Federal Trade Commission Should Make Privacy Rules Against ISP Data Collection, Experts Say

To protect consumers in the digital revolution, experts say serious federal action on privacy can lead the way.

Federal Trade Commission Should Make Privacy Rules Against ISP Data Collection, Experts Say
Photo of Alan Butler, executive director of the Electronic Privacy Information Center
WASHINGTON,

November

30

, 2021 – Privacy experts are calling on the Federal Trade Commission to start the process of empowering itself to penalize internet service providers that collect unnecessary data from their customers to push targeted advertisements.

While discussions on privacy matters have overwhelmingly been focused on big technology companies and how they use customer data, experts at a Federal Communications Bar Association privacy symposium on November 16 said ISPs should be in the crosshairs of federal regulators.

Specifically, according to

Alan Butler

, president of the Electronic Privacy Information Center, unnecessary ISP data collection “demands action” from the FTC.

“The current status is that internet service providers are within the jurisdiction of the FTC and the FTC should act” and not wait for other federal actors to initiate ISP consumer privacy rules, said Butler. In 2017, Congress voted to disallow the Federal Communications Commission, which regulates the telecom space, from making regulations on protecting ISP consumer privacy, leaving the door open for the FTC to regulate providers’ privacy practices.

But there’s a wrinkle. While the agency can investigate and penalize business practices that are “unfair” and “deceptive,” according to the Federal Trade Commission Act, the FTC cannot issue its own federal privacy rules under its current consumer protection authority. To do that, the FTC would need to initiate a policy-making process by which the agency develops and issues regulations, which can then become federal policy.

Some experts think the FTC would be the best entity for developing such rules and should start the process, while others think the FTC’s regulatory process wasn’t made to give the agency its own privacy authority.

A separate federal agency for privacy regulation

As the FTC could receive funding to establish a privacy bureau under the House of Representatives’ reconciliation bill, Butler left open the question of whether the FTC should proceed by issuing broad privacy regulations or whether it should be should be “parsed out” into specific issues.

“The FTC has to adopt rules that establish fair data practices and seek to protect secondary data uses and sensitive data,” such as customers’ biometric and demographic data, he said. Butler said FTC privacy regulations would be a “temporary solution,” but there must be a separate federal agency that regulates privacy in the United States. “Funding for an FTC privacy bureau in the reconciliation bill is an important step forward,” he said.

The law at play for an FTC privacy authority

The FTC’s ability to regulate privacy would be governed by the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act. The Magnuson-Moss Act is notorious for adding several steps beyond the normal federal policy-making process, including a requirement that the FTC must find the problematic conduct to be “prevalent” in the marketplace.

“Magnuson-Moss was designed to choke off the FTC’s ability to engage in rulemaking,” said Georgetown law professor David Vladeck. Issuing privacy rules from the FTC would hard, he says, because the FTC must clear substantial hurdles before it can enforce any privacy rules.  “There’s a clear implication that the FTC is not able to promulgate a rule unless it can prove to a court after the rulemaking is done that the intrusive conduct is ‘prevalent.’ Well, Congress doesn’t define ‘prevalent,’” he added.

Butler argued that finding prevalence of data abuse won’t be hard. “The FTC wouldn’t struggle to find issues that are endemic to the industry,” he said. “The [agency] is capable of finding that its widespread use of location data unrelated to the use of the service as prevalent in the marketplace, and online behavioral tracking.” Thus, Butler argues, the FTC would be able to prove that data abuse substantially harms consumers and correctly uses its [proposed] authority to enforce privacy rules against technology companies.

Earlier this year, FTC chair Lina Kahn approved revisions to its Magnuson-Moss procedures, making it easier for the FTC to conduct its process for developing and issuing privacy rules. The rules grant the chair the authority to serve as the Chief Presiding Officer of the rulemaking hearing process, grants the commission the authority to control the conduct of the informal hearings, and eliminates a rule requiring the commission staff to publish a report analyzing the final rule before it is established as official agency policy.

Kahn said the changes to the rulemaking process will remove “extraneous and onerous procedures” that only delay the issuance of FTC rules.

FTC process could “surface” issues

Despite the difficulty of issuing privacy regulations, Vladeck said there may be value in initiating the process anyway, including “to surface the issues” of privacy and data collection by ISPs.

Vladeck highlighted “illegal dark patterns” as an example of a narrow issue the FTC can go after. The FTC characterizes “dark patterns” as methods companies use to keep consumers trapped in subscription services.

“The FTC is the only policeman on this beat,” Vladeck said, adding it could act as an effective enforcement regime against data abuses that affect consumers.