FTC Hearings #12: The FTC’s Approach to Consumer Privacy Day 2

The FTC held its 12th Hearing on Competition and Consumer Protection on April 9 and 10, 2019. The overall theme of the two-day hearing centered on the FTC’s approach to consumer privacy. This is the 12th part of a series covering the FTC Hearings, the first day of this hearing can be found here and the collection of posts on the series can be found here.

Panel 1 – Role of Notice and Choice

The second day began with a basic yet highly important question from the moderators. When we refer to notice and choice in the privacy context, what do we mean? The first to speak was Jordan Crenshaw, Assistant Policy Counsel of the Chamber Technology Engagement Center (C_TEC) at the US Chamber of Commerce. Crenshaw’s opinion was that we mean certainty, in that consumers and businesses have certainty about how data is collected, shared, and used. Pam Dixon, Founder and Executive Director of the World Economic Forum, stated that notice and choice has a lot of different meanings depending on who you ask and the jurisdiction. In the US, notice is something that’s meaningful and robust. In regards to choice, Dixon doesn’t view it as individual control as that’s a paradigm that no longer fits the reality on the ground. The current system tends to push decisions towards the end of the privacy process and not towards the beginning and Dixon argued that’s a problem.

Katherine Tassi, Deputy General Counsel, Privacy and Product at Snap Inc., stated notice and choice don’t always go together, you can have one without the other. Tassi believes the notion of choice  is important as a flexible principle and every choice has an impact. Florencia Marotta-Wurgler, Professor of Law at New York University, discussed the added complexity of having notice and choice running through several layers and parties. Wurgler focused her thoughts on the feasibility and requirement of flexibility. Rachel Welch, Senior Vice President of Policy and External Affairs at Charter Communications, gave her company’s perspective that notice, consent, and choice are integral parts of the process. Consumers need to have this information as it helps develop confidence and trust between consumers and firms. Welch recognized the growing consensus that there’s a need for a federal framework with strong guidelines to follow in terms of how they interact with their consumers.

Panelists agreed there is no silver bullet for providing privacy solutions, however they disagreed on the specific role notice and choice have to play. Neil Richards, Koch Distinguished Professor of Law at Washington University in St. Louis, made the point that informed consent just does not scale. Consumers can only make a certain number of rational conscious thoughtful choices in a given day and the sheer complexity of these agreements is far too much for the average consumer to comprehend. Tassi stated she thinks notice and choice operate effectively only in certain contexts. Welch and Dixon both argued there is a place for more active consumer decisions and that waiting until the end of the process and giving consumers a bunch of boxes to check off is not powerful.

When asked to give their final remarks, panelists gave a bevy of responses and agreed a balance must be struck between the regulation of data for privacy and the benefits its uses provide. Crenshaw emphasized certainty and control for consumers, and having that cycle lead to trust for consumers and business. He also argued that there is a definite place for notice and trust, and for collaboration, and roles for meaningful federal legislation. Dixon asserted that there are tremendous benefits to data use that we need to preserve and brought up machine learning and knowledge creation as extremely valuable assets that must be fostered as well. Marotta-Wurgler spoke on how notice and choice is complex, and while it affords many benefits choice can be daunting and consumers are often not informed. She argued that there is a need and desire to have flexibility in any approach, that strict top-down regulation can create a lot of damage, and that focusing on more notice is barking up the wrong tree. Richards argued that notice and choice are not evil, they have virtues in appropriate contexts, but they are insufficient to protect the privacy of consumers. Tassi agreed that notice and choice can be effective in certain contexts but must be combined with other initiatives. Finally, Welch stated that we need a framework with key principles reinforcing consumer control and transparency.

Panel 2 – Role of Access, Deletion, and Correction

Moderators posed a broad deliberative question to kick off the second panel: What do you see as the goals for giving consumers access, rights to delete, correct, and port data, especially these days where there are complicated data systems involving artificial intelligence (AI) and big data? Chris Calabrese, Vice President of Policy for the Center for Democracy and Technology (CDT), stated that the tools of access, deletion, and correction empower consumers and by setting a strong standard for individual rights also positively impacts how consumers and businesses operate. Jennifer Barrett Glasgow,  Executive Vice President of Policy and Compliance at First Orion, echoed Calabrese’s statement. She characterized providing more intelligence as an improvement on transparency, not so much as the sole solution for transparency. Glasgow emphasized two words: context and reasonableness. Katie Race Brin, Chief Privacy Officer at 2U Inc., pointed out that besides the direct empowerment of consumers, having these rights in place also keeps these organizations honest. Gus Rossi, Global Policy Director at Public Knowledge, agreed with Brin that having these rights is also a way to bring some information symmetry to the market.

