Lawmakers issue ultimatum to tech platforms over data privacy

WASHINGTON — For years Congress has held dozens of hearings aiming to enact laws on data privacy and kids’ online safety, and to curb the freewheeling collection and sale of Americans’ data without enacting any substantial legislation.

The frustration is showing.

Two House lawmakers, who direct blame squarely at tech companies, are proposing to eliminate part of U.S. law that has enabled tech and social media platforms to thrive by shielding them from liability for user-generated content.

“Work with Congress to ensure the internet is a safe, healthy place for good, or lose Section 230 protections entirely,” Reps. Cathy McMorris Rodgers, R-Wash., and Frank Pallone Jr., D-N.J., the chair and the ranking member of the House Energy and Commerce Committee, said Sunday in an op-ed, unveiling legislation that would end the Section 230 protections.

That refers to a provision in U.S. law that shields online companies from lawsuits relating to content produced by individual users.

“These blanket protections have resulted in tech firms operating without transparency or accountability for how they manage their platforms,” Rodgers and Pallone wrote in The Wall Street Journal. “This means that a social-media company, for example, can’t easily be held responsible if it promotes, amplifies or makes money from posts selling drugs, illegal weapons or other illicit content. As long as the status quo prevails, these companies will keep putting profit ahead of the health of our society and youth.”

Proponents of Section 230, including Sen. Ron Wyden, D-Ore., one of the authors of the original provision, have argued that eliminating it would chill online speech and would lead to social media companies censoring messages, for example, from women who have faced sexual harassment posting under the #MeToo movement, or posts by Black Americans about police violence.

Tech groups were quickly on the offensive.

“This isn’t a serious discussion about Section 230,” Adam Kovacevich, CEO of Chamber of Progress, a tech group that represents Amazon.com Inc., Apple Inc., Google LLC, Meta Platforms Inc. and others, said in a statement about the Rodgers-Pallone proposal. “It’s holding Section 230 hostage without any replacement on the table.”

The protections offered by the section are not as broad as companies claim, according to the Electronic Privacy Information Center, or EPIC, a non-profit online privacy advocacy group. Nor is the provision intended to be a stand-in for online free speech and innovation, Megan Iorio and Tom McBrien, lawyers for EPIC, wrote in a recent blog.

The provision “was meant to accomplish a very limited purpose: preventing lawsuits that would force internet companies to either screen for and block all illegal content, or to not moderate their platforms at all,” Iorio and McBrien wrote. “This limited purpose protects free speech online; an overbroad interpretation of Section 230 is a license for internet companies to act with impunity, removing an important incentive to design safe products and comply with generally applicable laws.”

The Rodgers-Pallone proposal to eliminate these protections comes as the lawmakers try to advance federal data privacy legislation following years of futility. A measure backed by the pair in 2022 was approved by the House Energy and Commerce Committee but failed to get a floor vote after then-House Speaker Nancy Pelosi, D-Calif., opposed it, saying it would provide fewer consumer protections than California’s data privacy law.

In April, Rodgers joined with Sen. Maria Cantwell, D-Wash., chair of the Senate Commerce Committee, to unveil a draft proposal that would create a federal data privacy standard. Formal language hasn’t been introduced and the proposal has yet to garner widespread backing from other lawmakers.

Among the key provisions of the Cantwell-Rodgers bill is a preemption of state privacy laws, giving users the right to sue companies, and the imposition of data minimization requirements, all of which are still points of friction between Congress and the sector.

The U.S. Chamber of Commerce, the largest business group in the nation, already has raised a host of objections to the Rodgers-Cantwell proposal, including that data minimization component would hurt online sales by allowing consumers to opt out of targeted advertising.

While Congress has been debating, more than a dozen states have enacted data privacy laws.

Two of them — Maryland and Vermont — included language on data minimization, said Caitriona Fitzgerald, deputy director at EPIC. Maryland’s was signed into law last week and Vermont’s is awaiting the governor’s signature.

Any measure that Congress passes as a national standard, therefore, cannot be lower than what states have set on data minimization, Fitzgerald said in an interview.

Stopping digital tracking

The goal of data minimization is to allow collection of information for limited purposes only and to prohibit the transfer of sensitive covered data to third parties without the express consent of consumers.

Online companies now “track our every movement online to build these really deep profiles about us to make inferences about us and that shouldn’t be allowed to continue,” Fitzgerald said. “With good privacy laws, advertisers are going to have to figure out a way to innovate and provide businesses with a way to advertise that doesn’t involve tracking everyone’s movements.”

Reducing the amount of data that companies collect would also minimize the harm that Americans suffer when that data is stolen or lost, Sen. John Hickenlooper, D-Colo., said at a hearing May 8 on data privacy.

“Minimization and security are obviously interconnected, interrelated together,” said Hickenlooper, chair of the Senate Commerce Subcommittee on Consumer Protection, Product Safety and Data Security.

Thousands of data breach incidents occur each year including at an estimated 10 percent of publicly traded U.S. companies, Hickenlooper said.

“If you want to reduce the number of victims, you have to reduce the number of crimes and the way you reduce the number of crimes is to reduce the supply of information,” James Everett Lee, chief operating officer of California-based Identity Theft Resource Center, said in an interview. “And you have to do that by improving security itself but you also have to reduce the amount of data that is actually available. And that’s what data minimization is about.”

Data minimization principles put the onus on companies collecting the data to determine what data on their users is essential to complete a transaction or do business, as opposed to putting the responsibility on users who are routinely asked to consent to data collection.

Testifying before the Senate Commerce subcommittee Lee told lawmakers that companies should not collect information on consumers that is not needed to complete a transaction.

If companies need certain data to complete transactions, then “delete it as soon as the transaction is completed unless you are required to keep it. If you must keep the information, make sure it is secure and encrypted,” Lee testified.

Threats to eliminate the tech shield law to gain concessions in other areas, however, haven’t worked in the past.

In the 116th Congress, Sen. Lindsey Graham, R-S.C., introduced a measure backed by Sen. Richard Blumenthal, D-Conn., with support from members of both parties that would’ve stripped social media companies of their Section 230 immunity if they did not comply with content moderation best practices set by a group of government officials.

Graham reintroduced the legislation in December 2020 and in May 2023 said if Congress “cannot pass a law or series of laws to protect the American consumer, then it’s time to open up the American courtrooms as a way to protect consumers against abuse from the social media companies.”