Thanks to the California Delete Act, the US may be on track to having better safeguards for its citizens’ data privacy. But with Washington DC having to face down aggressive big tech lobbying, a top-down solution at federal level still looks far away.
That’s the impression I came away with after speaking to Tom Kemp, who contributed to the landmark state legislation passed earlier this month and recently published his book Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy.
“The best situation is to have a very robust federal privacy law,” says Kemp. “But it's very difficult in a dysfunctional Washington DC. And then you roll on the whole lobby efforts as well. So the best thing you can do is try at the state level.”
When I press him on the point that, eventually, some kind of federal legislation will be needed to tackle big tech monopolies like Meta and their rampant exploitation of the American public’s data, Kemp remains unconvinced.
“What makes you think that?” he asks. “The US does not have a federal data breach notification law – the first one was in the ‘90s, in California. The last major piece of legislation was not even privacy-centric, but it involved privacy in the US, and that was in the ‘90s with HIPAA and Gramm-Leach.” He’s referring to the federal laws that protect medical and financial data respectively, but as he points out, “that privacy stuff is only sector-specific.”
"The best situation is to have a very robust federal privacy law. But it's very difficult in a dysfunctional Washington DC."Tom Kemp, advisor to the California Delete Act and advocate of state-driven legislation to better safeguard American internet users' data
On the other hand, Kemp believes that state laws, like the Delete Act and the 2018 California Consumer Privacy Act (CCPA) it was designed to augment, could create a welcome ‘domino effect’ that sees the US gradually implement a stronger data privacy regime to protect its citizens from online abuses.
So far, a dozen states, including California, have passed data privacy laws like the CCPA – although the right to have a one-stop shop for deleting data is a privilege that only Californians currently enjoy. Kemp, however, is hopeful.
“The fact that more and more states sign on may reach a critical tipping point,” he muses, although he is cautious in his optimism. “Sure, it may increase the likelihood, but you can't say: ‘it will happen.’ Yeah, we're up to 12 states – but if you look at the data breach notification law, it took 15 years between California and Alabama and Mississippi. And we still don't have a national data breach notification law.”
Getting around the lobbyists
As Kemp says, much of Capitol Hill’s legislative problems are bound up with the lobbying system, which allows large corporations to exercise what many regard as undue influence over the tabling of laws in Congress. As he points out in his book, four of the five big tech firms – Microsoft, Amazon, Meta, Apple, and Google – are valued at more than $1 trillion each: in other words, they have buckets of money to spend on buying support from politicians. This in turn ensures that the likes of Facebook remain deregulated and therefore can continue to profit freely from user data.
However, the lobbying system was effectively bypassed in Kemp’s native California, which has a parallel system for tabling legislation that entails approaching the local electorate directly with proposed new laws. That enabled the California Privacy Rights Act (CPRA) to be entered on the statute books in 2020, which again amended the CCPA and established a dedicated agency to enforce it.
“Even though there are a lot of lobbyists in California, there are opportunities to get laws passed,” he says. “The CPRA went directly to the voters through the proposition system. We call it the California effect, that California is very progressive as relates to consumer protection.”
"Even though there are a lot of lobbyists in California, there are opportunities to get laws passed. The CPRA went directly to the voters through the proposition system. We call it the California effect."Kemp on how state-level legal provisions helped to bypass powerful tech lobby groups
Dobbs vs. California?
Last year’s decision by the Republican-dominated Supreme Court to overturn the landmark Roe vs. Wade ruling on women’s reproductive rights has pushed state lawmaking to the frontline of protecting human rights, and with that the struggle against big tech data-sharing has become more important than ever.
“In the face of the Dobbs decision [to overturn Roe vs. Wade] there's a heightened concern about weaponization of data vis a vis reproductive healthcare information,” says Kemp. And the dangers posed in this context by big tech firms, which have already been caught sharing data with the authorities about women seeking abortions in the US, is not lost on him.
“These are monopolies,” he says. “They don't want anything to change, and so you have to work around that. And in the US people are saying: ‘OK, if we can't get it at the federal level, let's see if we can get it at the California level.’ And that will have a ripple effect to other places as well.”
It appears to be paying dividends, in the Golden State at least. Data brokers, who legally hoover up our digital breadcrumbs to sell on to the highest bidder, are squarely targeted by the Delete Act, which aims to have the deletion portal up and running by 2026.
“Right now in California, there’s a registry where data brokers have to register, but you have to go to each and every data broker and make a request to get the data deleted from them,” Kemp clarifies. “It may take you 30 minutes per data broker, and there's over 500 registered. So if you just do the pure math, that would take you ten days.”
