CAGW Files Comments to FTC on Commercial Surveillance and Data Security
Agency Comments
BEFORE THE
FEDERAL TRADE COMMISSION
Washington, D.C.
In the Matter of Advanced Notice of Proposed Rulemaking, Trade Regulation Rule on Commercial Surveillance and Data Security, 16 CFR Part 464.
R111004
Comments of
Thomas A. Schatz
President
Citizens Against Government Waste
November 18, 2022
Citizens Against Government Waste (CAGW) is a private, nonprofit, nonpartisan organization dedicated to educating the American public about waste, mismanagement, and inefficiency in government. On behalf of the more than one million members and supporters of CAGW, I offer the following comments regarding the advanced notice of proposed rulemaking (ANPRM) on Trade Regulation Rule on Commercial Surveillance and Data Security.
CAGW has been engaged on issues relating to consumer data privacy for more than a decade. On November 8, 2018, CAGW filed comments with the National Telecommunications and Information Administration (NTIA) expressing the organization’s recommendations for a national consumer data privacy framework.
The six recommendations are as follows: 1. Because of the unique nature of the internet ecosystem and its presence beyond state borders, a clear and concise national data privacy framework is necessary to provide consistency and certainty for businesses and consumers alike. 2. Businesses should provide consumers with easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed … with an opt-out choice to use their non-sensitive customer information for personalized third-party marketing. Businesses should be able to continue to rely on implied consent to use customer information for activities such as service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with the law, and first-party marketing. 3. Consumers should be provided with clear, comprehensible, accurate, and continuously available privacy notices by businesses collecting, using, or sharing consumer data that describe in detail the information being collected, how that information will be used, and whether the information will be sold or shared with third parties. Should customer information be sold or shared with a third party, customers must be notified about the types of third parties to whom their information has been given and for what purpose. 4. Consumers should expect reasonable limits on the amount of personal data that organizations will collect, use, and disclose, consistent with the context in which that data is provided. Every effort should be made to de-identify and delete data as promptly as possible when it is no longer necessary. 5. Different types of data require separate methods and standards of protection. For example, sensitive health care data and financial data require a higher level of security than a social media account or a computer’s IP address. Therefore, policies must be consistent with the type of data being collected and how it is to be used. 6. Consumers should expect that the personal data they share with other entities is maintained in a secure environment. Information technology systems are under constant attack; breaches have and will continue to occur. In the event of a data breach in which there is a reasonable likelihood of misuse and consumer harm, consumers should expect timely notification of the event, and an offer by the entity breached as to the remedies available to make the consumer as whole as possible, including credit protection services, fraud alerts, and credit monitoring through credit reporting agencies.[1]
CAGW’s primary purpose in these comments is to inform the commission that the ANPRM contravenes the scope of the authority granted to the commission by the FTC Act and Congress. The NTIA, Federal Communications Commission (FCC) and other agencies with such authority are reviewing consumer data privacy laws and practices. In 2016, the FCC adopted data privacy regulations,[2] which were repealed by Congress in March 2017 under the Congressional Review Act.[3] The ANPRM not only exceeds the FTC’s authority, but also complicates the solutions to the different consumer data privacy protection laws enacted by states across the country as well as efforts by other federal agencies.
According to a January 2019 Government Accountability Office report, Congress, not the FTC, should determine which agency or agencies should be responsible for oversight of internet privacy, including writing regulations and enforcing civil penalties, as well as balancing the consumers’ need for internet privacy and private industry’s ability to innovate and provide services.[4]
The inability of Congress to enact a comprehensive data privacy protection regime has created a conflicting, confusing, and complex hodgepodge approach to data privacy, leaving consumers and businesses struggling to decipher what they need to do based on where they are located, and uncertainty about whether consumers have adequate protection under current law should their identities or other personal information be disclosed without their permission, either deliberately, or through accidental disclosures.[5]
Many of the questions raised by the commission are better explored through oversight hearings and regular legislative order. This proven methodology leads to a viable legislative solution that will be better in the long-term than overreaching regulations issued by the FTC without congressional authorization.
