What You Need to Know About the FTC’s Hearing on Consumer Privacy
As part of the FTC’s hearings on Competition and Consumer Protection in the 21st Century, the agency convened a two-day hearing on consumer privacy. The hearing featured remarks from the FTC Commissioners and numerous panel discussions by leading experts in the field. After the dust settled, the hearing revealed insights from the Commissioners and both areas of consensus and deep fault lines among privacy stakeholders. Here’s what you need to know.
Remarks from the Commissioners
Chairman Simons’ remarks were relatively high-level. He acknowledged the tradeoffs of privacy regulation by highlighting both the innovative technological developments that have come from intensive data use—like smart cities and self-driving cars—and the privacy risks that can come from these technologies. He again reiterated his support for the FTC’s existing privacy enforcement strategy but stressed that the agency needed to do more.
Commissioner Philips continued to toe the line in calling on Congress to delineate the thorny value judgments of any privacy enforcement scheme, such as what constitutes a privacy harm. While he raised a wide range of economic concerns that could stem from greater privacy regulation, like chilling America’s data-driven economy or disadvantaging smaller companies, he nevertheless endorsed expanding the FTC’s privacy jurisdiction and enforcement authority.
Lastly, Commissioner Slaughter focused on the nuts and bolts of federal privacy legislation and its potential impacts. She expressed skepticism about the role of notice and choice in today’s digital world, based on her view of the burden it puts on consumers. In terms of the FTC’s role, she echoed the call for greater enforcement authority and resources, as well as rulemaking authority.
Areas of Consensus
There were a few areas that nearly everyone—from the Commissioners to privacy advocacy groups to industry stakeholders—agreed upon over the course of the two-day hearing. These included:
The need for federal privacy legislation. The devils are in the details of course, but there was broad consensus for Congress to do something.
The FTC should be the nation’s main privacy enforcer—perhaps unsurprisingly at an FTC hearing and given the agency’s longstanding role as the federal government’s chief privacy cop.
Consumers should have choice when it comes to their privacy. However, as we discuss below, how to give consumers meaningful choice was far from being in consensus.
The impact on smaller companies is a real concern. Stakeholders are concerned that smaller companies would face greater challenges in dealing with new privacy laws, but views of the extent of that concern and how to handle it diverged.
Areas of Disagreement
Despite the high-level consensuses described above, there was a lot of daylight between stakeholders on a number of issues. These included:
What constitutes a privacy harm. One panelist pointed to a general consensus that physical injury and financial loss constitute cognizable harms. However, many participants argued for a broader conception of privacy harm. Chairman Simons himself identified reputational injury as a privacy harm example, and one panelist argued that privacy harms could include a broad range of harms such as fear or anxiety. Perhaps in recognition of this disagreement, Commissioner Phillips argued that Congress should determine what constitutes harm.
How to give consumers meaningful choice. Industry representatives pushed heavily for notice and choice, a longstanding privacy principle. However, privacy advocates and academics argued that notice and choice was no longer viable in today’s environment. While many panelists acknowledged that any privacy tool would require consumers to shoulder some responsibility for their choices, there was no clear consensus around how much responsibility they should be given.
How to enforce a privacy law. There was a sharp divide over preemption of state laws and whether privacy legislation should include a private right of action. There was also a split between ex-post versus ex-ante enforcement. Advocates for the former argued that it was more flexible and could assess actual harms, as opposed to theoretical effects. Advocates for the latter argued that ex-post enforcement would be too little too late for highly sensitive data.
How to balance the economic impacts. While panelists discussed whether prescriptive privacy requirements could put smaller entities with fewer resources at a disadvantage, there was little consensus as to whether and how to resolve that issue. Some suggested carve-outs for small business, though another panelist pointed out that even small businesses could commit outsized privacy violations.
What’s next? The FTC is accepting comments on this hearing through May 31, 2019. It remains to be seen what additional public steps the agency will take as part of its reconsideration of its privacy approach.