Rulemaking and its discontents: Moving from principle to practice in federal privacy legislation

We are gratified to see intensified commitment to enacting privacy legislation at the federal and state levels. Of course, the most important questions surrounding privacy legislation involve the substantive rights actually granted to individuals. In addition, there are a number of procedural questions that will be critical to both the policy success and political viability of any piece of legislation put forward, including federal preemption, private rights of action, and the scope of rulemaking authority. When the two of us were framing the 2012 White House Consumer Privacy Bill of Rights, rulemaking authority for the Federal Trade Commission was not part of the proposal. In part, this was a function of the politically possible. The legacy of “kidvid”—1970s regulations limiting children’s TV advertising that led Congress to clip the agency’s rulemaking power—still casts a shadow decades later and even companies and conservative lawmakers that might have supported the bill of rights would have opposed it if it included rulemaking.

Leaving out rulemaking from the privacy bill of rights was also a substantive choice. The proposal aimed to provide meaningful privacy protection by articulating clear rights for individuals and obligations for businesses. At the same time, it sought to allow flexibility and innovation by articulating broad principles instead of technically prescriptive rules. The bill of rights also reflected our view that traditional notice-and-comment rulemaking is a cumbersome tool for an issue that shifts rapidly with changes in technology, uses of data, and the innumerable variations in the context in which that data is shared.

In place of rulemaking, the 2012 White House report proposed codes of conduct developed by companies, civil society, experts, and other stakeholders as means to articulate the specific implementation of the substantive rights guaranteed in the bill. These codes would be legally enforceable by the FTC. This model, the white paper affirmed, “can provide flexibility, speed, and decentralization” and “can produce solutions in a more timely fashion than regulatory processes ….” The administration’s 2015 draft legislative proposal to codify the bill of rights included rulemaking only for FTC procedures for review and approval of codes of conduct.

Now times are different. Privacy and security challenges have multiplied as the universe of personal data expands, and the politics of privacy have changed dramatically. Since the Consumer Privacy Bill of Rights was developed, the Cambridge Analytica affair showed the real harm that misuse of personal information can cause. Massive data breaches and cyberattacks have also proliferated. Privacy has become a mainstream issue, and the level of urgency about privacy has risen sharply. While there remains much to debate about the shape of federal privacy legislation, most agree a baseline federal law is needed.

In the meantime, some question whether the FTC, the lead privacy protector for consumers, can adequately protect the country’s users of digital services with case-by-case enforcement and provide clear guidance to stakeholders with differing interests. The 11^th Circuit’s LabMD decision raises some doubts whether broad FTC powers are vulnerable to judicial review. As Congress takes up privacy legislation in a serious way, an appetite for rulemaking has emerged even among business groups and others who normally opt to oppose agency regulation.

The Role of Rulemaking Authority in Privacy Legislation

We recognize the useful role that rulemaking authority plays in enabling many expert agencies to guide enforcement and compliance efforts with nuanced, up-to-date, and technically-informed rules. With the experience of transposing the Consumer Privacy Bill of Rights into a draft law and attention to some of the more recent legislative drafting efforts, we see an important role for rulemaking in a federal privacy law. At the same time, some of the caution about overreliance on rulemaking authority we had in 2012 still applies today. We offer these principles on how to approach the delegation of legislative authority through rulemaking in privacy law.

A preference for rule development through case-by-case enforcement:

As a threshold matter, we believe that the substantive individual rights at the core of privacy law should be expressed directly in statute, not left to a subsequent rulemaking process. Individual rights should also be applied primarily through case-by-case enforcement by the FTC and state attorneys general. There will be hard policy and political questions in the definition of statutory rights and obligations, but we think this task should be done by legislators directly. While it is clear the FTC needs more enforcement authority to be effective in privacy protection, there is much to appreciate in the FTC’s case-by-case enforcement approach on privacy and cybersecurity, a body of consent orders and occasional litigation that Professors Solove and Hartzog have described as a “common law of privacy.” This iterative approach is consistent with the development of much U.S. law as well as with technology that evolves from version to version.

Moreover, there is a tension between flexibility and certainty for those who need to implement or enforce the provisions of a privacy law. Our preference for adjudication over rulemaking reflected a conscious choice to err on the side of flexibility over time for two closely-related reasons. The first is because, on a subject that varies as much with context as privacy does, overly detailed rules can easily be both over-inclusive and under-inclusive. And the second is that over-inclusive rules can deter beneficial innovation.

Similarly, neither a more detailed law nor detailed rules promulgated through an agency rulemaking process necessarily leads to better privacy outcomes. Prescriptive provisions may operate as a compliance checklist that avoids more fundamental questions about why data is being collected, what privacy risks are presented by the data use, and how to manage these risks.

