Spurred by business, White House take initial steps on data privacy

U.S. businesses, concerned by a new European law and a California ballot initiative addressing data privacy, are pushing the government to develop a federal regulatory framework rather than risk a patchwork of state-level rules.

Trump administration officials, who have held early discussions with industry groups like the Business Roundtable and the Information Technology Industry Council, say they’re in the nascent stages of an initiative that has no predetermined outcome. The White House is considering several possible actions, including an executive order directing various government agencies to develop a structure.

A Department of Commerce official said the White House might also opt to launch a more informal interagency process to work with industry on crafting a set of voluntary guidelines. The result could be similar to the National Institute of Standards and Technology’s cybersecurity framework, which has been popular among U.S. businesses.

The administration is not expected to call for new regulation and will instead use its bully pulpit to try to drive behavioral changes. Any national standard would ultimately require Congress to advance legislation, which is unlikely prior to the 2018 midterm elections.

“It’s not a regulatory problem today, and so that’s a starting point that we have to embrace,” a White House official said. “This is not the administration that is going to set up the Federal Internet Commission.”

Apart from the White House initiative, the Federal Trade Commission earlier this week announced it would hold a series of hearings across the country to examine possible changes to laws governing consumer protection and competition.

“What we are afraid of is fragmentation,” Christoph Luykx, chief privacy strategist at CA Technologies, said in a recent interview. “We believe that any law on privacy should be a law that goes through the normal legislative process.”

Navigating regulations that vary from state to state, like insurance requirements, is complex and costly for companies seeking to take advantage of broader markets, and the attempt by privacy advocates in California to launch a ballot initiative that would allow individuals to prevent companies from selling their data alarmed the tech industry. In a compromise, the California legislature will instead soon vote on a related bill.

Scandals involving data at companies like Facebook, which has promised to simplify controls for users, have also raised fears that Congress could try to enact a more sweeping law.

“There is a clear risk of legislation popping up targeting issues that have been raised because of specific companies, but then taking with it a whole swath of other companies that actually might have unintended consequences,” Luykx said.

One worrisome model for U.S. businesses is Europe’s General Data Protection Regulation, or GDPR, which took effect in May. The landmark privacy law, among other things, requires companies to get permissions from users before using personal data for marketing purposes.

President Trump, however, has generally moved in the opposite direction. Last year, he signed a rollback of U.S. broadband privacy rules launched by the Obama administration that would have forced internet service providers to obtain user consent before leveraging an individual’s location or personal information for advertising or marketing. A White House aide said the administration hopes to do something less intrusive.

“We are looking to balance privacy and prosperity, and a heavy-handed regulation will not achieve this goal and will place undue burdens on small business, which are a key constituency for the administration and the future of our economy,” the aide said.

Former President Barack Obama’s own attempt to create a consumer privacy protection framework was a challenging endeavor. The administration’s so-called “Consumer Privacy Bill of Rights Act” initially faced stiff opposition from technology companies who said it was overly burdensome. Conversely, privacy advocates charged that the framework did little to advance data protections.
