In 2020, lawmakers have lots of ideas about how to regulate tech companies. After the 2016 presidential contest and years of investigations from intelligence experts, Congress woke up to the power Big Tech holds over democracy — whether it’s through collecting data or serving up political ads. For legislators, it feels like time to rein in that power. New bills are introduced every day, creating a sea of regulatory threats that’s difficult to keep straight as time goes on.
A majority of these measures will never make their way into a committee hearing, and even fewer will be signed into law. But taken as a whole, they give us a sense of what a major tech regulation bill might look like this Congress. And as the 2020 election season takes off, that picture is more urgent than ever.
This is a living guide and will be updated as events warrant.
Crafting a federal data privacy framework
The biggest regulatory target is all of the data tech companies collect from their users, so many legislators are pushing for a far-reaching federal law to regulate personal data, akin to Europe’s General Data Protection Regulation (GDPR). The fight hit a tipping point after the 2016 election when Facebook was found to have provided London-based data firm Cambridge Analytica with access to data from over 87 million of its users. In theory, comprehensive data protections would stop such a scandal from happening again.
At this point, lawmakers largely agree that consumers should have more control over the data they produce and that privacy policies should be written in ways the average consumer can better understand. Most bills empower consumers with the abilities to delete, correct, or transfer their data to a competing service. Both major parties agree that if a company wants to collect sensitive pieces of information from you, you should have to opt in to that collection, not opt out once you’ve realized what’s happening.
But while Republicans and Democrats agree on many basic principles, there’s been little space for compromise on the gritty details of the law. Republicans have fought particularly hard to keep states and local governments from crafting their own, stricter laws once a federal privacy framework is signed into law, a provision known as “federal preemption.” If the bill includes a preemption clause, it would overrule laws like the California Consumer Protection Act (CCPA) and Illinois’ biometric data laws, a deal-breaker for many Democrats.
The parties also disagree on whether everyday consumers should be able to sue tech companies for misusing their data. In December 2019, Sen. Maria Cantwell (D-WA), the top Democrat on the Senate Commerce Committee, which is tasked with writing data regulations, put out her own bill called the Consumer Online Privacy Rights Act of 2019 (COPRA). That bill would empower consumers with the ability to sue platforms that misuse their data. To Republicans, a private right of action like what’s laid out in COPRA is a total nonstarter. Conservatives are afraid that companies could be sued into oblivion if a private right of action is included in a final law.
Once there are rules to enforce, Congress needs to decide who enforces them. The Federal Trade Commission has been the default choice as the US’s primary consumer protection agency, but many lawmakers see the FTC as toothless. If the agency is tasked with enforcing data rules, its authority may need to be expanded, including the power to fine offending companies the first time they break the incoming rules.
This skepticism over the FTC’s power has inspired some policymakers to look to an entirely new agency for privacy enforcement. Last year, Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) released their Online Privacy Act that, aside from creating a privacy framework, would build an independent agency focused on data privacy. That idea drew support in the Senate earlier this year when Sen. Kirsten Gillibrand (D-NY) released her Data Protection Act, which would establish a similar agency.
The bills we’re watching:
- S. 2968 - Consumer Online Privacy Rights Act: Introduced in the Senate
- Draft Senate bill - United States Consumer Data Privacy Act
- S. 3300 - Data Protection Act: Introduced in the Senate
- S. 2637 - Mind Your Own Business Act: Introduced in the Senate
- S. 847 - Commercial Facial Recognition Privacy Act: Introduced in the Senate
- House discussion draft: Energy and Commerce Committee
Updating the Children’s Online Privacy Protection Act
Republicans and Democrats may not be able to agree on how to regulate the tech industry’s collection of everyone’s data, but children’s data falls under special rules. The Children’s Online Privacy Protection Act (COPPA) sets special rules for users under the age of 13, effectively barring conventional data collection practices. Most recently, the FTC used its authority under COPPA to fine YouTube $170 million and TikTok $5.7 million for violating the law.
But lawmakers fear that COPPA isn’t tough enough to take on Big Tech’s abuses over children’s data. In March 2019, COPPA’s original author, Sen. Ed Markey (D-MA), paired up with freshman senator and tech hawk Josh Hawley (R-MO) for a bipartisan attempt at updating the landmark children’s privacy law.
“Congress needs to get serious about keeping our children’s information safe, and it begins with safeguarding their digital footprint online,” Hawley said last year.
