November 18th, 2022
Comments on FTC Data Privacy:
Commercial Surveillance ANPR, R111004
Federal Trade Commission
Office of the Secretary
600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B)
Washington, DC 20580
National Taxpayers Union (NTU), the nation’s oldest taxpayer advocacy organization, appreciates the opportunity to provide comments on the recent Advance Notice of Proposed Rulemaking (ANPR) on data privacy from the Federal Trade Commission (FTC). Data privacy is a timely and important topic because the use of data can promote consumer wellbeing, drive economic innovation, and build a richer and more diverse digital ecosystem. Conversely, headlines of commercial data breaches and ransomware attacks demonstrate the risks of consolidating data. Furthermore, consent for the collection and use of consumer data has been a longstanding debate in the information age.
The scope of this issue and the novelty of the regulatory issues at hand combine to make it clear that Congress must be the driving force in balancing these benefits and challenges because the FTC lacks the statutory authority to promulgate and enforce effective rulemaking.
Both everyday Americans and a substantial portion of the economy depend on the collection, use, and analysis of massive amounts of consumer-centric information. As mathematician Clive Humby once said, “data is the new oil.” From the cookies that determine ads on YouTube, to the tailored content shown to you on TikTok, and to the Uber user data that helps get you from point A to point B, data collection touches a huge portion of our daily lives. The internet economy is a massive direct and indirect driver of the American economy. In 2020, estimates for the overall internet economy were around $2 trillion and the B2B and B2C industries were estimated to drive $500 billion in value.1
Data not only drives prosperity for American companies, but innovation in data use results in tremendous benefits for the American consumer as well. Take, for example, the recent Spotify feature that analyzes a given playlist and automatically suggests similar songs based on its composition. Or how Netflix is famous for offering viewers a range of different titles organized by theme that they would probably enjoy based on their viewing history. Another example is how Google Flights quickly became the top flight booking engine based on its ease of use and ability to analyze price trends over time on certain trip destinations.2 These consumer-friendly innovations would be far less likely if the federal government takes a heavy-handed or excessive approach to regulating data privacy.
Heavy-handed and excessive are adjectives that can be certainly applied to the European Union’s (EU) 2018 General Data Privacy Regulation (GDPR). This landmark rule sent shockwaves throughout the business world and continues to hamper internet commerce in the EU today. From 2016 to 2019, one in every three apps on the Google Play store left the European market, and new entrants to the market were halved.3 Four years on, firms exposed to the law experienced an eight percent decrease in profits, with particular harm focused on smaller businesses.4 The least affected businesses were also the largest - Facebook, Amazon, Google, faced “no significant impact” from GDPR.5 Large companies with massive legal teams were able to spend the significant sums for compliance and work around the issues of onerous regulation. The creation of GDPR was a misguided attempt at harmonizing a patchwork quilt of national privacy laws that went too far and was not responsive to business concerns over its extensive overregulation. American lawmakers and regulators should heed the warnings of GDPR and implement a consistent and pragmatic approach in legislation and regulation. The FTC must avoid making the mistakes of their European counterparts and should yield the regulatory pen to legislation in the works by Congress.
The FTC’s powers of regulation have waxed and waned over the decades of its existence. The statutory authority to regulate “unfair” or “deceptive” business practices is an extremely broad mandate that often tempts the FTC to stretch its boundaries, sometimes to an egregious degree. In the past, Congress has recognized this temptation to push the limits of the law, and therefore has implemented legislation to curb the FTC’s Section 18 rulemaking authority. These limits, collectively known as Magnusson-Moss procedures, are an explicit expression of congressional intent on the FTC’s rulemaking on issues that are not specifically granted to it by law.6 These Section 18 Mag-Moss trade regulation rules usually take around six times as long to release as regular rules made under the Administrative Procedures Act.7 If Congress was ignoring a pressing issue such as data privacy, then the FTC might have the mandate to act with new regulation. However, the 117th Congress is currently considering multiple landmark bills that have a reasonable chance of becoming law, such as the American Data Privacy and Protection Act of 2022 (H.R. 8152)8, and the Consumer Online Privacy Act of 2021 (S. 3195).9 NTU contends that the FTC does not have the mandate or the regulatory authority to properly develop and issue an expansive rule that this ANPR suggests it is contemplating. The United States Supreme Court has weighed in on many similar administrative law issues in the past, and the jurisprudence of the “major questions doctrine” suggests that any expansive regulation from this FTC would be struck down accordingly.10 The major questions doctrine becomes applicable when the underlying claim of (1) authority concerns an issue of “vast ‘economic and political significance,’” and (2) Congress has not clearly empowered the agency with authority over the issue.11 Based on the previously discussed impact of data on the American economy, as well as the massive negative impact of the corollary GDPR on the EU, as well as a clear lack of explicit authorization, it seems clear that this regulation is doomed under judicial review.
