A group of big tech executives headed to the Senate this morning to talk consumer privacy and what a federal law may look like. But the questioning went far beyond that.
Called by the Senate Committee on Commerce, Science and Transportation, execs from Apple (AAPL - Get Report) , Amazon (AMZN - Get Report) , Alphabet (GOOGL - Get Report) , Twitter (TWTR - Get Report) , AT&T (T - Get Report) and Charter Communications (CHTR - Get Report) participated in the testimony.
The questioning centered initially on what should be considered in drawing up a federal privacy law, and how closely it might be modeled on existing privacy laws such as Europe's GDPR or California's recently passed consumer privacy law.
The executives expressed broad agreement that a federal privacy law is necessary and that it should require "clarity and consistency" across multiple services. But they disagreed on many of the finer points in how such a law should be drawn up and enforced, such as a potential requirement that companies notify users of data breaches within 72 hours of a breach, and how exactly the FTC would enforce and assess penalties for privacy violations.
The executives also warned broadly that a "patchwork" of privacy laws across various states would be bad for business.
Some of the executives also raised the idea that compliance costs could burden businesses, in particular small businesses. Asked how much money Alphabet had spent complying with privacy laws, Google's privacy chief Keith Enright said it was "an order of magnitude greater" than millions of dollars, and that "hundreds of human years" had been spent on compliance projects that would have otherwise been spent building new products.
However, the conversation also veered off into other areas, and much of it zeroed in on Alphabet. Alphabet's policies came into focus recently when an investigation revealed that Alphabet is developing a search engine for China, in compliance with censorship requests of the Chinese government.
Enright denied that Google was "close" to launching such a search engine and said it was "unclear" if they would, but that he would be closely involved if it were to launch a China search engine. A few senators piled on questions on how the companies deal with Chinese regulators or businesses.
Questioned on whether Apple considers safeguarding human rights of Chinese citizens in developing software, VP of software technology Guy Tribble appeared to stumble over a prepared response, saying "we make products for customers, not countries."
Industry experts who followed the hearings said it was no surprise that companies would vouch for a hypothetical national privacy law -- but on terms that suit them.
Dimitri Sirota, CEO of BigID, a data privacy firm that helps enterprises with GDPR compliance, was skeptical of the idea that compliance with U.S. privacy laws would place undue burdens on a company like Alphabet.
"Compliance cost is a deflection in some regards. In a global economy, companies already have to comply to meet GDPR. The marginal cost to extend to the U.S. is minimal," said Sirota. "The greater concern is possible liability, but the companies arguing this are missing the forest for the trees. People want transparency and accountability in how organizations manage their data."
Eve Maler of Forgerock, a digital ID management firm, added that states may be more likely to pass their own privacy laws before a national law is brought to bear: "I believe we're going to see more states, like California, rolling out regulations before we see legislation at the federal level," she said.
"In terms of a U.S.-wide adoption of privacy laws, there are upsides if we can achieve elements of what we would call a "digital single market," similar to what GDPR is striving for in the EU," she added. "This hearing may be able to start the march toward that end goal."