The GAO recently concluded a comprehensive analysis of the U.S. federal regulatory landscape with respect to internet privacy, specifically focusing on FTC and FCC enforcement actions and authorities. GAO interviewed representatives from industry, consumer advocacy groups, academia, FTC and FCC staff, former FTC and FCC commissioners, and officials from other agencies. (See page 40 of the GAO report for a complete list of those interviewed.) GAO recommends that Congress consider developing comprehensive legislation on internet privacy that would enhance existing consumer protections and provide flexibility to address a rapidly evolving privacy environment.
The report focuses on internet data privacy rather than data security. It examines how internet content providers (called “edge providers”) and internet service providers collect, use, and share information gathered from their customers to enable their services and support advertising, and for other purposes. The report notes the widespread use of the internet and highlighted two recent nationwide surveys. The first, conducted by the U.S. Census Bureau for NITA in 2017, found that 78 percent of Americans age three and older use the internet, and a 2018 Pew Research Center nationwide survey found that 69 percent of American adults use some kind of social media.
Not surprisingly, stakeholders’ views varied on the benefits and concerns with collecting and using consumer data from the internet. The key benefits of information collection were identified as:
- Enabling certain services. Content providers sometimes must collect information to provide a service, for example, a mapping service that needs a current location to provide directions.
- Providing low-cost or free services. Search terms, for example, can provide consumers with advertising for products and services associated with the search term; this service is free to the advertiser.
- Supporting innovation and customization. Data collected about individuals and their interests may allow for targeted advertising about items of interest to the consumer.
Despite these benefits, the nationwide surveys have shown that there are concerns about the collection and use of customer information on the internet. Stakeholders elaborated on some of these concerns:
- Public disclosure and data breaches create fear about identity theft.
- Financial and other harms can occur with the misuse of personal information, including identity theft and credit card fraud.
- Consumer’s lack a clear understanding of what data is collected and how it is used.
- Consumer lack control over how their data is used.
The report also describes the different regulatory approaches for the FTC and the FCC, noting that these are the result of the differing statutory authority. Specifically, the FTC does not have viable notice and comment rulemaking authority, which means that the privacy rules issued by the FTC, such as the Children’s Online Privacy Protection Act, are the result of specific statutory directives. Notably, the FTC has used its existing Section 5 authority, which prohibits unfair or deceptive practices, to bring more than 100 privacy and data security actions. The report notes that the FTC’s statutory authority does not include the ability to seek civil penalties for violations of Section 5. In contrast, the FCC has brought some law enforcement actions, but also has operated by promulgating rules through rulemakings.
The report next addressed the effectiveness of current internet privacy oversight. Some industry stakeholders felt that enforcement is preferable to promulgating and enforcing regulations because of the belief that regulations can stifle innovation, create loopholes, and become obsolete. Other industry stakeholders were of the opinion that the FTC’s enforcement approach fails to provide clear guidance.
A majority of non-industry stakeholders identified limitations in the current internet privacy oversight approach because they viewed regulations issued in conjunction with enforcement as being more effective. According to these stakeholders regulations can provide clarity, may promote fairness and flexibility, and can be used a deterrent.
Various stakeholders who believe that the FTC’s current authority is limited identified three main actions that could better protect internet privacy:
- An overarching federal privacy statute to establish general requirements governing internet privacy of all sectors;
- Notice and comment rulemaking authority; and
- Creation of civil penalty authority.
As a result, the GAO concludes that recent developments regarding internet privacy suggest that now is an appropriate time for Congress to consider comprehensive internet privacy legislation. Specifically, GAO recommends that Congress consider:
- Which agency or agencies should oversee internet privacy
- What authority an agency or agencies should have to oversee internet privacy, such as notice-and-comment rulemaking authority and civil penalty authority
- How to balance consumers’ need for internet privacy with industry’s ability to provide services and innovate.
There are a number of federal bills pending or likely to be introduced this year in addition to bills proposed by industry groups, and both Houses of Congress will hold multiple hearings in the coming weeks to discuss the development of a comprehensive federal data privacy law.