California Gov. Gavin Newsom signed a landmark bill into law last week, forcing large internet companies like Facebook to make their sites safer for children. Aside from sparking irritation in tech circles, it has put a spotlight on an area where states are making greater headway than Congress: passing laws to regulate the freewheeling dominance of Big Tech firms.
Rallying against Big Tech is that rare issue both Republicans and Democrats can agree on, yet several federal proposals with bipartisan support have stalled in Washington, including a comprehensive privacy bill and an antitrust package that will probably be mothballed next year amid a likely GOP majority in the House. When it comes to policing Big Tech, Congress is essentially gridlocked. The real action is happening at the state level.
Texas and Florida have been trying to push through new social media laws, currently tangled up in the courts with the possibility now of a Supreme Court ruling. Both seek to stop companies such as Facebook and Twitter from blocking certain types of political speech — which will likely do more to appeal to their Republican bases than to adequately clean up harmful online content. Even so, like California’s new rules, they underscore the growing importance of state-level firepower in regulating tech. With Congress doing so little, more state legislators should try to pick up the slack and pass sorely needed legislation that addresses infringements of privacy, online harms and market abuse by these firms.
Doing so would take a cue from Big Tech’s own playbook.
For years, industry lobbyists have targeted state lawmakers to quietly push for watered-down privacy laws, shrewdly preempting tougher policies that might threaten their business models by forcing changes to their ad or data-collection practices.
Privacy laws recently passed in Virginia, Utah and Colorado, along with similar bills under consideration in another 22 states, lack any real enforcement power. That’s because technology firms themselves have been instigating or advising on the legislation.
Amazon.com, for instance, fed Virginia lawmakers the initial text of a bill that became that state’s privacy law. “Amazon gave us the first cut of a draft to look at,” Democratic Virginia state Sen. David Marsden told Protocol recently.
A powerful tech industry group known as the State Privacy and Security Coalition (SPSC), whose members include Facebook parent Meta Platforms Inc., Alphabet Inc. and Amazon, has also offered state lawmakers “substantive expertise” and advice on privacy legislation. One lobbyist with the group helped Utah Republican state Sen. Kirk Cullimore add substitute language to his state’s privacy bill, according to the minutes of a February 2022 hearing.
Bizarrely, the current best effort at protecting consumer privacy has come from a large tech company. Apple’s App Tracking Transparency pop-up, introduced to iPhones globally last year, has done more than any law to curb targeted advertisers on our phones, knocking an estimated $14 billion off Facebook’s ad sales this year alone (and improving Apple’s business in the process).
California offers a helpful template. Its own privacy law, which was rolled out in 2020, became a de facto U.S. standard because tech companies realized it would be easier to follow its rules universally rather than weed out California users.
The same could happen with the state’s new Age Appropriate Design Code. It forces internet firms to redesign their websites or algorithms if they infringe on the privacy of under 18s or expose them to harmful content, and is tougher than the British rules it is based on.
Facebook, for instance, has been accused of continuing to surveil teens for ad targeting even after saying it wouldn’t under the new U.K. rules protecting kids. It’ll be harder to get away with that under California’s law. The state’s attorney general can pursue penalties of as much as $7,500 for every minor affected by a company that breaks the legislation.
Tougher state rules aimed at the tech industry wouldn’t just create national momentum for finally passing federal laws; they might also compel tech companies to be more accepting of federal regulation, seeing it as a more palatable alternative to a confusing patchwork of state directives. And once Congress eventually standardizes something, even if it’s a few years down the line, there would be less risk that certain regulations could be watered down. The federal laws would be more powerful.
Oddly, groups campaigning for better privacy or online protections haven’t been lobbying state houses at anywhere near the same level as tech companies, according to Jesse Lehrich, co-founder of Accountable Tech, a civic group pushing for stronger regulation of social media firms. “I’ve been a little bit surprised because I haven’t heard many of our allies getting serious about mapping out where there may be opportunities,” he said.
That could be a missed chance for advocacy groups. California has shown that states can accomplish far more than Congress at tackling Big Tech’s dominance. Federal laws trying to do the same look near-impossible next year. States could make a necessary difference, and they should.