FTC holds 2-day hearing on federal consumer legislation

On April 9 and 10, 2019, the Federal Trade Commission (FTC) held its 12th Hearing on Competition and Consumer Protection. The theme of the two-day hearing focused on the FTC’s approach to consumer privacy, and featured remarks from the FTC Commissioners, plus numerous panel discussions by prominent experts.

The FTC’s Chairman, Joe Simons, presented his opening remarks by reiterating his support for the FTC’s existing consumer privacy strategy, but drove home his belief that the agency needed to do more. Emphasizing the positive and negative aspects of data collection, he stated that “we live in an age of technological benefits powered by data”, making his message that we need to evaluate our approach to privacy in a shifting world, loud and clear.

Areas of consensus

The majority of delegates - including the Commissioners, industry stakeholders and privacy advocates - agreed upon a few areas of concern. These include:

  • The need for federal privacy legislation.
    There was general agreement that Congress should do something.

  • The FTC should be the country’s main privacy enforcer.
    Perhaps an obvious choice, considering the agency’s long-standing role as the government’s principal privacy authority.

  • Consumers should have choice regarding their privacy.
    …although precisely how to give consumers meaningful choice remains to be agreed upon.

  • Impact on small businesses.
    Stakeholders are concerned that smaller companies face significantly bigger challenges when dealing with new consumer privacy laws.

Areas of disagreement

Despite the encouraging level of consensus regarding the above issues, there was plenty of fuel for lively debate between stakeholders. Issues include:

  • What constitutes privacy harm
    There was a general consensus that financial loss and physical injury are discernible harms. Chairman Simons identified reputational damage as a privacy harm, while one panelist argued that privacy harms should include a broader range of harms such as anxiety or fear.

  • How to give consumers meaningful choice
    Industry stakeholders advocated strongly for the longstanding privacy principle of notice and choice. However, this was rebuffed by academics and privacy advocates as no longer workable in today’s environment. And while many agreed that consumers would be required to accept a measure of responsibility for their choices with any privacy tool, there was no consensus about just how much responsibility they should be given.

  • How to enforce a privacy law
    There were divided views concerning the pre-emption of state laws. Also, whether or not there should be provision for a private right of action. Another spilt in opinion was whether enforcement should be based on; analysis of actual past harms (ex-post), or on anticipated theoretical activities (ex-ante). Supporters of ex-ante enforcement argued that the ex-post enforcement would be a case of ’too little too late’ for incidents involving highly sensitive data.

Goals of Privacy Protection

James Cooper, the FTC’s Deputy Director for Economic Analysis. Cooper spoke about three fundamental questions concerning consumer privacy:

  1. What do consumers want?

  2. Is there some reason firms aren’t responding?

  3. Is there something the government can do to improve things?

Cooper discussed recent surveys that suggest privacy is highly important, while revealed preference indicated the opposite, (referred to as the “privacy paradox”), and whether or not the government should take action, and to which types of harm any new privacy regulation should address.

Over the course of two days, panelists discussed a broad range of related topics, including the primary goals of consumer privacy legislation and the virtues and shortcomings of the GDPR and CCPA within context of consumer rights, corporate obligations, and enforcement mechanisms that should characterize a new U.S. federal privacy regime.

California Consumer Privacy Act (CCPA)

Panelists expressed broad support for the CCPA. However, they also found significant areas of concern regarding California’s new law, which is due to come into effect on Jan 1, 2020. Shaundra Watson BSA, of The Software Alliance, argued that a new federal law should be much stronger than the CCPA, in terms of protecting consumers’ rights by reaching third party uses of data. David LeDuc, of the Network Advertising Initiative (NAI), agreed, arguing that the CCPA has inherent flaws as a privacy framework because it mostly focuses on regulating “the sale” of data, and noting that first-party data uses can be harmful, while third-party uses can be beneficial to the consumer.

The EU’s General Data Protection Regulation (GDPR)

Panelists discussion around the GDPR highlighted a belief that although it would not be wise to simply import the GDPR wholesale into U.S. law, they considered that there were a number of positives in the European Union’s approach. Laura Moy, of the Georgetown Law Center on Privacy and Technology, voiced her approval of the GDPR’s provisions on purpose limitation, data minimization, and fining authority. Another panelist, Markus Heyder of the Centre for Information Policy Leadership, underlined the benefits of the GDPR’s “organizational accountability” and declared his support for the use of certifications and codes of conduct.

Viewpoints on US Legislation

It was evident that all the panelists were unanimous in their support for a new federal privacy law. Shaundra Watson explained how the US sectoral approach was developed in conjunction with emerging threats to privacy but added that the current framework was no longer fit for purpose, since the lines between different categories of data and industry types have become blurred.

David LeDuc pitched in by citing the efforts of the new coalition ‘Privacy for America’, of which NAI is a member. The coalition supports wholesale bans on certain harmful data practices, as well as the creation of a new FTC Data Protection Bureau.

While most panelists appeared to agree on a number of high-level principles, it was evident that there remained differences of opinion regarding other issues, such as a private right of action, fining authority, and the preemption of state laws.

Laura Moy gave her support to a private right of action, suggesting that based on past performance, federal agencies could not be trusted to defend disadvantaged populations. Moy further argued that a strong patchwork of state legislation would be better for consumers than a weak federal standard.

Sources: Federal Trade Commission, WileyConnect, DisCo

Do you have an opinion on a new federal privacy law?  How will such a law impact state laws that are in the process of being passed?  Voice your concerns and opinion here.