Areas where rulemaking can be useful:

Although implementation of a baseline privacy statute should not depend on rulemaking, there are specific, more technical areas where rulemaking can help fill in details and keep up with changes in technology and the marketplace. We identify this illustrative – but necessarily exclusive—list of key areas where rulemaking can serve such functions:

• Define acceptably secure and privacy-protective procedures for individual access to personal information, including what can be required to authenticate identity and the time allowed for response;
• Establish the specific scope of data covered by rights to access, deletion, or download of individual information;
• Clarify technical issues associated with data portability;
• Implement transparent and accountable procedures by which the Commission can grant safe harbors associated with codes of conduct proposed by industries or individual companies such that the public and other stakeholders can comment on proposed codes of conduct (a concept we explain further below).
• Identify specific approved technical means for de-identifying data.

Some have proposed the rulemaking will be needed to define the scope of sensitive data, for example, to identify those classes of personal information that merit heightened consent procedures or other special protections. We do not take a position on this suggestion but note that it illustrates the challenges in deciding where to apply rulemaking procedures and where to rely on fixed statutory definitions and case-by-case enforcement. Those who favor rulemaking to define sensitive data may point out that changes in technology or social mores could influence the scope of what is sensitive, requiring ongoing application of agency expertise. But those favoring definition in statute may view the decision to offer extra protection to personal data related to health, political views, religious practices, etc., as substantive policy questions that should be answered by the legislature, not left to changing administrative decisions.

Risks of over-reliance on rulemaking:

We do see risks both to individual privacy and commercial interests from over-reliance on rulemaking authority, including delay, uncertainty, harmful partisan influence, and the likelihood that consumer voices lose out to business interests in the long run. First, agency rulemaking procedures, along with inevitable judicial challenges, can take years to complete. For one of us (Kerry), experience as a communications lawyer with broad telecommunications laws—the 1992 Cable Act and Telecommunications Act of 1996—that spawned massive and multiple rulemakings and litigation was aversion therapy for gigantic rulemakings. The FCC’s first report and order under the Telecommunications Act ran some 659 pages, with 48 pages of regulations appended, and then Chairman Reed Hundt’s acknowledgement to agency staff lists some 166 staff involved out of a total complement at the time of over 2,000. While statutes may include time limits to encourage timely rulemaking, these time limits are affected by judicial review.

Second, delay and political pressure can lead to uncertainty for all concerned. One only has to look at the history of net neutrality. Whatever one’s view of the merits, it is plain that since the FCC began active rulemaking on net neutrality in 2010, the rise and fall of two dramatically different sets of rules and ongoing judicial challenge has led to a long period of uncertainty (nearly a decade now) about just what the rules are. This uncertainty is unsatisfactory for the interests of both consumer and business. We should learn from this experience that whatever privacy law Congress may pass, the more it leaves to FTC rulemaking, the greater likelihood of delay and uncertainty about privacy protection.

Enforcement is less partisan than rulemaking:

Deeply-rooted and longstanding governance norms have politically insulated enforcement decisions of independent agencies to a much greater extent than rulemaking activities of the same agencies. As a general matter, political officials in the White House, up to and including presidents, generally accept that they should not instruct independent agencies such as the FTC on enforcement priorities or strategies. Even in our hyper-partisan times, such norms generally hold. By the same token, each administration makes very clear and often very political decisions about writing and rewriting agency regulations. Even independent agency rules and proposed rules are reviewed by cabinet agencies and the White House in well-accepted processes coordinated by the Office of Management and Budget. Different administrations appoint FTC commissioners with different views on enforcement, but once they are in place, their enforcement decisions are insulated from political pressure.

Consumer voices may lose out relative to industry in rulemaking disputes:

While many consumer and privacy advocates have issued strong demands for rulemaking as an essential component of federal privacy law, the mechanism may be to their disadvantage. In substantive disputes between consumer and industry voices, industry will have greater litigation resources and political clout that may win out, or at least extensively delay disputed rules. Hence, we would rather see a transparent and accountable legislative process in Congress to take the hard policy decisions that shape the substance of privacy rights.

Codes of Conduct as a Partial Alternative to Traditional Rulemaking

These misgivings about rulemaking raise the question of whether there are more adaptive and iterative ways to fill in the meaning of privacy legislation than rulemaking, and to provide more certain guidance than case-by-case adjudication. The FTC can investigate individual companies, and these cases are instructive. But its case-by-case approach has scaling challenges; the bandwidth of its enforcement staff to address the expanding range of privacy and data security issues is limited. The same applies to a significant extent to rulemaking, which demands a range of agency resources.