Indeed, this process is currently underway in Congress, with members working together on a bipartisan solution to the concerns being raised by the ANPRM. While CAGW has suggested several changes that need to be made before it is passed by Congress,[6] the American Data Privacy and Protection Act (ADPPA), reported out of the House Energy and Commerce Committee on July 20, 2022, by a vote of 53-2, provides the groundwork for a final legislative solution to resolve issues surrounding consumer data privacy protection, including agency guidance for many of the questions raised in the ANPRM.[7]
With respect to questions 24-29 of the ANPRM regarding the cost benefit of regulating online activities, the proposed regulations address the entire economy, not just the technology sector. The economic impact would increase costs for all businesses regardless of size or type. A regulation of this size and scope, absent Congressional authorization, would likely see a successful challenge in the court, pursuant to the U.S. Supreme Court decision in West Virginia vs. EPA, which sets a precedent for overruling agency regulations that exceed their congressionally-delegated authority, under the “major questions” doctrine, wherein a clear statement from Congress is necessary to prove that Congress intended the delegate authority “of this breadth to regulate a fundamental sector of the economy.”[8]
In her dissenting opinion on the issuance of the ANPRM, with which CAGW concurs, FTC Commissioner Christine Wilson stated, “Many practices discussed in this ANPRM are presented as clearly deceptive or unfair despite the fact that they stretch far beyond practices with which we are familiar, given our extensive law enforcement experience. Indeed, the ANPRM wanders far afield of areas for which we have clear evidence of a widespread pattern of unfair or deceptive practices.”[9] However, in the same statement, Commissioner Wilson holds out hope for the future of consumer data privacy protection, noting that she is “heartened that Congress is now considering a bipartisan, bicameral bill that employs a sound, comprehensive, and nuanced approach to consumer privacy and data security.” She further states, “The momentum of the ADPPA plays a significant role in my ‘no’ vote on the Advance Notice of Proposed Rulemaking (ANPRM) announced today. I am gravely concerned that opponents of the bill will use the ANPRM as an excuse to derail the ADPPA.”[10]
Should the FTC continue to pursue regulating consumer data privacy across the entire economy, it risks wasting taxpayer resources on the time and effort needed to develop such a massive regulatory scheme that is likely to not only be superseded by legislation but also overturned by litigation. CAGW strongly urges the FTC to set this rulemaking aside and let Congress act on a comprehensive consumer data privacy protection bill that will provide the FTC and all other federal agencies with the appropriate regulatory authority. There is no chance whatsoever that Congress will give the FTC the broad, unprecedented, and audacious authority the agency is seeking through the ANRPM.
CAGW recognizes the importance of protecting consumer privacy and preventing potential harm to those whose information has been compromised. However, it is well beyond the legal boundaries of the FTC’s authority to set rules for the entire country for the protection of consumer data privacy. Instead, Congress should enact laws protecting consumer privacy and set parameters for the federal agencies to administer these laws.
[1] Citizens Against Government Waste, “Comments on Developing the Administration’s Approach to Consumer Privacy (Docket Number: 18021780-8780-01),” National Telecommunications and Information Administration, November 8, 2018, https://www.ntia.doc.gov/files/ntia/publications/privacy_letter_ntia.pdf.
[3] A joint resolution providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” S.J.Res. 34, (2017), Pub. L. No. 115-22, https://www.congress.gov/bill/115th-congress/senate-joint-resolution/34.
[4] Government Accountability Office, Report to the Chairman, Committee on Energy and Commerce, U.S. House of Representatives, “Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility,” GAO-19-52, January 2019, https://www.gao.gov/assets/gao-19-52.pdf.
[8] U.S. Supreme Court, October Term, 2021, West Virginia et al. v. Environmental Protection Agency et al., Certiorari to the United States Court of Appeals for the District of Columbia Circuit, No. 20-1530, Argued February 28, 2022, Decided June 30, 2022, https://www.supremecourt.gov/opinions/21pdf/20-1530_n758.pdf.
BEFORE THE
FEDERAL TRADE COMMISSION
Washington, D.C.
In the Matter of Advanced Notice of Proposed Rulemaking, Trade Regulation Rule on Commercial Surveillance and Data Security, 16 CFR Part 464.
