This is a guest blog by Robert Gellman, a privacy and information policy consultant who has worked with privacy issues for over 40 years, including 17 as legislative staff on Capitol Hill.
More than one hundred nations have both comprehensive privacy laws and data protection agencies to oversee or enforce those laws. The United States is the most significant outlier—we have no general privacy law and no privacy agency.
What we do have is a number of disconnected privacy laws, each with its own distinct standards and enforcement process. The Federal Trade Commission (FTC) has jurisdiction over some of those laws, and the FTC is the federal agency most cited as the equivalent of a general data protection agency. Currently, for example, opponents of new privacy protections for broadband Internet carriers under consideration by the Federal Communications Commission (FCC) often point to the privacy enforcement offered by the FTC as the model that they say the government should follow. That has made it even more timely to ask: is the FTC really capable of standing up for consumers in privacy matters?
To begin, you need to understand that this is a complicated question and that there is much more nuance than can be considered in a short blog post. Nevertheless, it is possible to look at recent developments and institutional limitations and draw some conclusions.
- The FTC has limited jurisdiction. It generally does not have any authority over federal, state, or local agencies; non-profits; banks and insurers; transportation companies; and some other sectors. It cannot serve as a general purpose privacy agency because many institutions that affect consumer privacy fall outside of its authority.
- The FTC can only address privacy with its general authority to prevent “unfair or deceptive acts or practices” affecting commerce. The only exception is a small number of areas where Congress gave the agency express privacy regulatory authority, as it did for example with the Children’s Online Privacy Protection Act. Most privacy cases that the FTC brings rely on its general authority. In fact, most of the cases rely on the deception authority. If a company makes a promise in a privacy policy and fails to carry out that promise, the FTC can act because of the deception. But if a company doesn’t promise to protect privacy (and many write vague and unclear privacy policies) there’s little the FTC can do even against privacy violations most consumers find offensive.
- The FTC has no effective general authority to issue privacy regulations beyond a few specific statutes. Decades ago, the FTC was more aggressive in other areas, and the Congress (in the Magnuson-Moss Warranty—Federal Trade Commission Improvement Act of 1975) placed severe limits on the FTC’s authority so that new regulations are nearly impossible.
The FTC could make greater use of its authority to define “unfair” trade practices, but it only occasionally does so in privacy cases. The FTC much prefers relying on its authority over deceptive trade practices because it’s a lot easier to show that a company didn’t comply with a promise than to establish a standard for unfairness. All deception cases, however, are similar at heart. They break no new ground and set no real standards. All we learn is that saying one thing and doing another is actionable. But we don’t know what substantive privacy practices are appropriate and which should be banned. The FTC’s actions tend to merely encourage companies to make fewer and more ambiguous promises.
So a preliminary conclusion here is that the FTC doesn’t do all that much to protect consumer privacy. It does bring a modest number of privacy (and security) cases each year, and the FTC waves the privacy flag in workshops and reports. No one argues that the FTC is insincere or lacks knowledgeable people, but different viewers weight the value of these activities differently.
In my view, the FTC lacks actual statutory authority to take aggressive steps to protect privacy, and it fails to use effectively the authority it does have. Worse, the FTC uses some of its limited resources to protect business interests by arguing in Europe that the American privacy system is better than it is. None of the FTC’s activities in Europe does anything to help American consumers.
Unlike the FTC, the FCC has lots of regulatory authority with respect to telecommunications carriers, and its current effort to write privacy rules for companies that provide broadband services is a much-needed exercise of that authority. But the telecommunications companies have argued long and hard that the FCC should adopt FTC’s privacy standards, supposedly for the sake of “consistency.”
The real point is that business interests see the FTC as a weaker regulator than the FCC—after all, if a business has a choice of regulatory agencies, it will invariably select the agency with weaker standards, power, and enforcement. In fact, the FTC has no actual privacy rules that would govern broadband providers. Further, any privacy standards inferred from FTC case law, reports, and statements are much more subject to revision due to political changes in FTC members. Actual regulations are harder to change.
What’s also interesting about the business argument is the sudden desire for common privacy standards. That has not been the American way of privacy. For better or worse, we have sectoral privacy laws that cover bits and pieces of the economy, but we have no common, universal standards. In the FCC broadband privacy debate, those who would almost certainly oppose a generally applicable privacy law suddenly demand uniformity of regulation. What they really seek a uniformity of weak standards with limited enforcement. That’s what you get at the FTC.
I said at the start that this was a complicated issue with many facets, and I’ve offered one perspective in support of my argument that the FTC deserves low grades when it comes to protecting consumer privacy. I do not believe that the privacy needs of consumers will ever be satisfied by the Federal Trade Commission under its current authority.