Panelists were then asked for the specific types of information they thought consumers should have access to and why. Jonathan D. Avila, Vice President and Chief Privacy Officer at Walmart, stated his belief that consumers should have access to certain types of data where the benefits of having access outweigh the costs. Rossi pointed out that it’s difficult to get into the nuances of these rights and attributes in the absence of a baseline privacy framework providing a reference. Rossi argued for starting by assuming that users should have access to everything and organizations that hold the data should justify why there are some pieces of information that should not or do not need to be shared with consumers. Ali Lange, Senior Public Policy Analyst at Google, agreed with Rossi for the most part that data should be made available unless it fits certain circumstances. Lange additionally encouraged not being too narrow in thinking about the reason for consumers’ requests of their data, consumers could just be curious or have their own intended uses. Glasgow simply stated the connotation of the use of the data is extremely important.

When asked what is needed by companies to provide these access, deletion, and correction services to consumers and whether some companies would be better able to do this because of their size, the panel generally agreed the issue is less driven by size and more by a company’s system. Panelists focused more on whether a company’s system is designed to handle such requests and pointed out that successful companies are able to offer such services as a business feature. One example was from Ali Lange and her discussion of Google’s data portability tool. Lange pointed out that people for the most part don’t use the tool to leave Google, they use it to enhance their control over their data and employ it for other uses.

Another important topic raised during the panel was the distinction and treatment of shared data and inference data. Brin attempted to distinguish between individual data and shared data and posed a further question: how do you balance the rights of two individuals whose data may overlap but who may have different data protection interests? Rossi underscored the importance of Brin’s question and argued it’s important that companies can balance rights of different consumers along with their own interests.

Panelists were also asked for final thoughts. Rossi stated that these rights serve to empower consumers, make the marketplace more stable, enable watchdogs to protect consumers, to challenge bad behaviors of organizations, and to question the hoarding of data. He argued that in the absence of a comprehensive privacy baseline and strong enforcement it’s unlikely these rights alone would have the effects we wish them to have. Lange agreed with Rossi and emphasized the importance of the tools created that allow consumers to take greater control of their data and that these tools yield information that can aid in improving products or services over time which benefits everyone. Glasgow returned to the concepts of context and reasonableness as overarching principles that must be applied to any regulation in this space. Calabrese stated his belief that we have an opportunity to empower consumers, to give them the information they want, to build new services, and to essentially create the framework we’re going to be using for the data economy over the next several decades. He argued that we should create a broad comprehensive right that serves consumers. Brin emphasized that these are important rights and tools for consumers for transparency and agreed with Glasgow on including reasonableness and context. Avila closed by recognizing that access, deletion, and correction are important rights recognized in the business community as essential to building customer trust.

In between the second and third panels, Federal Trade Commissioner Rebecca Kelly Slaughter gave a short speech. Commissioner Slaughter stated her belief that in order for a notice and consent regime to succeed both elements must be effective yet neither notice or consent today seem to be useful. Slaughter then pointed out one key problem is that it’s “easy to decry the limitations of a notice and consent framework and far harder to reach a conclusion about what should replace it.” She stated that there was no doubt that improved notice and consent over specific practices could and should be debated as part of a US privacy framework going forward but there are a number of paths to improve the current framework. Slaughter also emphasized solutions that don’t place all or even most of the burden on the consumer. She argued it is the job of the entity collecting, transferring, or using the data to accurately and fairly assess consumers’ expectations about how their data will be used and to meet those expectations and advocated for solutions that would deliver consumers meaningful choices.

Slaughter concluded stating that the “threats to privacy that consumers face in the marketplace are growing and grow ever more complicated… Our future as an effective enforcer in the area of data privacy hinges on the expansion of both our authority and our resources.”

Panel 3 – Accountability

The panel discussion on accountability began with a discussion on how accountability differs from other approaches to consumer privacy and what accountability really means to a layperson. Martin Abrams, Executive Director and Chief Strategist of the Information Accountability Foundation, answered with his belief that accountability is really about organizations being responsible about what they do with data and being answerable for being responsible. Abrams stated that part of accountability is the ex ante processes but it’s really about the requirements that organizations understand what they’re doing with data and the risks associated with it, and that they can mitigate those risks for all parties involved and have the ability to describe that.