In developing the Consumer Privacy Bill of Rights we appreciated the nimbleness of this informal approach and the FTC’s ability to address unique circumstances of a particular sector compared to writing rules generally applicable to all companies covered by the FTC Act. The FTC has long produced policy reports and nudged action from various industry groups without enforcement or rulemaking.  At the same time, we were concerned that the resulting measures were developed in opaque negotiations with limited public input. Hence, the Consumer Privacy Bill of Rights included an open process by which stakeholders, whether industry associations or advocacy groups, could propose codes of conduct as adequate compliance with its substantive provisions. The 2015 draft legislation sought to codify this proposal by providing for FTC approval of codes of conduct, with the carrot of enforcement “safe harbors” whereby compliance with the approved codes would be deemed compliance with the law. The bill also made the inclusivity of the process that produces codes of conduct a factor in the timetables for review, giving preference to those that are open and inclusive (but leaving a door open to approve codes developed without public participation).

This method of policy development lost some favor because processes that the Commerce Department convened following the 2012 privacy report had mixed outcomes. The first such process addressed transparency standards for mobile apps, an emerging technology where smartphone screen size limited traditional disclosure. This one reached a result supported by many of the participants, but not full consensus. The second process, on facial recognition, fell apart before it could arrive at any kind of agreement.

These outcomes left privacy and consumer advocates unhappy, feeling they had invested significant resources in efforts in which they were greatly outnumbered by business interests that had no incentive to reach agreement other than goodwill.

On the other hand, one other process of Commerce Department’s multistakeholder policy development was successful: the 2016 development of privacy standards and practices for drone operators. The Federal Aviation Administration, under fire for not using its authority over drones to address privacy concerns, turned to Commerce for its expertise on privacy and standards development. The prospect that the FAA could step in with regulations if a voluntary consensual approach did not succeed gave stakeholders a real incentive to negotiate, and this process successfully achieved a consensus on a set of “voluntary best practices.”

In describing the process as “successful,” we are referring to the fact that it actually reached an outcome (unlike the facial recognition process), rather than the substance of the compromise reached. Some commenters correctly point out that some civil society organizations did not participate in discussions of the drone best practices and even some of those that supported the outcome as a sensible compromise made clear they preferred to go further.

Margot Kaminski’s law review article rightly concludes that “the current backdrop of FTC enforcement is not enough to get industry to the table” and even operates as a disincentive to adopt voluntary rules that will become enforceable under the FTC’s deception authority. Among steps to change the incentives, she first suggests “enactment of something like the Consumer Privacy Bill of Rights Act … backed by FTC enforcement.” By providing for FTC approval of codes of conduct, that draft legislation would provide a check both on the inclusivity of the process and the outcome.

This does not mean that such forms of coregulation should be the only way to fill in the meaning of a baseline privacy statute. Privacy scholar William McGeveran is right that such multiparty arrangements are unlikely to succeed where there is a wide disparity of positions to reconcile (a problem with the facial recognition process).  Voluntary consensus mechanisms are one tool in a toolbox that, as we discuss above, should be included alongside individual case-by-case enforcement and targeted rulemaking. As such, they can be helpful in providing clarity and flexibility on particular issues that legislation cannot anticipate specifically enough.

This experience suggests that such coregulatory processes can work if there are real stakes to provide incentives and level the playing field among the interests in the room. In this light, we think some of code of conduct or voluntary standards development process linked to FTC approval is worthy of consideration in the current privacy debate.

Conditional rulemaking authority could strengthen co-regulatory standards. This would be a mirror image of “regulatory forbearance,” by which the FCC has exempted competitive carriers from rate regulation and other requirements applied to incumbent carriers. This authority was codified in Section 10 of the 1996 Telecommunications Act, which directs the FCC to forbear from regulation under the Act if it determines such regulation is not necessary to prevent unjust or discriminatory rates or otherwise protect consumers. Such a determination requires consideration “whether forbearance from enforcing the provision or regulation will promote competitive market conditions.” A mirror provision empowering the FTC to initiate rulemaking where it finds market conditions are not adequately protecting consumers through voluntary standards and practices would provide a powerful incentive both for self-regulation and for consensual codes of conduct.

The current appetite for FTC rulemaking, even in quarters that would have opposed it adamantly in 2012, makes it likely that some form of rulemaking will be part of any comprehensive privacy legislation. Contrary to our approach in the Consumer Privacy Bill of Rights, we see a place for such authority to increase certainty for consumers, businesses, and enforcers. But we believe the concerns that motivated our approach then abide today. In this light, we suggest that the role of rulemaking be focused and concrete and that Congress include incentives for more iterative, adaptive, and nimble policymaking.

How necessarily broad principles in privacy legislation are interpreted and applied to a dynamic personal data environment will impact whether privacy rights are effectively realized and whether businesses have a clear path to complying with the law.

Update 6/10/2019: The section on Codes of Conduct was updated to address comments from Profs. Kaminski and McGeveran.