R111004
Comments of
Thomas A. Schatz
President
Citizens Against Government Waste
November 18, 2022
Citizens Against Government Waste (CAGW) is a private, nonprofit, nonpartisan organization dedicated to educating the American public about waste, mismanagement, and inefficiency in government. On behalf of the more than one million members and supporters of CAGW, I offer the following comments regarding the advanced notice of proposed rulemaking (ANPRM) on Trade Regulation Rule on Commercial Surveillance and Data Security.
CAGW has been engaged on issues relating to consumer data privacy for more than a decade. On November 8, 2018, CAGW filed comments with the National Telecommunications and Information Administration (NTIA) expressing the organization’s recommendations for a national consumer data privacy framework.
The six recommendations are as follows: 1. Because of the unique nature of the internet ecosystem and its presence beyond state borders, a clear and concise national data privacy framework is necessary to provide consistency and certainty for businesses and consumers alike. 2. Businesses should provide consumers with easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed … with an opt-out choice to use their non-sensitive customer information for personalized third-party marketing. Businesses should be able to continue to rely on implied consent to use customer information for activities such as service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with the law, and first-party marketing. 3. Consumers should be provided with clear, comprehensible, accurate, and continuously available privacy notices by businesses collecting, using, or sharing consumer data that describe in detail the information being collected, how that information will be used, and whether the information will be sold or shared with third parties. Should customer information be sold or shared with a third party, customers must be notified about the types of third parties to whom their information has been given and for what purpose. 4. Consumers should expect reasonable limits on the amount of personal data that organizations will collect, use, and disclose, consistent with the context in which that data is provided. Every effort should be made to de-identify and delete data as promptly as possible when it is no longer necessary. 5. Different types of data require separate methods and standards of protection. For example, sensitive health care data and financial data require a higher level of security than a social media account or a computer’s IP address. Therefore, policies must be consistent with the type of data being collected and how it is to be used. 6. Consumers should expect that the personal data they share with other entities is maintained in a secure environment. Information technology systems are under constant attack; breaches have and will continue to occur. In the event of a data breach in which there is a reasonable likelihood of misuse and consumer harm, consumers should expect timely notification of the event, and an offer by the entity breached as to the remedies available to make the consumer as whole as possible, including credit protection services, fraud alerts, and credit monitoring through credit reporting agencies.[1]
CAGW’s primary purpose in these comments is to inform the commission that the ANPRM contravenes the scope of the authority granted to the commission by the FTC Act and Congress. The NTIA, Federal Communications Commission (FCC) and other agencies with such authority are reviewing consumer data privacy laws and practices. In 2016, the FCC adopted data privacy regulations,[2] which were repealed by Congress in March 2017 under the Congressional Review Act.[3] The ANPRM not only exceeds the FTC’s authority, but also complicates the solutions to the different consumer data privacy protection laws enacted by states across the country as well as efforts by other federal agencies.
According to a January 2019 Government Accountability Office report, Congress, not the FTC, should determine which agency or agencies should be responsible for oversight of internet privacy, including writing regulations and enforcing civil penalties, as well as balancing the consumers’ need for internet privacy and private industry’s ability to innovate and provide services.[4]
The inability of Congress to enact a comprehensive data privacy protection regime has created a conflicting, confusing, and complex hodgepodge approach to data privacy, leaving consumers and businesses struggling to decipher what they need to do based on where they are located, and uncertainty about whether consumers have adequate protection under current law should their identities or other personal information be disclosed without their permission, either deliberately, or through accidental disclosures.[5]
Many of the questions raised by the commission are better explored through oversight hearings and regular legislative order. This proven methodology leads to a viable legislative solution that will be better in the long-term than overreaching regulations issued by the FTC without congressional authorization.