Further analysis of the two portions of the major questions doctrine test reinforce NTU’s opinion that this upcoming rulemaking is likely unconstitutional. From the types of questions and the scope that these questions suggest, along with the statements made by FTC leadership on this matter, it is clear that this ANPR is a prelude to expansive and overreaching rulemaking on a broad segment of the American economy. 12As FTC Chairwoman Lina Khan stated earlier this year, “Focusing enforcement efforts towards targeting and rectifying root causes can avoid a whack-a-mole approach that imposes [a] significant enforcement burden with few long-term benefits.” And contrary to the public statements from the FTC on this ANPR, the actual questions reveal nongermane goals for the upcoming rule. If the FTC is seeking to narrowly regulate on key issues of data privacy and consumer consent as wrapped under the loaded term of “commercial surveillance,” why then are they including questions on algorithmic errors (Q. 53, 56) and automated decision-making systems (Q. 57, 60)? While the FTC seems as if it would seek to implement a GDPR 2.0 in America, its statutory authority remains shaky at best to step into this space. Congress specifically granted authority to regulate types of data privacy under the Children’s Online Privacy Act of 1998 and the Gramm-Leach-Bliley Act, aka the Financial Services Modernization Act of 1999. If Congress had intended for the FTC to write expansive data privacy rules, it would have granted specific authority to do so. Furthermore, even if it did have the authority to make a comprehensive rule on a novel regulatory space, the FTC would not have the ability to preempt ex ante state legislation without congressional action, which should be one of the main goals for a federal data privacy regulatory regime.
From the body of evidence available, NTU believes it is clear that any new comprehensive data privacy rules must be explicitly authorized by Congress. The FTC should be cognizant of the failures and threats to businesses of GDPR when seeking to replicate an onerous and overly restrictive data privacy regime in the United States. Given the lengthy process of Magnusson-Moss rulemaking and with pending congressional legislation on this exact topic, NTU believes that the FTC should delay rulemaking until Congress has made it clear what regulators should prioritize under explicit new authority. Failure to recognize the jurisprudence and history of the FTC itself will likely result in legal challenges and a patchwork of federal and state data regulation across the country, which hurts consumers and businesses alike. The GDPR model has harmed European small businesses and similar regulation in the United States would harm vulnerable American companies and curtail innovation that improves the average American’s day to day life.
Thank you for your consideration of these comments. Please do not hesitate to reach out should you have any questions or if there is any way NTU can be of service.
Sincerely,
Nick Johns
Policy and Government Affairs Manager
Endnotes
1. Bureau of Economic Analysis. (2022). “New and Revised Statistics of the U.S. Digital Economy, 2005–2020.“
2. O’Neill, Sean. “Google Flights Gains Popularity Among Millennials as It Adds Booking Sites.” Skift, March 22, 2017.
3. National Bureau of Economic Research. (2022). “GDPR and the Lost Generation of Innovative Apps.”
4. Chen,Chinchih, Frey, Carl Benedikt, and Presidente, Giorgio. “Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally.” University of Oxford, 2022.
5. Id.
6. Rich, Jessica. “The FTC’s Magnuson-Moss Rulemaking Process – Still an Uphill Climb.” JDSupra, January 11, 2022.
7. Id.
8. H.R.8152 - American Data Privacy and Protection Act
9. S.3195 - Consumer Online Privacy Rights Act
10. Congressional Research Service. (2022). “The Major Questions Doctrine.”
11. Util. Air Regul. Grp. (UARG) v. EPA, 573 U.S. 302, 324 (2014)
12. Federal Trade Commission. (2021). “Memo from Chair Lina M. Khan to Commission Staff and Commissioners Regarding the Vision and Priorities for the FTC.”