Some U.S. technology companies have a simple solution to a raft of new laws that impact their businesses: fight them in court or interpret them in the best light possible.
Their approach is fraught with risk but may be their best option to cope with laws that could seriously undercut their profitability, if not lead to heavy fines and regulatory actions, say legal experts and Silicon Valley observers.
Large tech companies in particular are taking aggressive actions despite a climate of accelerating antitrust investigations of Apple Inc.
, Facebook Inc.
, Alphabet Inc.’s
, and Amazon.com Inc.
Many are mindful of the impact of the European Union’s General Data Protection Regulation, a precursor to California’s sweeping new privacy law, that prompted Oracle Corp.
, International Business Machines Corp.
and others to scale back operations in Europe.
“They have more at stake, more to lose,” Julian Baring, general manager of Americas for digital media advertising company Adform, told MarketWatch in a phone interview. “The pendulum swung back to the power of the consumer, and it started with the march of legislation of GDPR.”
The most vigorous response so far has come from Uber Technologies Inc.
and delivery startup Postmates who filed a lawsuit Dec. 30 in federal court in Los Angeles that seeks to declare unconstitutional a California law that could force the companies to consider their drivers as full-time employees instead of contractors.
The lawsuit contends Assembly Bill 5, which became law on Jan. 1, denies the two companies and two workers the “fundamental liberty to pursue their chosen work as independent service providers and technology companies in the on-demand economy.” AB 5 violates due process by infringing on this right, the lawsuit says.
Uber has suggested it will continue to classifying its drivers as independent contractors instead of employees despite the law, and that it may try to put a referendum on the 2020 ballot to exclude ride-hailing services like its own from the law.
The lawsuit is the latest salvo by gig-economy companies who claim AB 5 could eviscerate them by removing the flexibility their business models depend on.
The animus extends to non-tech businesses.
GEO Group Inc., a private prison firm that recently won multibillion-dollar contracts to run immigration detention centers in California, sued the state on Dec. 30. It claims Assembly Bill 32, which bars renewals of contracts with operators of private prisons beginning Jan. 1, is unconstitutional.
A legal strategy comes with high risk for larger companies. “If they choose to push back, they may open themselves up to legal action by law firms looking to test the fortitude of CCPA,” Mark Davies, vice president and client partner at IT services company Cognizant Technology Solutions Corp.
, told MarketWatch in an email.
While Uber and Postmates have taken a confrontational approach, Facebook Inc.
has interpreted its data gathering as in accordance with California’s new law, the California Consumer Privacy Act (CCPA), which isn’t expected to start enforcement until July.
The company said in a blog post last month it does not plan to change its web-tracking practices to adhere to CCPA as it claims its practices are in compliance with the new law restricting “sale” of user data.
Facebook has told advertisers it does not need to make changes because its web-tracking system, Pixel, is a business-to-business ad service that customers install for free and does so via an invisible pixel. They only pay Facebook to deliver targeted ads based on information they harvest, Facebook contends.
This would exempt the social-networking giant from the CCPA, since Facebook is not directly selling the personal data it collects nor making it visible to its business partners.
Why the push back? Because CCPA is hard and costly to comply with.
“The rules may sound straightforward at first, but they’re not. A company’s ability to comply with the CCPA’s data review, change, and deletion requirements assumes the data is stored in one place and easy to access,” AEI digital privacy expert Shane Tews told MarketWatch. “The reality is that information on individual consumers is often distributed across multiple databases with limited authorization to access the data without proper permission.”
Meanwhile, Gartner analyst Bart Willemsen has identified more than 200 companies pitching products and services to help companies adhere to privacy rules, though none of them offers a comprehensive solution, he adds.
Those in the tech community familiar with CCPA, have “raced to put processes and systems in place to meet cumbersome CCPA requirements,” Gary Shapiro, CEO of the Consumer Technology Association, which represents more than 2,200 U.S. tech companies, said in a statement.
“There is definitely a delicate balance between the privacy of individuals and the amount of data some of us are trying to collect,” Tim Danks, USA vice president of risk management and partner relations at Huawei Technologies, told MarketWatch at CES in Las Vegas last week. “That is the challenge in the foreseeable future.”
Not every new tech-related law has been met with resistance. Senate Bill 327, which requires that manufacturers’ connected devices sold in California require reasonable security in the form of user authentication, has been largely accepted. In fact, in the months leading up to its passage, its language grew broader.
“The California IoT (internet of things) security law was viewed as a fairly modest proposal, particularly as compared to the CCPA,” Christine Lyon, a Silicon Valley attorney specializing in privacy, told MarketWatch in a phone interview. “[It] flew largely under the radar and didn’t raise a lot of concerns.”
Of course, smaller companies don’t have the luxury of waging battles in court or rationalizing over their technology. They’re in a race to get up to speed over the next six months. “That’s probably not enough time,” Daniel Barber, CEO of data-privacy firm DataGrail Inc., told MarketWatch in a phone interview. Many U.S.-only companies, he said, are “for the first time catching up with broad privacy regulation.”
A survey conducted by DataGrail revealed that 70% of 300 security professionals said their computing systems “would not scale with additional privacy regulations,” Barber said.