The Federal Trade Commission (FTC) has just released its final privacy framework proposal, “Protecting Consumer Privacy in an Era of Rapid Change.” The agency released a draft report with the same title back in late 2010 and then asked for comments. [Here were my comments to the agency.] The FTC’s final report comes just a month after the Obama Administration released its 50-page privacy framework, Consumer Data Privacy in a Networked World, which included a privacy “bill of rights.” That report was primarily driven by the Department of Commerce. [I penned a Forbes column about that report the day it was released.] The new FTC report is fairly consistent with the earlier Commerce Department report. Here are some of the key themes or recommendations from the final FTC report:
- rooted in a set of baseline privacy principles with a strong push for “privacy by design,” more consumer choice, and better transparency.
- along with Dept of Commerce, the agency will work with industry to develop privacy codes of conduct and then give them teeth with possibility of FTC enforcement.
- pushes for industry to pursue voluntary “Do Not Track” mechanism, which to the agency apparently means “do not collect” any info.
- calls on Congress to pass data security legislation and legislation “to provide greater transparency for, and control over, the practices of information brokers.” Also, “to further increase transparency, the Commission calls on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”
- the agency will host a workshop later this year to discuss privacy withing “large platform providers.” The report notes: “To the extent that large platforms, such as Internet Service Providers, operating systems, browsers, and social media, seek to comprehensively track consumers’ online activities, it raises heightened privacy concerns.”
- the agency is also stepping up oversight on mobile privacy issues.
- the agency says it “generally supports the exploration of efforts to develop additional mechanisms, such as the ‘eraser button’ for social media,” but stops short of saying it should be mandated at this time.
Some of my initial random thoughts about the FTC report:
Not as bad as it could have been…
Overall, the FTC’s final privacy report not as heavy-handed as it could have been. There’s no sweeping, immediate effort to impose a top-down privacy regime or “Data Directive” that some of us feared would put the FTC in a position to become a full-blown Data Protection Agency and regulate every facet of the information economy.
… but “self-regulation” sure sounds a lot like European-style “co-regulation.”
Nonetheless, it doesn’t mean that can’t happen. It is clear that the new FTC and Commerce privacy reports signal the next step in the Obama Administration’s gradual move toward more of a “co-regulation” model for Internet governance on the privacy front. The Administration seems to favor a “government steers, industry rows” model for privacy policy that assigns a broad oversight role to federal regulators allowing them to “nudge” the tech industry in certain directions with the stern but amorphous “do this or else” sword of Damocles hanging over industry “self-regulatory” decisions on this front.
In his dissenting statement, Commissioner J. Thomas Rosch makes this point (on C-8):
The Report also acknowledges that it is intended to serve as a template for legislative recommendations. Moreover, to the extent that the Report’s “best practices” mirror the Administration’s privacy “Bill of Rights,” the President has specifically asked either that the “Bill of Rights” be adopted by the Congress or that they be distilled into “enforceable codes of conduct.” As I testified before the same subcommittee, this is a “tautology;” either these practices are to be adopted voluntarily by the firms involved or else there is a federal requirement that they be adopted, in which case there can be no pretense that they are “voluntary.” It makes no difference whether the federal requirement is in the form of enforceable codes of conduct or in the form of an act of Congress. Indeed, it is arguable that neither is needed if these firms feel obliged to comply with the “best practices” or face the wrath of “the Commission” or its staff.
Columbia Law School professor and former FTC adviser Tim Wu refers to this as an “agency threats” model of governance. That’s generally what the FTC is endorsing here. Intimidation is often a very effective regulatory policy. Thus, I hope we can dispense with this silly notion that this process represents truly voluntary self-regulation. Ask yourself this: If the FTC and Dept of Commerce had instead proposed this same framework for overseeing private media ratings or online speech “codes of conduct,” would anyone seriously call it “voluntary” or “self-regulatory”? I don’t think so. We’d understand that these implied threats constituted a form of indirect speech control. The only difference in this case–as I have noted here many times before–is that a bit of selective morality is in play when it comes to privacy policy; many of those who oppose regulation-via-intimidation in other contexts are, unfortunately, positively giddy about when it comes to privacy! And so we have arrived at the point where these tactics have become favored information control mechanisms in some contexts but not others.
