FTC Could Address Net Neutrality if Court Were to Strike Down FCC Order, Ohlhausen Says

Congress might be moved to craft data security regulation if the FTC loses the case brought against it by Wyndham Hotels, Ohlhausen said, saying she wasn’t commenting on what will happen with the case itself. “Were we to lose ... I think that actually might motivate Congress” to work on data security legislation, she said. “There’s a little more consensus, a little more energy, around data security” in Congress, she said. If the FTC loses the case, the FTC would benefit from congressional guidance on the boundaries of its authority to prosecute unfair and deceptive practices under the FTC Act, she said. The FTC has been discussing and enforcing rules around data security for years, she said. “If we don’t have [that authority], well, that would be good to know.” Ohlhausen said she doesn’t think the FTC is “applying a strict liability standard” to companies in data security cases. The FTC requires companies to take “reasonable precautions” to keep consumer data safe, she said; companies need not worry about protecting themselves against security breaches like the one depicted in Mission: Impossible involving Tom Cruise’s character rappelling into a CIA facility to access a secured computer.

Ohlhausen said she still hopes a Do Not Track (DNT) solution emerges from the World Wide Web Consortium (W3C) process, despite the fact that participating stakeholders have recently encountered obstacles to consensus (CD July 17 p9). “This week the W3C sort of went back to the drawing board” when Peter Swire, co-chair of the W3C DNT working group, rejected a proposal put forward by the advertising industry, she said. “I certainly hope that they can come to an agreement.” Ohlhausen was noncommittal on a potential role for the FTC if browser makers and members of the advertising industry can’t agree on what constitutes a DNT signal and users attempt to enable a DNT signal but are still being tracked. “If someone has made a promise to them” that they won’t be tracked, “then we could look at it,” she said. “Without a promise, that’s not something that we can really get involved in."

The FTC did not have the authority to expand the definition of “operator” under the updated Children’s Online Privacy Protection Act (COPPA) rule, Ohlhausen said. The new rule should not include websites that do not collect personal information from children but include plugins that do, Ohlhausen wrote in her dissent when the updated rule was introduced (http://1.usa.gov/VSX16T). “I didn’t feel the Commission had the authority to expand that definition,” she said Thursday. The FTC does, however, have the authority to expand the types of data that are given protection under COPPA, she said. The inclusion of IP addresses in the updated rule was within the authority granted to the FTC by Congress when it passed COPPA, she said. The group of data including IP addresses is “very similar to the previous definition,” which included information that could lead to an online entity contacting a child user.

The FTC is working with foreign regulators “to get to a place where we're at least interoperable” on data security and privacy regulations, Ohlhausen said. In Europe, privacy is seen as a human right, whereas threats to privacy are seen as a “contractual harm” in the U.S., she said. “They see things fundamentally differently,” but it’s possible to get the two systems to work together, she said. When considering threats to privacy, it’s important to consider the benefits consumers gain through the collection of their data, she said: “There is this important balance between convenience, service [and] variety, that consumers really benefit” from the “good new and innovative services through the use of their data.” As a regulator, “I don’t see it as my job to take choices away from consumers,” she said.