At a Senate hearing last month, executives from some of the nation’s top tech companies—among them Twitter, AT&T, Google, and Apple—repeated a common refrain during their testimony on consumer privacy protections. With near unanimity, they urged lawmakers considering federal data privacy legislation to vest those powers in the Federal Trade Commission.

Although some retreated a bit when discussions turned to enhanced enforcement powers for the agency, the vote of confidence shouldn’t come as much of a surprise. For decades, the FTC has positioned itself, within the boundaries of its statutory authority, as a top cop on the consumer tech beat.

In 1995—long before Facebook, iPhones, or Google—then-Chairman Robert Pitofsky held a series of hearings that investigated the new breed of emerging high-tech companies and how his agency could best “deter unfair and deceptive conduct in privacy and data security matters.”

Fast forward to 2012, and the FTC issued an influential report, one with guidelines still in use, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” It called on companies handling consumer data to build in reasonable security for consumer data; limit collection and retention; and give consumers control over the information shared about them.

Similar conversations have continued over the years, most recently as part of a series of full-day hearings the FTC is holding on “Competition and Consumer Protection in the 21st Century.” The final event in the series will be held Oct. 15-17 at George Mason University. A session on Sept. 21 focused on “The Regulation of Consumer Data.”

“Technological innovation has raised serious and important questions of law and policy,” Commissioner Rebecca Slaughter said at the start of that day’s sessions. “These hearings are not a project of reaffirming our current policies and practices. To the contrary, they must be a critical rethink of what we do, how we do it, and what we should do differently or better to advance the FTC’s mission of promoting competition and protecting consumers. If at the end of the day we appear to be merely patting ourselves on the back for a job well done thus far, we will have failed.”

The Federal Trade Commission Act, notably under its Section 5 authority, gives the FTC purview for preventing unfair or deceptive acts or practices that may affect interstate commerce.

Over time, that authority was extended, within those parameters, to privacy and data security. The FTC monitors online and app privacy under the Children’s’ Online Privacy Protection Act. It is also considering its reach to the privacy risks of household appliances and cars connected to the Internet.

Critics—and there are plenty—say the FTC risks overstepping its statutory authority.

To prove unfairness, it must establish that a practice is likely to cause substantial harm or injury to consumers; that the injury is not reasonably avoidable; and it is not outweighed by countervailing benefits to the consumer or competition. The argument: This may not be a clear standard sufficient to give companies notice of what they can and cannot do with respect to consumer privacy.

The FTC, they say, runs the risk of essentially creating law without the clear authority or direction of Congress. Congress, for example, never granted the FTC express cyber-security oversight. Doing so exceeds its enforcement authority, critics say.

“These hearings are not a project of reaffirming our current policies and practices. To the contrary, they must be a critical rethink of what we do, how we do it, and what we should do differently or better to advance the FTC’s mission of promoting competition and protecting consumers. If at the end of the day we appear to be merely patting ourselves on the back for a job well done thus far, we will have failed.”
Rebecca Slaughter, Commissioner, FTC

For now, the FTC relies on out-of-court settlements and consent decrees for its enforcement efforts related to cyber-security breaches or inadequate privacy security policies.

More so than legal and constitutional debates, real-life controversies are fueling discussions about the FTC’s continued, and possibly expanding, role.

“The use of social media to attempt to influence the 2016 election, Cambridge Analytica, and [Europe’s] General Data Protection Regulation have caused many to question whether the current privacy and data security framework needs a rethink,” said James Cooper of the Consumer Financial Protection Bureau, a technology expert who moderated the Sept. 21 panel.

Some, he said, have suggested the United States “adopt a more European-like approach.”

Commissioner Maureen Ohlhausen was on staff at the FTC in 1998 when it brought its first online privacy case against Website-creation service Geocities. It ignored promises to consumers about how it would collect and use data.

Ohlhausen stressed the concept of “consumer sovereignty.”

“The consumer made a choice. And that choice wasn’t respected,” she said. “There is also a competition element there, because you certainly want to allow the marketplace to operate in an efficient way where you have someone not getting a competitive advantage because they’ve lied about what they’re doing and they actually aren’t adhering to it.”

The FTC must also focus on “protecting consumers from substantial injury,” Ohlhausen said, adding that the objective “is captured in our unfairness authority.”

