Why the FTC should proceed with a privacy rulemaking

On June 3, the House Committee on Energy and Commerce released a draft federal privacy bill, the American Data Privacy and Protection Act. According to an accompanying press release, the draft has support from U.S. Representatives Frank Pallone, Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), Chairman and Ranking Member of the House Committee on Energy and Commerce, as well as U.S. Senator Roger Wicker (R-Miss.), Ranking Member of the Senate Committee on Commerce, Science, and Transportation.

When the bill was formally introduced into the House on June 21 as H.R. 8152, it also had the co-sponsorship of Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-Ill.), and Subcommittee Ranking Member Gus Bilirakis (R-Fla.). The next day, an amended version of the bill was reported favorably out of the Subcommittee on a voice vote.

Privacy law scholar Peter Swire properly welcomed this Federal privacy proposal as a “big deal.” If adopted, Swire notes, it would replace the patchwork of state privacy laws with a consistent national policy. Even if it does not pass this year, he adds, its compromises in the areas of state preemption and private rights of action would set the template for a new national privacy law that might pass “in the next Congress or two.”

Former Commerce Department General Counsel Cameron Kerry, now at the Brookings Institution, also called the draft a “huge deal.” He thinks it has narrowed the partisan differences on the bill and creates a genuine path to enactment this year. He urges Congress not to “miss this opportunity to get the job done—before election priorities close the window.”

But such a hope is not a strategy to provide timely privacy relief for consumers who have been abused by industry privacy practices for decades. Despite impressive bicameral, bipartisan support and legislative progress in the House, the proposal faces strong opposition in the Senate. It does not even have the backing of Senate Commerce Committee Chair Senator Maria Cantwell (D-Wash.), who can determine whether the bill is brought up for a Committee vote. She thinks the draft has “major enforcement holes” and is too weak as it stands to override state privacy laws. She intends to pursue her own bill, which is even less likely to pass the Senate than a bipartisan bill.

The proposed bipartisan draft is a better vehicle than a partisan measure. But it is extremely unlikely to get the 60 votes needed to pass the Senate this year. Senator Cantwell thinks that Senate Majority Leader Chuck Schumer (D-N.Y.) won’t even bring it to the Senate floor for a vote. The possible merging of abortion issues with privacy issues would further dim its legislative prospects this year. It has even less of a chance in the coming years as Republican leaders will likely control the next Congress and perhaps the next Administration. Once in control, they are almost certain to back away from needed Federal privacy rules for the foreseeable future.

A more promising response to the urgent privacy policy challenge would be for the Federal Trade Commission to open a privacy rulemaking under its Section 18 authority and to establish binding Federal privacy regulations for all the industries under its jurisdiction. FTC Chair Lina Khan and Commissioner Rebecca Slaughter have already indicated they favor this approach. The agency has twice noticed its intention to proceed with a privacy rulemaking. With the recent addition of privacy advocate Alvaro Bedoya as a third vote, the Commission can and should move ahead with this regulatory approach.

The Commission’s Section 18 Authority

In 1975, Congress passed the Magnuson-Moss Warranty Act that imposed greater procedural burdens on FTC rulemaking than are required under the Administrative Procedure Act. Further constraints were added in 1980. Codified at 15 U.S. Code § 57a, these procedures require the agency to publish for public comment an Advance Notice of Proposed Rulemaking (ANPRM) before initiating a rulemaking and in addition publish for further public comment a Notice of Proposed Rulemaking (NPRM). The agency must submit in advance both this ANPRM and NPRM to its Congressional oversight committees. The agency is also required to resolve any disputed issues of material fact through an informal hearing that provides limited cross-examination rights to interested parties. It must publish a Final Rule accompanied by a statement of basis and purpose. This infographic from the International Association of Privacy Professionals outlines the process.

Under Section 5 of the FTC Act, the Commission is able to take action against unfair or deceptive acts or practices. Section 18 authorizes the Commission to prescribe “rules which define with specificity acts or practices which are unfair or deceptive acts or practices…” The Commission may initiate a Section 18 rulemaking when it has reason to believe that the practices to be addressed by the rulemaking are “prevalent.”

The Commission enforces knowing violations of its rules through civil penalties under 15 U.S. Code § 45(m)(1)(A) obtained by filing a suit in federal district court. Companies that violate a Section 18 rule are also liable for injury caused by a violation of a rule, but not for punitive damages.

