Facebook has faced plenty of complaints in the last year about its handling of hot-button issues, including political disinformation, hate speech, ideological bias, and consumer privacy. It’s not surprising, then, that Facebook now faces renewed whispers of federal regulation.
While many of the criticisms of Facebook are ideologically polarizing, privacy protection appears to have picked up some bipartisan steam. But policymakers should pause before rushing to regulate. Data privacy legislation could be far from a lump of coal for the controversial company. On the contrary, it could be the best Christmas present Mark Zuckerberg could ask for.
Congress would not be passing data privacy legislation in a vacuum. Earlier this year, California passed a law called the California Consumer Privacy Act (CCPA). The legislation is similar to the EU’s contentious data privacy law, the General Data Protection Regulation (GDPR), in spirit and effect, although the CCPA is a bit weaker.
Critics find several flaws with the CCPA. Like the GDPR, it is vague and expansive. Depending on how it is interpreted, it could apply equally to the well-lawyered Facebooks and the well-meaning but under-staffed mom and pops with a web presence. It is also expensive, and it could put the kibosh on popular consumer perks and services, such as rewards programs and free platform options.
Both data privacy laws present an interesting political economy quirk. Large firms like Facebook are the best positioned to cope with the costs of expansive regulation, as Adam Thierer has pointed out. They, therefore, benefit from reduced competition. At the same time, large firms would rather not suffer the compliance headache, even though they ultimately benefit. So they will often champion an alternative regulation that imposes fewer costs on them (while perhaps still handicapping the competition).
This seems to be the case with the push to regulate Facebook. National Journal’s Brendan Bordelon points out that Facebook and other tech giants support the federal data privacy efforts.
Industry heavyweights have two goals. First, they hope federal rules will override and replace the CCPA. Federal legislation could also preempt efforts by states, thereby preventing an onerous patchwork of fees and rules. Second, and perhaps more importantly, Facebook and others hope to have a seat at the table while crafting the rules. This way, Facebook can get good PR for “supporting privacy legislation” while ensuring that the rules are to its utmost benefit.
While Facebook’s strategy might seem unusual, it is actually a practice as old as the modern administrative state. Called “regulatory capture,” this tactic has been observed in supposedly independent agencies like the FDA and the Federal Reserve.
There are a number of ways that legislation, a regulation, or a regulatory agency can be “captured.” Companies like Facebook can lobby for favorable laws in Congress, where legislators and their staffs are often forced to rely on industry experts for their technical knowledge. Further, once regulatory fervor dies down, the regulated companies are often the most important actors that still care to push for certain rule changes.
Seemingly benign regulations can also serve industries. Tyler Cowen made this point in his discussion with economist Luigi Zingales on whether Facebook and Google are monopolies. Cowen argues,
“Imagine there is a new virtual-reality social network that cannot interchange with Facebook or LinkedIn because it’s an entirely different medium. The way the old regulations are written won’t pick up the new dynamic properties of the new sector and it will be held back. It will be stifled. The regulations will end up cementing in whatever market power Google and Facebook had.”
Congress has yet to converge upon a particular data protection bill. Industry groups have so far promoted voluntary standards and transparency practices as a federal alternative to GDPR-style state rules.
From the standpoint of permissionless innovation, that path is far superior. A transparency standards-based approach could provide consumers with more data use oversight. This approach would not kill investment and new services, as the GDPR has in Europe. Since many companies express doubt that compliance with the CCPA will even be possible by the January 2020 deadline, federal preemption would likely provide welcome relief. And most importantly, it could alleviate the extreme burden on small businesses.
It would also lessen the risk of regulatory capture since firms are most motivated and able to capture regulatory schemes that are heavy-handed and complex.
The final form of the bill could end up mostly benefiting the big guys, depending on how much influence they bring to the drafting table. This could take the form of locking in current policies that limit competition or introducing new barriers to entry, as Cowen pointed out. The rules may be less onerous than the CCPA, and therefore amenable to Facebook and the like, but they can still be insurmountable for smaller startups.
Ideally, any federal legislation that results will be a true standards-based system that provides consumers with the information and transparency they desire. Real, demonstrated harms, when they do arise, can be addressed in a post-hoc, restitutionary manner. This kind of arrangement guards against poor stewardship and promotes best practices. Best of all, it does not impose expensive barriers for new market entrants.
There is much animus against technology today. Facebook, in particular, is a salient bogeyman. Both parties have reasons to castigate the company, and politicians may find the prospect of legislatively flogging the social media platform irresistible in this time of gridlock.
This rush to regulate, combined with the possibility of industry political maneuvering, could be a policy disaster waiting to happen. Let’s not allow our hot heads to promulgate policies that end up backfiring.