“Some of the cases that we’ve brought in that space involve things like collecting and sharing real-time location data about consumers, because that can be abused in a way that can be used for stalking. So there’s health or safety risk,” she explained. The collection of financial information or the failure to protect sensitive financial information also fits the bill.

In some situations, such as the breach that exposed customers of the online adultery dating site Ashley Madison, she said, there was both reputation risk and substantial injury, as a few customers committed suicide once exposed.

“It’s very important that if a company makes a promise that it be held to that promise,” said Daniel Solove, a professor of law at George Washington University Law School. “Otherwise the entire self-regulatory regime collapses, because the privacy policies are meaningless then. So, it’s nice that the FTC is a backstop to that.”

Solove described an important component to an enforcement regime: consumer expectations.

“Even if it’s not a direct promise, consumers have expectations about how their data is going to be handled and used that are often and sometimes at variance with what’s said in a privacy policy or with what companies do,” he said. “It’s very important that consumers can use sites and engage in e-commerce and other commerce and know that what they expect generally is going to be the case, and there aren’t going to be unpleasant surprises down the road.”

What about those privacy and terms-of-use agreements that are supposed to outline all that?

 “We know from a lot of studies that a very, very small percentage of people actually read the privacy policies or privacy notices. Something like less than 1 percent,” Solove said.

 “It’s amazing how when you use the phrase privacy policy, everybody launches into a diatribe,” said David Vladeck of Georgetown University Law Center. “So I’m going to take a minute and launch into my own. One is they’re privacy policies. The original sin was calling them something that they’re not. None of them really deal with privacy. They deal with data use. And part of the problem is they’ve been misnamed. If you have a regulatory regime that is clear so you know that everything you do on the internet is safe or at least you have that promise, even if it’s not enforceable, then the privacy policy or the data use statement becomes less important.”

He predicted that the world of privacy agreements will continue to be more complicated. “If the goal is for consumers to understand at a technical level what’s going on and how all the information is being used, we’re not going to get there, guys,” Vladeck said. “Let’s think about what’s second best.”

Howard Beales, a professor of strategic management and public policy at the George Washington University School of Business, stressed that “harm” should be the foundation of any FTC action.

 “That’s where privacy regulation and privacy enforcement really ought to focus. If there’s not a harm, it’s not something that the FTC in particular should be worried about,” he said.

A global comparison

Solove fretted that the U.S. data privacy regime is fractured and compared unfavorably to European standards.

 “The problem with the U.S. approach is that we get no respect from the rest of the world,” he added. “We are kind of the Rodney Dangerfield of privacy in the U.S. … The FTC has done tremendously effective work. We do have a lot of protection. It’s just that it’s inconsistent. It’s hard to articulate. It’s very hard to explain to other countries, especially the EU, how the U.S. system works and how information is protected here. It’s so haphazard.”

“I haven’t seen a tremendous amount of legislative activity on privacy,” he explained. “It really has tapered off. Do we kind of say, ‘Hey, we’ll just be regulated by Europe and California?’ Or will we have meaningful regulation at the federal level that reflects the balances and approaches that the U.S. would like to have?”

Enforcement challenges

An ongoing problem for the FTC, given the proliferation of tech companies, is how to discourage bad behavior industry-wide, not just company-by-company. How can it create deterrent value?

“I don’t like the idea of civil penalties and especially in an area like privacy,” Vladeck said. Civil penalties, however, “presume a really clear standard of what’s a violation and what’s not. “That’s not so clear in a lot of the privacy areas. It is a lot clearer in data security. In a lot of privacy and some other areas, I think monetary relief is not appropriate.”

Could pressure for national and international conformity drive federal privacy law closer to these other models? Reactions were not optimistic.

“The enactment of the California statute and sort of the smart implementation of it, with deliberately slow implementation, has created an interest in many other states to see if they could replicate what California has done,” Vladeck said. “I don’t think that Congress is going to immediately race to enact federal privacy legislation.”

“My guess is that unless the business interests that are unhappy with the California law succeed in either scuttling it back in the California legislature or attacking it successfully in court, you’ll see other states moving to adopt a regime based on the California statute, which is to some extent based on the GDPR,” he said.