The “Magnuson-Moss” procedures provide substantial transparency, due process protection, and an opportunity for the public and businesses to express their views. Perhaps because of the greater procedural burdens compared to the rulemaking processes under the Administrative Procedure Act, it has been assumed for decades that it is too difficult for the FTC to use its rulemaking authority to address the unfair and deceptive practices rampant in today’s digital industries.

But many of the obstacles to efficient rulemaking are self-imposed through agency administrative rules and reflect an institutional culture of caution. In March 2021, Acting Chairwoman Rebecca Slaughter formed a task force designed to identify possible candidates for Section 18 rulemaking, noting that the process could reduce consumer harms through rules and civil penalties. In July 2021, the FTC streamlined its Section 18 process rules in a way that will allow it to avoid unnecessary delays and still maintain the statutory procedural protections. As former FTC Consumer Protection Bureau head Jessica Rich has noted, obstacles still remain, especially the amount of time a procedurally defensible Section 18 rulemaking would take. But these streamlined procedures open the way for the FTC to use its Section 18 authority in a significant way for the first time since the 1970s.

An FTC Section 18 Privacy Rulemaking

One of the first applications of these streamlined procedures might be in the area of privacy. President Biden’s July 2021 Executive Order urged the FTC to use its rulemaking authority to address “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” In September 2021, a group of eight Democratic Senators led by Senator Richard Blumenthal (D-Conn.) urged the FTC to “undertake a rulemaking process with the goal of protecting consumer data.”

In December 2021, Chair Khan released the agency’s regulatory priorities noting that the agency was considering whether a rulemaking on the “alarming . . . abuses stemming from surveillance-based business models” would be effective in “curbing lax security practices, limiting intrusive surveillance, and ensuring that algorithmic decision-making does not result in unlawful discrimination.” In its December 2021 filing with the Office of Management and Budget, the agency indicated that it was considering such a rulemaking. In June 2022, the FTC refiled its notice to proceed with this privacy rulemaking, adding its intent to launch an ANPRM in June 2022.

Individual Commissioners had been recommending this step for some time. In a law review article published in August 2021, Commissioner Rebecca Slaughter argued that the FTC should use its Section 18 rulemaking authority to address “the area of algorithmic justice” that might “affirmatively impose requirements of transparency, fairness, and accountability.”

In an October 2021 address to the International Association of Privacy Professionals, Commissioner Slaughter added that the FTC should exercise its Section 18 authority to “develop a public, participatory record” and use it to establish “bright-line rules around what data can be collected and how it can be used.” Her preferred “data minimization” approach would replace the traditional “notice and choice” framework with substantive constraints on data collection and use.

In April 2022, FTC Chair Lina Khan reiterated that the FTC was considering a Section 18 privacy rulemaking. She joined Commissioner Slaughter in questioning the dominant “notice and consent” model of privacy governance and indicated that the FTC might consider “substantive limits rather than just procedural protections” and focus on “whether certain types of data collection and processing should be permitted in the first place.”

On May 16, the Senate confirmed the newest FTC Commissioner, Alvaro Bedoya, who would almost certainly give Chair Khan the three votes needed to initiate a privacy rulemaking. Commissioner Bedoya is a strong privacy advocate. He was the founding director of the Georgetown Law Center on Privacy and Technology, which focused on digital privacy issues. He also dealt with privacy issues as chief counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. He will clearly play a strong part in implementing the FTC’s privacy agenda. “What Chairman Khan is to antitrust, Alvaro Bedoya is to privacy, data protection, and civil rights,” said John Davisson, senior counsel at the nonprofit Electronic Privacy Information Center.

What about preemption and private rights of action?

The detailed outcome of an FTC privacy rulemaking is hard to discern at this point. It would almost certainly go beyond notice and consent. Depending on the agency’s assessment of its rulemaking authority, it might very well mimic the regulatory requirements contained in the breakthrough draft Congressional privacy proposal, including measures on transparency; user rights to data access, correction, deletion, and portability; a ban on algorithmic discrimination; disparate impact assessments for algorithmic applications; an opt-out of targeted ads; a ban on targeted ads to users under 17; and mandates for privacy impact assessments.

One of the primary reasons for a national data standard has been the quasi-settling of state preemption and private right of action. The real breakthrough in the draft Congressional proposal was compromise on these contentious issues. It proposed to pre-empt a specific list of state privacy laws, while leaving general consumer protection law and state privacy torts untouched. It also proposed a 4-year delay on private rights of action and then a limitation on remedies to injunctions and recovery of court costs and compensatory damages, without the possibility of punitive damages.

