Export Compliance Daily is a Warren News publication.
Comments ‘Very DC’

Tough Road Seen for Privacy Bill, Despite Consensus That FTC Lacks Authority

Despite high-level consensus from the FTC, consumer groups and industry on the need for stronger agency enforcement authorities, it will be very challenging to reach agreement on specifics for a new data privacy bill, tech interests told us.

The FTC’s stance on data privacy has taken shape with public statements from commissioners and the agency’s recent comments to NTIA (see 1811130058). Perhaps most telling was Chairman Joe Simons’ written response to the House Digital Commerce Subcommittee, offering support for a national data breach notification and data security law that would give the agency rulemaking authority, civil penalty authority and jurisdiction over nonprofits and common carriers.

His position will carry a lot of weight for the other two Republican FTC members, and Democrats seem to be aligning with Simons on specifics. Commissioner Rohit Chopra suggested rulemaking authority would allow the agency to penalize companies on first offenses, so the agency doesn’t have to rely on consent decrees. Commissioner Rebecca Kelly Slaughter publicly sought rulemaking and civil penalty authority (see 1810260040). Simons told the subcommittee he would begin a data security and data breach notification rulemaking process if given the authority (see 1807180051).

The agency’s NTIA comments note the FTC lacks those three authorities, but staff stops short of asking Congress directly to grant those authorities. With 5-0 member support, agency staff backed “a balanced approach to privacy that weighs the risks of data misuse with the benefits of data to innovation and competition.”

Simons warned against passing legislation that could harm competition and entrench tech industry incumbents, a point Commissioner Noah Phillips has echoed repeatedly. Phillips told C-SPAN that lawmakers want to protect consumers but must keep in mind that regulatory schemes can disrupt competition (see 1811160028). America’s risk-based approach to privacy has targeted the areas of greatest privacy need, while permitting “a tremendous amount of innovation,” he said recently, citing competitive harms of the EU’s general data protection regulation (see 1807270047).

Commissioner Christine Wilson’s thinking on privacy legislation remains largely unknown to outsiders, since she hasn't released any statements or spoken publicly. All five commissioners are expected to testify before the Senate Consumer Protection Subcommittee Tuesday (see 1811200051). Wilson could offer her take on privacy legislation if asked during the hearing, an agency spokesperson said.

The agency’s comments to NTIA are “very D.C., noncommittal,” former FTC Chief Privacy Officer Marc Groman, now at Groman Consulting, told us. Given the lack of a direct request for additional authorities, disagreement might remain among members about specifics, he said.

Software & Information Industry Association Senior Vice President-Public Policy Mark MacCarthy acknowledged there’s consensus the FTC should enforce a new national privacy law with adequate resources. However, like Groman, he said there doesn’t appear to be consensus on specifics.

It’s easy for lawmakers and stakeholders to agree at a high level that the FTC needs more authority, said Common Cause Media & Democracy Program Director Yosef Getachew. But when lawmakers get into specifics for a potential bill, opinions will be wide-ranging, he said. One disagreement could be over industry’s lack of support for opt-in user consent. He agreed consensus is widespread the FTC lacks proper authority, citing the common carrier exemption as a hole in the agency’s jurisdiction.

Any new law should fold nonprofits and other non-private entities into FTC jurisdiction, said NetChoice Vice President Carl Szabo. “Nonprofits collect an enormous amount of information and yet are not covered by privacy laws like California’s,” he said. “The groups that wrote California’s privacy law exempted themselves from coverage.”

Folding nonprofits into the FTC’s purview complicates the likelihood of bill passage, said Future of Privacy Forum CEO Jules Polonetsky. Many universities are nonprofits, for example, and those jurisdictional questions should be considered separately. He agreed on the need for direct fining, which should be “calibrated,” and common carrier enforcement. Privacy could be a rare, bipartisan issue, he predicted, agreeing there’s consensus on the need for a new law.