Trade-offs associated with regulation still must be considered.
If the Obama Administration’s new co-regulatory model results in the sort of de facto regulatory regime that many wanted them to just impose forcefully right from the start, then we are right back at the same point we were before in terms of the trade-offs between information sharing and the largely unregulated economy of “free” online sites and services. As I noted in my filing to the FTC in this matter: ” There is no free lunch. While well-intentioned, government regulation that attempts to create a cost-free opt-out for data collection and targeted online advertising will likely have damaging unintended consequences. In terms of direct costs to consumers, Do Not Track could result in higher prices for service as paywalls go up or, at a minimum, advertising will become less relevant to consumers and, therefore, more “intrusive” in other ways.” To be clear, we could get this result even in absence of a top-down regulatory regime if the FTC and Commerce are able to use threats to accomplish their same regulatory objectives.
“Harmonization” is overrated.
The final FTC report continues the Obama Admin’s misguided obsession with “global harmonization” in terms of achieving more consistent international privacy norms and regulations. As I have noted before, this is an epic blunder. If our norms aren’t the same as Europe’s or the rest of the world’s, some might point out that’s why our Internet sector is better positioned and more highly regarded than the rest of the planet’s online sectors and operators! Even if you don’t accept that premise, you should be skeptical of the wisdom of doing whatever it takes to make America’s privacy policies more consistent with the regulatory models others follow. Sometimes when it comes to global standards and “harmonization,” the better approach is to just go our own way.
The FTC has been doing plenty without additional regulatory authority.
Ironically, the report opens with two pages (p. ii-iii) of “developments since issuance of the preliminary report,” listing the many ways the FTC has been active on this front over the past year in the absence of expanded authority. That includes major actions against two tech titans, Google and Facebook, which included the FTC slapping 20-year privacy audits on them. The FTC also lists many other enforcement actions (via COPPA, FCRA, and general Sec. 5 authority) and other educational steps it has taken over the past year. All of which begs the question: Why, then, do we need to expanded federal regulation and enhanced agency power over the information economy?
Does anyone still care about personal responsibility?
Sadly, the report doesn’t have much to say about the role of personal responsibility in this context. It does note that “All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.” That’s good. But had this been an agency report on child safety issues, I have to imagine that the agency would have pointed out that best practices begin at home. As I noted in my filing to the agency, “For some reason, when the topic of debate shifts from concerns about potentially objectionable content to the free movement of personal information, personal responsibility and self-regulation become the last option, not the first. . . . those who advocate personal responsibility and industry self-regulatory approaches to free-speech and child-protection issues should be advancing the same position with regards to privacy. . . . it is not unreasonable to expect privacy-sensitive consumers to exercise some degree of personal responsibility to avoid unwanted content or communications in this context, just as they must in the context of objectionably content or online child safety.” Again, the Obama Administration doesn’t seem very interested in pushing personal responsibility as the first order of business with regards to online privacy the way it has for online safety issues. That’s a real shame.
There is another way.
In closing, I continue to believe that privacy is best governed by a set of evolutionary norms, ongoing online marketplace interactions and experiments, contractual negotiations, public pressures, educational efforts, user empowerment, personal responsibility, and targeted legal enforcement and the use of state torts when true harms can be demonstrated. That’s been the uniquely American approach to privacy protection and we should not abandon it lightly.
I’ll try to update this post after I read through the report a second time but wanted to just get these initial thoughts out for now.
Additional Reading:
- my big Mercatus Center filing to the FTC last year on privacy and Do Not Track regulation
- my recent Forbes oped, “The Problem with Obama’s “Let’s Be More Like Europe” Privacy Plan“
other TLF essays…
- Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy?
- Privacy as an Information Control Regime: The Challenges Ahead
- Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness
- Lessons from the Gmail Privacy Scare of 2004
- When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed
- And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars
- Book Review: Solove’s Understanding Privacy