Big Tech: What They Say vs. What They Do

This post is authored by Matthew Bonner, a third-year student at Drexel University’s Thomas R. Kline School of Law. Mr. Bonner is a legal intern with the XPAN Law Group.

In the wake of the GDPR’s enactment, various leaders within the tech industry responded to calls for data privacy regulation in the United States. In October 2018, the CEO of Apple, Tim Cook, gave a keynote address to the European Parliament regarding the company’s stance on data privacy. Channeling Eisenhower, Cook warned of the “data-industrial complex” profiting off the personal data of individuals, and affirmed Apple’s support of a “comprehensive federal privacy law in the United States.” Cook’s words, however, appear to conflict with Apple’s own privacy policy regarding the collection of data.

On its face, you could argue that Apple’s current privacy policy does not exactly conform with the GDPR for several reasons. First, Article 12 of the GDPR requires controllers to clearly and concisely present information concerning data subjects’ rights. As Jefferson Graham of USA Today points out, the requisite information to complete a personal data access request from Apple lies buried in their over 3,000 word privacy policy. Additionally, you could argue that its cookie policy belies Apple’s supposed commitment to the GDPR because of its presentation of users’ right to object to marketing data. Article 21 of the GDPR provides protection to data subjects against entities seeking to collect data for the purpose of direct marketing. In accordance with the regulation, information about an individual’s right to object to marketing data must exist clearly and separately from any other information. What constitutes “clear and separate” presentation of the information remains unclear. Only further guidance will clarify whether Apple’s one sentence mentioning its use of cookie data for advertising purposes complies with the GDPR. Further, Apple, like Google in the recent CNIL fine, may run afoul of the consent requirements (specific to cookie data) because it appears to only provide an “opt-out” option rather than an “opt-in” to collection.

Similarly, on March 30, 2019, Mark Zuckerberg, the CEO of Facebook, shared a few ideas that seemed to indicate a commitment to a GDPR-like law in the United States. Zuckerberg spoke positively of granting individuals more control over their data. He highlighted the importance of data portability (a right enumerated in Art. 20 of the GDPR), and even expressed an agreement with sanctions for data privacy violations. Noticeably, Mr. Zuckerberg tempered his suggestion for increased user control with exceptions “enabling companies to use information for safety purposes and to provide services.” This caveat is particularly conspicuous in light of Facebook’s recent Cambridge Analytica scandal, which affected the data of millions of its users. Facebook’s appeals to increased accountability in the tech industry also seem puzzling considering its own history with the FTC.

Big Tech’s push for increased data privacy may leave many pondering the details of such a regulation, and the Washington Data Privacy Act may shed some light on those questions. The Washington Data Privacy Act is the newest of a patchwork of state privacy laws emerging around the country. It passed the State Senate nearly unanimously in March 2019. This Act may become the most influential legislation in the country because it will set the standard for two massive in-state tech companies: Amazon and Microsoft. In a hearing about the upcoming legislation, Microsoft sent its general counsel, Julie Brill, to announce the company’s major support of the Act. The head of the Washington American Civil Liberties Union, Shankar Narayan, decried the ineffectiveness of the Act and stated only the “most egregious conduct” would violate the law, and that the many exceptions written into the Act would thwart enforcement. Privacy advocates also highlight the fact that in §14(5) of the Act, the only consent requirement for utilizing facial recognition software is “conspicuous notice.” In other words, there is no consent requirement. Narayan alleges that the Act’s lenient provisions on facial recognition are a result of lobbying efforts from Microsoft and Amazon.

The current discourse regarding a federal data privacy law does certainly suggest that a regulation is on the horizon. However, only time will tell whether an American regulation will provide robust consumer protection, or leave many exceptions for data controllers to escape accountability for poor data management practices. Big Tech’s apparent embrace of data privacy may seem encouraging, but industry practices also provide useful information about America’s regulatory future.


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic data discovery, you should consult a licensed attorney in your jurisdiction.