That sentiment spread from the Senate into the House of Representatives in January 2020 when Reps. Tim Walberg (R-MI) and Bobby Rush (D-IL) introduced the PROTECT Kids Act. The Markey-Hawley and Walberg-Rush measures are very similar; they both would require platforms to roll out “eraser buttons” for parents who want to delete all of the information a company has on their child at once. The Senate bill raises the age of covered children to under 15, but the House bill goes up to children under 16.
If lawmakers can agree on a few of these key details, a COPPA compromise could be in our future.
The bills we’re watching:
Rules for digital advertising
In an age of Russian election interference, digital ads can be a problem even if there’s no issue with user data. The Honest Ads Act, first sponsored by Sens. Amy Klobuchar (D-MN), Mark Warner (D-VA), and John McCain (R-AZ), was the first proposal to regulate digital ads in the aftermath of the 2016 election. It would amend one of the biggest campaign reform acts to make it through Congress ever, the Bipartisan Campaign Reform Act (BCRA), to force political campaigns to follow the same advertising standards they do on television and radio when they pay for ads on large social media platforms like Facebook and Google. Those same platforms that profit off of those digital advertising dollars would be forced to maintain a public database of all of these ads, disclosing details like the rates charged and the number of people who saw them.
The bill was first introduced in 2017, but the discussion surrounding political ads has evolved tremendously in the three years since it was proposed. Former Sen. Al Franken (D-MN) encapsulated Congress’ anger over digital advertising in comments made to a Facebook lawyer in October 2017:
How did Facebook, which prides itself on being able to process billions of data points and instantly transform them into personal connections for its users, somehow not make the connection that electoral ads paid for in rubles were coming from Russia? Those are two data points! American political ads and Russian money: rubles. How could you not connect those two dots?
Facebook, Google, and Twitter reacted to the threat of regulation in this space by publicly supporting the bill and creating their own databases without the measure being signed into law. Still, campaigns don’t need to follow the same advertising rules online that they do over broadcast, kicking off fresh discussions in Congress (and among the campaigns themselves) over what politicians can and cannot say in digital ads.
In February, Rep. David Cicilline (D-RI), chairman of the Judiciary Committee’s panel investigating platforms for anti-competitive behavior, said he would be introducing his own bill that would amend Section 230 of the Communications Decency Act in a way that opens platforms up to liability for running political ads that make false claims. The bill has yet to be introduced, but it has the potential to open up an entirely new discussion over how platforms should be held accountable for their ads practices ahead of the 2020 election.
After McCain died, Sen. Lindsey Graham (R-SC) took the helm as the sole Republican sponsor of the Senate version of the Honest Ads Act. Senate Majority Leader Mitch McConnell (R-KY) hasn’t shown any interest in pushing this legislation forward, but it could make moves under new leadership.
The bills we’re watching:
- H.R. 2592/S. 1356 - Honest Ads Act: Introduced in the House and Senate
Deception and interoperability
Sen. Mark Warner (D-VA) has spearheaded a handful of efforts to get other lawmakers talking about tech regulation over the past few years, including measures that ensure platforms aren’t designed in deceptive or anti-competitive ways. In April 2019, Warner sponsored the DETOUR Act with Sen. Deb Fischer (R-NE) to target so-called “dark patterns” — deceptive practices used to convince users to engage with them in ways that benefit the company. For example, if a platform asked you for permission to track your location, the “yes” button could be green and the “no” button could be red.
“Our goal is simple: to instill a little transparency in what remains a very opaque market and ensure that consumers are able to make more informed choices about how and when to share their personal information,” Warner said last year.
Aside from Warner and Fischer, Sen. Josh Hawley (R-MO) has sponsored legislation that would ban potentially addictive features like Snapchat streaks that incentivize users to spend more time on their platforms. Hawley’s SMART Act would authorize the FTC and Health and Human Services to create rules around these features, ensuring that they are safe for users. Those rules would expire after three years, but they could give Congress a good idea of what regulations they should codify into law later.
Rules governing design are something that could quell concerns lawmakers have over anti-competitive behavior, too. Warner’s ACCESS Act would, if approved, require big tech companies like Facebook and Google to build more open APIs that allow data sharing with smaller competitors. It would force these companies to maintain interfaces that facilitate the “secure transfer of user data” to users and competing services.
By regulating design, lawmakers could halt anti-competitive and deceptive behaviors before the start and help smaller players emerge into significant competitors, too.