California’s data broker registry, inadequate as it was, is already streets ahead of most other states. “Right now in the US, there are four states where data brokers have to register. The first one was Vermont, then California, then Texas, and then Oregon.”
Kemp helped the Lone Star state to enact its own earlier this year. “There was a civic society group called Texas Appleseed, and they wanted to add some regulations to data brokers,” he recounts. “They contacted me and I worked as an advisor to them.” But despite his best efforts, he was unable to persuade Texan lawmakers to go one step further and establish a deletion portal. “We tried, but that was a bridge too far in Texas,” he adds.
Silicon Valley: data is a weapon
I can’t resist pointing out that it seems odd that a serial entrepreneur from Silicon Valley, who has invested in multiple tech startups, would be such an advocate for legislation that restricts the industry.
“I'm a Silicon Valley entrepreneur, I support innovation, full stop,” he insists. “But I also believe that privacy should be an inalienable right. Now in Europe, coming out of World War Two, you guys have that in your – quote-unquote – constitution. The right to privacy is not in the US Constitution.”
As well as seeding capital for startups, Kemp was at the helm of Centrify cybersecurity company from 2004 to 2019, an experience that he says opened his eyes to the pitfalls of unrestricted data collection.
"I'm a Silicon Valley entrepreneur, I support innovation, full stop. But I also believe that privacy should be an inalienable right. The right to privacy is not in the US Constitution."Kemp explains how America falls short of Europe in this aspect of human rights, leaving US citizens vulnerable to data exploitation
“Having been successful in being a cybersecurity executive, I saw the impact of large-scale hacks,” he tells me. “I saw the type of data being collected, and I'm like: ‘Jeez, you know, maybe we should have some basic rights over our personal data. We should have the right to know what's being collected, to say no to selling, to be forgotten and have that data deleted.’ You don't have to give away your privacy for commerce to happen.”
Left unchecked, what Kemp calls the “overcollection” of data could have far-reaching negative consequences, from the domestic abuse survivor who rightly wants to disappear off the grid but can’t, to the underprivileged citizen struggling to find a job or place to live.
Essentially, what he appears to be arguing is that the tools of commerce should never be repurposed as tools of exclusion or oppression: “For example, in the past you could say, ‘Boy, I really want to target single women with young children, because I want to sell them economically priced diapers.’ But that model of advertising could be used to exclude that person, say, from a rental property or a job opportunity. And the problem is only getting worse now that we're in a post abortion-rights America where this health data can be used against people.”
"In terms of size and revenue and also reach, Google, through its products, reaches over 4 billion people. That's half the world's population"Kemp on why even Standard Oil magnate John D. Rockefeller would have been astonished if he could see the power big tech companies wield today
Tech giants dwarf their predecessors
In his book, Kemp likens today’s big-five tech companies to bygone behemoths such as Standard Oil Company, which traded between 1870 and 1911 until it was broken up by a Supreme Court ruling that found it to be an illegal monopoly in violation of US fair competition laws.
But though Standard Oil was eventually brought down by federal lawmakers, it and the other early industry giants fell short of today’s tech titans in one key respect: not even they knew what you, the consumer, was up to, all the time. Unfortunately, politicians, including federal-level ones, are also consumers too. Chances are, they’re all online, and can therefore be tracked and even manipulated.
That’s disconcerting, to say the least, given the sheer scale that today’s tech titans operate on, something even Standard Oil founder John D. Rockefeller would have struggled to comprehend.
“In terms of size and revenue and also reach, Google, through its products, reaches over 4 billion people,” says Kemp. “That's half the world's population. Meta has 3 billion users.” He later asks: “If people have built business models to just continuously collect personal data, then should we give up our rights and our ability to control our data?”
“Bad actors have figured out ways to weaponize that,” he concludes, invoking the specter of former data mining company Cambridge Analytica, infamously hired by the Trump and Leave campaigns to influence the presidential elections and UK Brexit referendum in 2016.
Away from heavyweight politics, the intrusive power wielded by the likes of Google on a daily basis has made encroachment of our privacy seem almost mundane, banal.
It really shouldn’t be, Kemp insists: “Does the world economy depend on knowing if I'm typing on Google, ‘Do I have cancer or not?’ And it's being sold, right? Do they need to know my precise geolocation at all times? Because that could be used against you, by people that don't have your best interests in mind.”
Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy, by Tom Kemp, is available now from Amazon.
More from Cybernews:
Subscribe to our newsletter