This compromise would be lost under FTC regulation. FTC privacy rules promulgated under Section 18 would not preempt state law. The FTC rules would be in addition to current state privacy laws and would not prevent states from amending their current privacy laws or passing new ones. While FTC privacy rules would not create a new cause of action, they would not prevent plaintiffs from suing under existing state or federal law. Plaintiffs might argue, moreover, that violation of the new FTC privacy rules would count as evidence that consumers had suffered a cognizable injury under a cause of action authorized by current law.

The need for a coherent national privacy policy and some constraints on private rights of action argue for Congressional action. This is one reason that a legislative approach, if it were a realistic possibility, would be the preferred way forward. But in the absence of a realistic possibility of legislative movement, FTC privacy regulation, even with its inability to preempt state law and limit private rights of action, is the best practical path.

Would Congress overturn an FTC privacy rule?

Independent regulatory agencies are creatures of Congress, properly autonomous with respect to the incumbent Administration but responsible to their Congressional authorizing and appropriating committees and ultimately accountable to the will of Congress through the Congressional Review Act. Under this Act, passed by a Republican-controlled Congress in 1996, it is relatively easy for Congress to discipline an out-of-control regulatory agency. A motion of Congressional disapproval under the CRA is privileged—it cannot be filibustered in the Senate and requires only a majority vote to pass.

If the FTC established its own privacy regulations, would an affronted Congress rein in what it perceives to be a rogue agency? It has happened to the FTC before. In response to the attempt by the FTC under Michael Pertschuk in the 1970s to promulgate children’s advertising rules that even the Washington Post described as the actions of a “national nanny”, Congress stripped the agency of rulemaking power in connection with unfair acts and practices. It regained this authority only through a legislative compromise in 1994 that defined consumer unfairness more narrowly in cost-benefit terms.

More recently, Congress used the Congressional Review Act in 2017 to repeal the 2016 broadband privacy rules established by the Federal Communications Commission under former Chairman Tom Wheeler, an action that also stripped the agency of power to establish substantially similar rules without approval from Congress.

These precedents suggest that the FTC would be well advised to act with some prudence as it goes forward with a privacy rulemaking. The key requirement of prudence is to consult regularly with Congressional privacy leaders in establishing final privacy rules. Privacy allies in the Senate might not have 60 votes to pass a national privacy law. But they probably would have the 51 votes needed to defend an FTC privacy regulation from a motion of Congressional disapproval in a Republican-controlled Senate.

To establish a lasting privacy regime, the FTC would have to ensure that its Congressional privacy allies are invested in its privacy regulation. Losing these privacy allies by promulgating rules far beyond the Congressional privacy consensus would greatly increase the danger of Congressional reversal.

It is time to act

An FTC privacy rulemaking is a risky, second-best way to establish federal privacy policy. Congress might overturn whatever the agency seeks to establish, and if it does the agency will lose its privacy rulemaking authority until it is affirmatively restored by Congress. Moreover, I have not even touched on the chances that a court would block some or all of an FTC privacy rule on the grounds that it exceeded agency authority to control unfair or deceptive acts or practices. Court reversal of an overly ambitious FTC privacy rule, or even a balanced one, might be even more likely in light of the Supreme Court’s decision to restrict the authority of the Environmental Protection Agency to regulate greenhouse gases.

There is no doubt that privacy legislation would be the better path if it were realistic. It would provide clear legislative authority and direction to the agency and could touch on issues such as pre-emption and private right of action that are beyond the agency’s reach. But an unachievable better path is the enemy of a good one. Congress is unlikely to enact a new privacy law, even with the progress made in the recent compromise.

The agency should not wait to see what Congress does. Even with the streamlined Section 18 procedures, it will be difficult for the agency to complete a substantively and procedurally defensible privacy rulemaking before the end of this Administration. Moreover, the reality of an FTC privacy rulemaking might encourage some legislators to accept a legislative compromise rather than leave the policy decisions to the agency, making a new national privacy law more likely. If Congress does act, the agency can always suspend the process it has initiated under existing law and open fresh rulemakings to implement the new law.

Given the realities of the current situation, FTC rulemaking is the best practical way forward for federal privacy policy. The agency should seize the moment and act now.