Will Google+ be the final push Congress needs to pass restrictions on data use?

Congress held a hearing a few weeks ago in response to news that Google kept secret a flaw that exposed private user data on its Google+ platform. Almost 500,000 users’ non-public profile data, including names, email addresses, birth dates, photos and other personal information was potentially exposed to over 400 apps and their developers.

Because there is no evidence that the data was actually taken or used improperly, Google may have no legal liability or obligation to have disclosed the vulnerability. Data breach laws as written today do not kick in until there is an actual “breach” involving an unauthorized acquisition of the data.

However, the Wall Street Journal reported that Google deliberately hid the problem from the public in order to avoid the type of bad publicity Facebook was getting from its Cambridge Analytica data breach. U.S. Senators at the hearing appeared to be troubled both by the legal loophole protecting Google from disclosure and with Google’s calculated decision to keep secrets.

Setting the stage for real movement

Following the scathing reaction to Facebook’s privacy hearings, the latest revelations about Google may finally set the stage for real movement in federal privacy legislation. “It is increasingly clear that industry self-regulation in this area is not sufficient,” said Republican committee chair Sen. John Thune.

Privacy legislation isn’t new. It just hasn’t gotten far in Congress with past efforts stalling or ending with rather weak calls for further study. But with bipartisan support, that could change. Earlier this year, two privacy bills with differing degrees of regulation were introduced affecting policy around how data is collected and used, consumers’ right of access to that information, and disclosure requirements. More recently, Senator Ron Wyden (D-OR) released a draft of federal privacy legislation that would impose harsh penalties on senior executives of companies that misuse consumer data.

In addition to the above series of events, one other factor may provide the momentum for federal privacy bills to gain real traction. California has been rolling out new privacy laws like Hollywood pumps out Marvel movies. This summer, the legislature passed the California Consumer Privacy Act of 2018 which was pushed through rapidly in lieu of a privacy ballot initiative. The Act is by far the nation’s strongest privacy legislation to date and specifically regulates data commonly associated with marketing such as browsing history, search history and any information about how a user interacts with a website, application or ad.

At the end of last month, California also passed a first of its kind privacy legislation affecting the internet of things (IoT) mandating “reasonable security features.” While both privacy activists and opponents criticize the bill for flaws, the law breaks new ground on the reach of privacy regulation in the U.S.

That same week, Gov. Jerry Brown also signed a bill guaranteeing net neutrality for Californians, in direct conflict with the FCC’s decision to repeal regulations over net neutrality, competition and privacy. While not a direct rule on privacy, the subject of net neutrality is intertwined with that of online privacy.

The impact on the industry

These bills, and the promise of more, pose serious business risk to large internet companies such as Google, Facebook Microsoft and IBM, even after they’ve had to make adjustments to accommodate Europe’s GDPR. The prospect of having to navigate increasingly stringent and complex privacy laws on a piecemeal state-by-state basis is driving the larger players to consider compromise and uniform solutions.

These internet and technology leaders are now lobbying for federal privacy regulation. It’s no real secret that the goal would be to (1) create one uniform law that would preempt the California law and any piecemeal state legislation and (2) draft rules that are less restrictive than what California has now.

Regardless of the outcome, one thing is clear. We can expect changes in access to the data critical to making targeted advertising solutions so effective and driving so much innovation in the marketing space. Changes in privacy laws potentially will affect all of the following:

• The cost of collecting data.
• Who controls the data.
• What kind of data can be used.
• How data can be used.
• Characteristics of data such as completeness, precision and volume.
• Liability associated with using data.

When these changes will be necessary is yet to be seen, but it is no longer a matter of if, but when, it will happen.

And in an ironic twist, the heavier regulation will likely make it harder for the little guy, for the small and mid-sized agencies and for local businesses, so larger players will end up with a competitive advantage. Maybe that’s one more reason to expect the push for regulation.