FTC Defends Privacy Enforcement Role, Cites Limited Authority, Amid More Comments to NTIA
The FTC defended its ability to protect consumer privacy, noting limitations. In comments to NTIA (see 1811090050) released Tuesday, FTC staff cited the lack of civil penalty authority, broad rulemaking authority and ability to take action against nonprofits and common carriers. The Children's Online Privacy Protection Act is limited because it doesn’t address offline data or data about children, staff said. The agency “supports a balanced approach to privacy that weighs the risks of data misuse with the benefits of data to innovation and competition,” it said, with 5-0 support from commissioners.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The FTC cited “unintended consequences” of deploying an opt-in model, which would require users to authorize data collection. “If consumers were opted out of online advertisements by default (with the choice of opting in), the likely result would include the loss of advertising-funded online content,” staff wrote.
Telecom and tech entities in their comments sought a national privacy framework or other unified action that would include incumbents and newer companies like ISPs and tech platforms. Charter Communications said "a comprehensive and technology-neutral legal framework for online privacy that applies to all entities in the internet ecosystem will not only help instill consumer confidence but also enable businesses and consumers to take full advantage of the possibilities presented by technological advances." NCTA sought "parity," saying "consumers want uniformity in how their data is protected." The group sought a consumer "Right to Access, Delete, and Correct" data about them.
The telecom industry continues to oppose a state approach, such as in California. "A state-by-state legislative framework for privacy creates friction and uncertainty for consumers who use services that don’t stop at state borders," wrote Verizon. CTIA said "domestic fragmentation is compounded as some state governments increasingly regulate privacy, which is particularly problematic in light of the global and interstate nature of the Internet ecosystem." A footnote included California legislation.
Though the U.S. Chamber of Commerce previously supported a self-regulatory approach to privacy, it told NTIA Friday a “new approach is necessary.” The Chamber cited passage of privacy laws in Europe and California and the need for “harmonization and interoperability nationally and globally.” The FTC is the best privacy enforcer, the Chamber said, citing the agency bringing “over 500 cases protecting the privacy and security of consumer information.” NetChoice argued for a self-regulatory approach, with certification from NTIA, the FTC or another agency. The trade group cited COPPA as an example of a self-regulatory framework that has protected privacy.
Any new privacy law should put the U.S. in a stronger negotiating position “with the EU and other countries that have argued that US reliance on self-regulation and sector-specific regulations are not ‘adequate’ under their privacy rules,” the U.S. Council for International Business said. USCIB agrees personal data shouldn't be shared or used for “purposes other than those specified without the consent of the data subject.”
ISPs should follow FTC guidance on “opt-in consent for the use and sharing of sensitive information,” CTIA said. Internet providers also should offer an “opt-out choice to use non-sensitive customer information for personalized third-party marketing,” and use “implied consent” for first-party marketing, “fraud prevention, market research, product development, network management and security” and legal compliance, CTIA said.
All companies operating in the “internet ecosystem” should be subject to uniform federal privacy requirements overseen by the FTC, applied on a “competitively and technology-neutral basis” and based on a “risk-based approach,” the American Cable Association said.
TechFreedom urged legislation in the lame-duck Congress establishing a privacy law modernization commission. A similar commission developed fair information principles in the early 1970s, and “another helped Congress understand how to modernize the antitrust laws last decade,” TechFreedom said.
The Committee for Justice warned that recent privacy proposals modeled after the EU’s general data protection regulation would make the U.S. more like Europe -- where the digital economy has seen the repercussions of a strict regulatory regime -- but won’t protect consumers. Data protection policies also can deter “venture capital investments and strangle U.S.-based tech start-ups,” it said.
More than 30 civil rights, consumer and privacy groups released principles for privacy legislation. The groups included Public Knowledge, New America’s Open Technology Institute, Access Now, Center for Democracy & Technology and Center for Digital Democracy. They argued for privacy violation redress: “Legislation should avoid requiring a showing of a monetary loss or other tangible harm and should make clear that the invasion of privacy itself is a concrete and individualized injury.”