K Street is going on a lobbying blitz as lawmakers begin work on drafting the first federal privacy bill, a high-stakes debate for the tech industry.
Lawmakers are still in the early stages, but lobbyists and tech groups are already busy trying to sway a complicated debate – and prepare clients for the massive changes ahead.
The nation's first federal data regulations and consumer privacy law will shake up the entire tech landscape, affecting both big tech giants and young startups, and how those companies operate.
"I think the top concern among our clients, both bigger companies and the smaller startups, is that depending on how privacy legislation is drafted, it can affect their business models pretty dramatically," Greta Joynes, Brownstein senior policy advisor and a leader in the firm's privacy practice, told The Hill.
A wave of controversies, headlined by the Cambridge Analytica scandal and a slew of massive hacks, has put the spotlight on data privacy issues, with lawmakers hauling top executives before Congress for answers.
That scrutiny has tech companies beefing up their lobbying presence.
Google, the Alphabet Inc. subsidiary, spent over $21.2 million on lobbying in 2018 and had 26 firms on retainer, a jump from the $15.4 million spent on 23 firms in 2016.
Amazon has been increasing its D.C. presence, a trend likely to continue with its second headquarters coming to northern Virginia. The company spent $14.4 million on lobbying in 2018, with 16 firms on retainer. The company notably has hired major players (Akin Gump, Brownstein and Squire Patton Boggs, among others) beginning in 2012, when it spent $2.5 million on lobbying.
In 2018, Facebook spent over $12.6 million on lobbying expenditures and had 13 firms on retainer, a big increase from 2016 when it spent just under $8.7 million on six firms.
Congress, though, is largely playing catch-up on data issues. Overseas, the European Union began its sweeping General Data Protection Regulation (GDPR) last year, with heavy fines for companies that fail to comply. And in the U.S., California passed a privacy bill that takes effect in 2020, the first of its kind in the U.S.
Those moves have added urgency to efforts on a federal privacy law, with industry groups seeking a nationwide standard, and privacy advocates worried Congress will undercut tougher state laws.
Congress is grappling with a number of thorny issues, from whether to allow states to craft their own rules to how far regulators should go to restrict companies' use of data.
"We are certainly encouraging clients to reach out to stakeholders early on in this process as opposed to responding to a bill later in the process because the impacts could be really broad," Joynes added.
But the contentious issues at play could also divide tech companies.
For starters, there's a stark split between what tech industry giants will accept in a privacy bill and what smaller firms are seeking. So far, tech giants, backed by their massive lobbying teams, have been taking the lead in the debate.
"For the companies that are just starting to invest in policy and advocacy, with less resources, they have less people and less time and energy to focus on it. With the larger companies, they're making a larger investment with policy," Craig Albright, vice president of legislative strategy at BSA, told The Hill.
Those representing startups and smaller firms worry companies like Google and Facebook will set the tone for regulations. Those larger companies would have an advantage complying with new rules. Many are already dealing with GDPR in Europe. A law with tough restrictions on the use of consumer data could also hamper younger competitors.
Others counter that the largest online companies have the most at stake.
"What sort of investment do you have to make in compliance?" Joynes said. "It's a different level of impact for a smaller company than for one of the big tech players."
Preparing a diverse range of companies for new data rules will also be a challenge for tech groups.
Albright said BSA, which represents enterprise software companies including Microsoft, IBM, Oracle and Apple, as well as pre-IPO companies, is making sure it is "catering to the needs of individual companies to help them prepare for this legislation."
A key focus for smaller tech companies is ensuring that any data law doesn't impede innovation, John Hayes, the chief technology officer and co-founder of BlackRidge Technologies, which develops cybersecurity products, told The Hill.
"As legislators are trying to make policy and draft legislation, they just need to be careful that that legislation doesn't actually preclude new technology developments," he said. "The real challenge the federal government faces is: how do you balance getting what you need and managing and allowing true innovation to occur."
Giving those smaller companies a voice in the debate is a priority for many.
"Congressional offices appreciate hearing the perspective of smaller, innovative tech companies after hearing from large tech companies on a constant basis," Craig Saperstein, a partner at Pillsbury, told The Hill. "These smaller companies offer a different perspective to members that's beneficial to them."
One of the biggest questions for lawmakers is whether to allow states like California to enforce their own rules. Critics say the California law was poorly drafted, leaving tech companies with questions on how to implement it.
"There are a lot of concerns about the California law, broadly, and what that potentially means for different industries varies kind of across the spectrum," Joynes said.
The tech industry and Republicans back a lone federal standard with preemption, language that would override state measures. They say it is necessary to avoid a patchwork of state rules that companies must comply with.
But Democrats are facing pressure from consumer and privacy advocates who worry a federal standard could be weaker than the California law.
"It is entirely possible that what happens is weaker than stronger state laws and that would be very worrying for privacy advocates in this space. We're watching what happens in California and Illinois and other states and I don't think people are going to accept a weaker standard that preempts those good laws out of Congress," Gaurav Laroia, policy counsel at the advocacy group Free Press, told The Hill.
He worried that lawmakers are focusing on preemption at such an early stage, calling it "a not very subtle way to force deregulation at the state level."
But even within the tech world, there are questions about the impact of a broad federal bill.
"You see a lot of rhetoric, especially from Republicans, worried about this issue that a one-size-fits-all federal standard might disadvantage innovators and small businesses," said Stewart Verdery, CEO and founder of Monument Advocacy. His group represents companies including Microsoft, Amazon, and Netflix, and organizations like the Identification Technology Association, Entertainment Software Association and TechNet.
"Larger companies having gone through the GDPR exercise are more comfortable with a federal solution so long as it is a national standard," Verdery added.
The tough issues at stake and differing viewpoints ensure a busy role for K Street.
Critics of the California law say state legislators rushed through their debate, drafting a law that left many questions. Joynes said K Street is working to ensure Congress avoids similar missteps.
"I think there are a lot of people who understand the need, both politically and practically, for privacy legislation," she told The Hill.
"But I think the hope would be at the federal level is we'd have a more deliberative process than we saw develop in California."