Against a backdrop of high-profile data breaches and abuses, the Federal Trade Commission (FTC) has taken center stage. On October 28, FTC Commissioners Rebecca Kelly Slaughter and Christine Wilson joined Brookings Distinguished Fellow Cameron Kerry for a fireside chat to discuss the agency’s mandate to protect consumer privacy in an increasingly data-driven world—and how federal privacy legislation could help the agency carry out its mission.
Over the past few months, the FTC has announced several settlements in major cases. These include a $575 million settlement with Equifax following a wide-reaching data breach, a $170 million settlement with YouTube due to allegations of COPPA violations, and a $5 billion settlement with Facebook—the largest privacy fine recorded to date—stemming from alleged deceptive data sharing practices with third-party services, including Cambridge Analytica. In addition, the FTC has hosted a series of 12 hearings on privacy and competition in the digital economy. To supporters of these settlements, these record-breaking fines and new oversight requirements bring immediate corporate change and consumer remedies. To critics, however, the settlements do not sufficiently deter future violations and instead reflect the FTC’s constant internal trade-off to settle privacy cases, rather than litigate or push for tougher penalties, in the face of limited agency resources and capacity.
Expanding the discourse of data privacy
The Federal Trade Commission currently addresses consumer privacy under its authority in Section Five of the FTC Act to regulate “unfair or deceptive acts or practices.” It has promoted corporate transparency and consumer choice in data privacy, which has led companies to present consumers with privacy notices that outline data collection policies and require consumers to click “I consent” in order to use a service.
Slaughter and Wilson agreed this system of “notice-and-choice” is inherently flawed—because consumers must consent to data collection in order to use common online services, notice-and-choice does not necessarily equate to meaningful transparency or choice. They both asserted that businesses require clear limitations beyond notice-and-choice, while Wilson additionally suggested that more meaningful transparency could help consumers make informed decisions about which online services to choose.
Expanding the conversation, Slaughter advocated for a more holistic look beyond data privacy to encompass data abuses. She explained that privacy, by definition, refers to the “sharing of information that people would rather not have shared” but added that “there are real harms that flow from that.” To address data abuses, Wilson and Slaughter both agreed that Congress has an opportunity to provide businesses with practical guiderails not only regarding acceptable data collection, but also data use.
When it comes to real-life, quantifiable harms that data abuses might affect, the commissioners illustrated many possibilities: physical injury, voter misinformation, terrorism, financial loss, algorithmic bias, reputational damages, and more. However, Slaughter also cautioned that the government cannot reasonably anticipate all harms, and that the FTC should be given the flexibility to address any emerging impacts. Furthermore, she pointed out that the agency cannot feasibly identify all harms during enforcement actions, because some harms like identity theft can take years to detect following a privacy breach. Lastly, she raised a concern that data abuses and notice-and-consent are especially challenging because their impact can fall disproportionately on vulnerable populations, citing a HUD case against Facebook’s recent practice of allowing housing advertisers to exclude online users by protected class.
In addition, the two commissioners discussed a new framing of consumer protection enforcement: limiting data collection and usage to align with consumers’ reasonable expectations. Advocating for a standard for reasonable expectations, Slaughter explained that scaling down reliance on notice-and-choice and limiting corporate data collection to what is necessary would shift the responsibility of protecting privacy from consumers to corporations. For example, online users might expect their location to be tracked while using a mapping application but not a flashlight application. When deciding what data collection might be permissible, Slaughter asked the following question: “Are [businesses] using the data for the service, or going beyond what [they are] providing to use the data for other information?”
However, the concept of what is “reasonable” introduces questions of its own. Alluding to the Fourth Amendment’s protections against “unreasonable searches and seizures,” Wilson expressed concern that the definition of “reasonable” could evolve with society. She explained that if society’s expectations of privacy diminish as the world becomes more digitized, a “reasonable expectations” standard might expand the scope of permissible data collection.
Finally, on the heels of a Senate Banking Committee hearing focused on data ownership, both Slaughter and Wilson voiced concerns over the issue. First, Slaughter discussed how a property-based system—where consumers could theoretically choose to sell or trade their own data—might aggravate the pitfalls of notice-and-consent and facilitate harmful data abuse. Second, she said that requiring organizations to pay for data could naturally advantage more capital-rich incumbents and potentially escalate concerns about fair competition. Additionally, Wilson said the complexity of tracking data ownership rights and the associated compliance costs could present high barriers for organizations, without a definitive benefit to consumers.
The FTC’s role in federal privacy legislation
Despite enforcement constraints (i.e. limited funding and restricted authority under the “unfair and deceptive” statute), Slaughter and Wilson defended the FTC as the most appropriate agency to regulate data privacy. They stressed that the agency’s institutional knowledge and dual mandate to protect consumers and uphold competition uniquely positions it to evaluate complex privacy cases in the context of data consolidation. However, both emphasized the FTC’s need for additional resources and legal authority, including the power to issue penalties for initial privacy offenses (and not just for violations of previous consent orders, as with Facebook and Google/YouTube), as well as privacy jurisdiction over non-profits and common carriers.
While both Wilson and Slaughter advocated for federal privacy legislation, the two found themselves on opposing sides of three legislative issues. Wilson stressed the importance that legislation include federal preemption to ensure consistency for corporations, to which Slaughter raised concerns. Meanwhile, Slaughter encouraged Congress to delegate broader rulemaking authority to the FTC and implement a private right of action, both of which Wilson cautioned against.
Despite these divergences, Slaughter ended the fireside chat with a message of bipartisan compromise, with which Wilson concurred. A “perfect” bill is rarely on the table; she explained that more often than not, stakeholders must choose between the status quo and what is possible. When the status quo is a system where consumers “often have to say yes to access a service that’s necessary for participation in society,” stakeholders will work together to break it.