a Republican president, Teddy Roosevelt].

      The 'hotch-potch' as you call it [not sure what the correct spelling is, maybe yours?] would make compliance difficult if they CONTINUE TO SLURP AND TRACK. So in a way it drives them to STOP IT with the evil data slurp/leverage even FASTER, due to the cost of continuing it.

    2. Zippy´s Sausage Factory

      Re: Outsider's Point of View

      One good strong federal law would be ideal. But what's being proposed is one weak and ineffectual one, in order to stop strong ones being enacted, so that the tech companies don't have to change what they're currently doing in any way, shape or form.

      In my opinion Android only gets privacy controls because Apple make them a selling point. If Apple weren't making privacy a selling point, Android would happily tell every app everything about you it ever asked for.

      1. Cederic Bronze badge

        Re: Outsider's Point of View

        I don't agree. Android would still constrain apps as those are how Google entice users to their platform, and that grants Google access to the users' data.

        Google would suffer from apps misusing data, so it's in their interests to constrain the apps. If only they could constrain themselves.

  7. Oengus
    Big Brother

    Minimum requirement

    The minimum requirement of the federal law should be, at least, the most strict of the state legislations (current and future) and if there are some states with more restrictions in one area and less in another then the highest privacy rights apply. The other thing is the legislation must have easily enforceable penalties and the penalties must be high enough to be a real financial deterrent. Also the penalty payments must be able to be distributed to the individuals impacted by any breach of the legislation without the individuals having to jump through onerous or complicated processes.

    1. swm Bronze badge

      Re: Minimum requirement

      Fines are ineffective. You have to jail the violators.

  8. Anonymous Coward
    Anonymous Coward

    Translation: We don't want to pay off individual states to usurp privacy and would rather just do it through congress once where our gifts and donations to politicians will in no way influence any decisions made.

  9. Nick Kew Silver badge

    Makes sense

    Take away dodgy motivations and the problems of a single point of lobbying and potential corruption, and the underlying point makes perfect sense. In any walk of life, industry accepts that it will be subject to red tape and compliance is a cost of business. Asking for one set of red tape and compliance costs rather than 50 makes complete sense.

    It's the same argument Mrs Thatcher used, to convince the EU to adopt her greatest idea - the Single Market.

    1. LDS Silver badge

      Re: Makes sense

      The common market and custom union aims was there since the inception of ECC in 1958 - when UK was outside, hardly a Thatcher idea. ECSC had already created a "common market" for coal and steel.

      It is true that Thatcher saw the advantages and relaunched the idea when it was moving too slowly and worked hard to make it really working.

      Just, it worked so well UK didn't understand it couldn't stop integration there....

      1. Nick Kew Silver badge

        Re: Makes sense

        The original common market was a much more limited free trade area. Coal and steel, and lack of tariffs. But if you were doing business in an area involving elfin safety, consumer protections, etc you had to deal with red tape on a country-by-country basis. Not that there was much of that in those days: if your toy had jagged edges, that was no business of the law (kid I knew at primary school managed to lose an eye).

        For example, my first bike (as a child) wasn't legal under UK law due to not having a front brake, but was a lot easier for a child to ride due to both gear change and brake being back-pedal operated. And safer: borrowing a bike with a front brake, I went head-over-heels braking on the downhill! Mrs Thatcher's single market was about making it easy for a bike manufacturer to find a single set of rules that would make its bikes legal to sell throughout the EU.

        Particularly important in areas like medicines, where red tape is complex and compliance onerous and very expensive.

        1. LDS Silver badge

          Re: Makes sense

          I would suggest you to read the Treaty of Rome text, but I'm afraid there's no official English version...

          Anyway, art. 3(h) explicitly stated the converging of national legislation as necessary to make the common market work.

          You can read a summary here:

          Again, it is true despite the treaty aims things didn't go quick as they should have, and UK gave a big boost in the 1980s achieving it, but the ideas were already there in 1958, Ms Thatcher just built on it.

          In turn now UK complained about the EU regulations and wanted to regain control....

  10. Drew Scriver

    "Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services,"

    This is complete and utter nonsense.

    If they really believed in this argument they would also be calling for a federal VAT to replace the current 14,000 sales tax brackets, federally governed insurance coverage (e.g. car insurance, which differs in mandatory coverage per state), medical requirements (e.g. some states require a prescription for physical therapy, while other do not), and so forth, call/conversation recording laws (which differ per state), and so forth.

    If these CEOs really meant it they would be announcing that their companies are going to apply GDPR globally since their European subsidiaries already have to do this anyway.

    As people are rightfully concluding, this is merely a ploy to ensure that the privacy laws are controlled by the corporations (through donations to politicians and lobbying).

    1. Keven E

      Well said, DS. (exactly the quoted section I was gonna rip one over)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019