No one in the tech industry wants to deal with a patchwork of state privacy laws regulating their industry, but companies that don’t collect large amounts of consumer information and sell or share it — the “good actors” — also don’t want a new federal privacy law that lumps them in with “bad actors” like Google and Facebook.
The Wikimedia Foundation, for example, filed comments with the National Telecommunications and Information Administration (NTIA) asking for a privacy law that is “reasonable” and “proportional.”
The foundation — a nonprofit that hosts information websites like Wikipedia, Wikimedia Commons, Wiktionary, Wikibooks, Wikisource and others — collects very little information on its users and requires its editors to use pseudonyms to protect their personal identity and information.
Unlike Google, “these important protections mean that we hold a unique place as one of the few large internet platforms that do not rely on tracking or sale of user data to generate revenue,” the foundation stated in its filing.
The foundation believes it is important for a federal privacy law to preempt a patchwork of state laws because dealing with 50 different privacy laws is exceedingly difficult for smaller companies and nonprofits.
The foundation also wants any new NTIA regulations to be both “flexible” and “proportional,” and has expressed concerns that the former might trump the latter.
“Flexibility in a regulation ensures that everyone has the ability to address privacy concerns in a way that is most intuitive to them,” the foundation states. “This is an important goal and should remain in the NTIA’s framework. However, proportionality in a regulation ensures that the burdens are not equally placed on every actor, despite vast differences in their operations.”
The Wikimedia Foundation’s priority is a federal privacy law that is reasonable and proportional so that it doesn’t burden tech companies of different types and sizes.
“We strongly believe that the goal should not only be ‘reasonable’ minimization [of data collected], but simply ‘minimization,’” the foundation states. “After all, minimization does not mean that no data must be collected, but that what is collected is as little as possible. At the Wikimedia Foundation, we intentionally minimize the data we collect on users in order to encourage free and open participation on our projects.”
The foundation’s point is that what is a “minimization” of data collection for the Wikimedia Foundation may look very different from what is a “minimization” of data collection for Google.
“I think it comes down to context,” SiteLock’s Research Security Analyst Jessica Ortega told InsideSources. “Transparency could mean something really different for Google. For a company like Wikimedia, transparency could mean an email or a public link to all their records sent out to all their customers.”
One way to fulfill the foundation’s wish for proportionality is to create a privacy law with purposefully vague language, Ortega said.
But a vague law could let the bad actors off the hook and fail to adequately protect consumers. While a more specific law could better protect consumers, it could also stifle innovation and hurt companies like the Wikimedia Foundation.
“It’s not inherently bad for consumers, because it could mean stronger security measures, but it could also become weaker security measures,” Ortega said. “So there’s definitely a case for being more specific, but when you make it more specific you lose innovation.”
Roslyn Layton, a visiting scholar at the American Enterprise Institute (AEI) specializing in tech policy, told InsideSources that there are ways to ensure the kind of proportionality the Wikimedia Foundation wants in a privacy law while still cracking down on the bad actors like Google and Facebook.
“One way is a safe harbor,” Layton said. “If you have a checklist and do a certain set of things, then you shouldn’t worry about the law coming after you. A safe harbor could address that proportionality issue. When they do enforcements and look at antitrust issues, the Federal Trade Commission (FTC) takes this perspective: if you are 0.001% of the marketplace, they’re not going to look at you. You need to have a sizable impact on the market.”
Because bad actors like Google and Facebook are the reason for privacy talks, formulating a law to address their vices while being fair to good actors will be a substantial challenge for Congress.
“On the one hand you want a comprehensive approach but not comprehensive enforcement,” Layton said. “If in fact you only want to go after the big players, then why do you want comprehensive legislation?”