Ari Ezra Waldman, Professor of Law at New York Law School, used his introductory time to outline how the market is incapable of adequately allowing consumers to hold companies accountable and gave three main reasons:

1. Information asymmetries
2. Psychological barriers to rational choice
3. The market design by the tech companies themselves

Waldman argued that a legislative approach must shift the burden of protecting privacy from the user to the company. Karen Zacharia, Chief Privacy Officer at Verizon, stated that we are at a crossroads in the US and have two choices: First, continue along the path today with some state laws governing data breach and privacy, some federal sector specific laws, some self regulatory regimes, and some accountability programs in companies; or second, develop a federal privacy law. Zacharia advocated for a comprehensive federal privacy law applying to all players in the ecosystem, much of the content of which should be intertwined with accountability principles. She stated this law should have one federal regulator enforcing it, the FTC, and needs to be flexible, capable of applying to the technologies of the future and taking into account new approaches to protect privacy.

Discussing how transparency leads to accountability, Corynne McSherry, Legal Director of the Electronic Frontier Foundation (EFF), made the point that at a minimum, transparency means having a window into the actual practices of a company but accountability requires more than that. McSherry stated her belief that accountability also needs transparency into the ecosystem within which that company functions and a window into the actual nature of the risk.

The panel came to some disagreement when asked whether companies’ privacy policies are worthless or not and why. Mark Hintze, Partner at Hintze Law PLLC, stated that the mere process of creating a privacy policy creates accountability; it forces companies to do data mapping, privacy reviews, and to understand what data they’re collecting, all of which can be incredibly useful. The fact that consumers rarely read these things is not necessarily a fatal flaw; there are others that read them that can serve as proxies for consumers. Avi Waldman disagreed with Hintze on the actual degree of effect such policies have. Karen Zacharia argued that both Waltman and Hintze are correct and while privacy policies are not worthless they require more work to improve their worth.

Panel 4 – Is the FTC’s Current Toolkit Adequate? Part 1

The panel discussion on the FTC’s current regulatory toolkit began with the difficult question of how to evaluate the success of the agency’s privacy enforcement activities. Marc Groman, Groman Consulting Group LLC, noted that the FTC understandably tries to quantify its success through annual reports listing the number of cases brought and dollar value of fines assessed. Groman argued that the real metric should be if, at an equivalent panel five years from now, the topics of conversation will have moved past the definition of PII, the innovation vs. privacy dichotomy, and calls for privacy protection based on expanding the notice and choice regime. Christine Bannan, Electronic Privacy Information Center, argued that enforcement of existing consent decrees should be a bigger factor in assessing the FTC’s privacy enforcement. Jane Horvath, Apple, suggested evaluating how successful the FTC’s workshops are in encouraging and enabling companies to build privacy into their business models. Horvath also recommended that the FTC could hold events away from the Washington “privacy complex” to engage more directly with more consumers.

Professor Peter Swire, Georgia Institute of Technology, took a historical view of the FTC, laying out recent developments that are undercutting the FTC’s early wins in privacy enforcement:

1. Deception authority under the FTC Act was initially an important tool for getting companies to post their data practices. However, as companies have grown more sophisticated and hired smarter lawyers, the effectiveness of using deception authority in policing privacy policies has diminished.
2. Hotly contested litigation in Wyndham and LabMD has ended the easy days of the FTC stretching the limits of its authority through the use of consent decrees.
3. The Spokeo decision’s recognition that Article III standing requires concrete injury-in-fact even for statutory violations is likely to impact the FTC’s enforcement authority.

Discussion turned to gaps in the FTC’s current enforcement model. Stuart Ingis, Venable, suggested that if given appropriate authority, the FTC could enumerate bad practices, including injuries beyond purely economic harms. Christine Bannan suggested the Commission could exert greater oversight over third-party assessors mandated by consent decrees and should focus more on the relationship between privacy and antitrust. Peter Swire suggested that the FTC will need to find an approach to address algorithmic harms such as price discrimination, and also revealed that the WC3’s ill-fated Do-Not-Track effort was hindered by FTC antitrust scrutiny.

The panel concluded with a discussion of new FTC enforcement tools that could accompany federal baseline privacy legislation. Peter Swire floated an idea he is workshopping with Pam Dixon for offering sectoral preemption as an incentive for companies to create industry codes through inclusive processes that would be subject to FTC approval. These codes would require periodic updates and reauthorization so as to be responsive to changes in technology. Jane Horvath presented Apple’s goals for federal privacy legislation, including promoting innovation on privacy protective technologies, data minimization, and specific regulations on data brokers. Jon Leibowitz, Davis Polk, thought that the FTC could take up data minimization if given appropriate delegation from Congress and should involve the creation of safe harbors. Groman emphasized that new legislation should cover both inferred and observed data about individuals. Finally, Professor Swire cautioned that it will be important to build a significant public record through the legislative process in order to defend a future federal privacy law in the courts.

Panel 5 – Is the FTC’s Current Toolkit Adequate? Part 2

The second panel on the FTC’s current toolkit began with a discussion of whether the agency could do more with its existing authority. Professor David Vladeck, Georgetown University Law Center, argued for an originalist reading to bring greater power to the agency’s unfairness authority, pointing to the 1972 Pfizer case. Justin Brookman, Consumer Reports, pointed to legal uncertainty over the collection of sensitive information resulting from the Vizio settlement and argued that the digital economy would benefit from the certainty of a detailed law. Berin Szóka, President of TechFreedom, cautioned that even if one does not believe the FTC’s authority over deceptive and unfair practices goes far enough, the appropriate path forward is to evolve through these legal concepts.

Next, former Commissioner Julie Brill, now at Microsoft, offered a bleak perspective on the declining influence of the FTC in corporate privacy decision-making. She argued that nowhere else in the world are stakeholders having the “unfair and deceptive” conversation over privacy and that post-GDPR, FTC privacy enforcement is hardly a topic at all in corporate boardrooms. Brill acknowledged that companies do care about FTC enforcement when the agency comes knocking, but that its standards are so vague that they cannot be operationalized in everyday planning.

On the topic of FTC resources, Justin Brookman offered the widely held view that the agency obviously needs more staff, more attorneys, more technologists, and rulemaking authority. Julie Brill considered FTC staffing in a global context: referencing a recent letter from FTC Chairman Simons revealing that the agency currently has only 40 full-time employees working on privacy and security, the equivalent of 1 employee for every 8.2 million people. For perspective, Ireland’s privacy authority has 180 equivalent employees, 1 for every 23,000 people. David Hoffman, Intel, stressed that additional FTC resources should not focus just on enforcement but also be used for the agency’s important role in privacy education.

Panelists also discussed the emergence of a “patchwork” of state privacy laws that would ramp up compliance burdens. Brill took the position that if Congress does not act, the states should pass their own legislation as a way to bring the United States back to relevance in the privacy conversation. Vladeck expressed doubts that a 50-state patchwork would ever develop because at some point the Dormant Commerce Clause of the Constitution would kick in through court challenges. Szóka thought that was an optimistic viewpoint, and argued that the concept of a patchwork is an inappropriate metaphor because in a borderless internet economy, every law would be regulating everybody.

Panelists next took up the goals of privacy protection. Moderators from the FTC stated, and the panelists agreed, that throughout the hearings a consensus had emerged around goals of enacting privacy legislation that will:

1. Prevent harm  
2. Increase transparency and consumer control
3. Meet consumer expectations and avoid surprises
4. Promote technology innovation

Julie Brill stressed that an additional goal of privacy legislation should be accountability, arguing that the use of risk assessments (in addition to data subject rights) provides for good data hygiene and minimization by default. Justin Brookman expressed doubts about the effectiveness of risk assessments, to which Brill responded that they would have to be underpinned by unfairness/deceptive authority, or something like the duty of loyalty proposed in Senator Schatz’s Data Care Act.
In closing, panelists had an opportunity to share what they would import from the GDPR to US privacy protection and what they would avoid. Vladeck supported the GDPR’s recognition of privacy as a right and called for a specific focus on data brokers. Hoffman said legislation should apply to all data, and not exempt public records because that information can result in harm when used by data brokers. Lydia Parnes, Wilson Sonsini, stressed that any law should be clear about what data is covered and should follow a consumer rights model. Berin Szóka contended that as there will always be vagueness in privacy standards, regulated entities need notice that is proportionate to their potential penalties. Finally, Julie Brill explained that any privacy approach should take a long-term perspective towards rebuilding consumer trust.