Indeed, this process is currently underway in Congress, with members working together on a bipartisan solution to the concerns being raised by the ANPRM. While CAGW has suggested several changes that need to be made before it is passed by Congress,[6] the American Data Privacy and Protection Act (ADPPA), reported out of the House Energy and Commerce Committee on July 20, 2022, by a vote of 53-2, provides the groundwork for a final legislative solution to resolve issues surrounding consumer data privacy protection, including agency guidance for many of the questions raised in the ANPRM.[7]
With respect to questions 24-29 of the ANPRM regarding the cost benefit of regulating online activities, the proposed regulations address the entire economy, not just the technology sector. The economic impact would increase costs for all businesses regardless of size or type. A regulation of this size and scope, absent Congressional authorization, would likely see a successful challenge in the court, pursuant to the U.S. Supreme Court decision in West Virginia vs. EPA, which sets a precedent for overruling agency regulations that exceed their congressionally-delegated authority, under the “major questions” doctrine, wherein a clear statement from Congress is necessary to prove that Congress intended the delegate authority “of this breadth to regulate a fundamental sector of the economy.”[8]
In her dissenting opinion on the issuance of the ANPRM, with which CAGW concurs, FTC Commissioner Christine Wilson stated, “Many practices discussed in this ANPRM are presented as clearly deceptive or unfair despite the fact that they stretch far beyond practices with which we are familiar, given our extensive law enforcement experience. Indeed, the ANPRM wanders far afield of areas for which we have clear evidence of a widespread pattern of unfair or deceptive practices.”[9] However, in the same statement, Commissioner Wilson holds out hope for the future of consumer data privacy protection, noting that she is “heartened that Congress is now considering a bipartisan, bicameral bill that employs a sound, comprehensive, and nuanced approach to consumer privacy and data security.” She further states, “The momentum of the ADPPA plays a significant role in my ‘no’ vote on the Advance Notice of Proposed Rulemaking (ANPRM) announced today. I am gravely concerned that opponents of the bill will use the ANPRM as an excuse to derail the ADPPA.”[10]
Should the FTC continue to pursue regulating consumer data privacy across the entire economy, it risks wasting taxpayer resources on the time and effort needed to develop such a massive regulatory scheme that is likely to not only be superseded by legislation but also overturned by litigation. CAGW strongly urges the FTC to set this rulemaking aside and let Congress act on a comprehensive consumer data privacy protection bill that will provide the FTC and all other federal agencies with the appropriate regulatory authority. There is no chance whatsoever that Congress will give the FTC the broad, unprecedented, and audacious authority the agency is seeking through the ANRPM.
CAGW recognizes the importance of protecting consumer privacy and preventing potential harm to those whose information has been compromised. However, it is well beyond the legal boundaries of the FTC’s authority to set rules for the entire country for the protection of consumer data privacy. Instead, Congress should enact laws protecting consumer privacy and set parameters for the federal agencies to administer these laws.
[1] Citizens Against Government Waste, “Comments on Developing the Administration’s Approach to Consumer Privacy (Docket Number: 18021780-8780-01),” National Telecommunications and Information Administration, November 8, 2018, https://www.ntia.doc.gov/files/ntia/publications/privacy_letter_ntia.pdf.
[2] Federal Communications Commission, “FCC Adopts Broadband Consumer Privacy Rules to Give Broadband Consumers Increased Choice, Transparency and Security for their Personal Data,” October 27, 2016, https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rules.
[3] A joint resolution providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” S.J.Res. 34, (2017), Pub. L. No. 115-22, https://www.congress.gov/bill/115th-congress/senate-joint-resolution/34.
[4] Government Accountability Office, Report to the Chairman, Committee on Energy and Commerce, U.S. House of Representatives, “Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility,” GAO-19-52, January 2019, https://www.gao.gov/assets/gao-19-52.pdf.
[5] Deborah Collier, Ryan Lanier, and Thomas Schatz, “The Path to a National Privacy Framework,” Citizens Against Government Waste, March 2022, https://www.cagw.org/reporting/national-privacy-framework.
[6] Council for Citizens Against Government Waste, “CCAGW Sends Letter to House Energy and Commerce Committee Regarding H.R. 8152, the American Data Privacy and Protection Act,” July 19, 2022, https://www.ccagw.org/legislative-affairs/letters-officials/ccagw-sends-letter-house-energy-and-commerce-committee.
[7] American Data Privacy and Protection Act, H.R. 8152, (2022), https://www.congress.gov/bill/117th-congress/house-bill/8152.
[8] U.S. Supreme Court, October Term, 2021, West Virginia et al. v. Environmental Protection Agency et al., Certiorari to the United States Court of Appeals for the District of Columbia Circuit, No. 20-1530, Argued February 28, 2022, Decided June 30, 2022, https://www.supremecourt.gov/opinions/21pdf/20-1530_n758.pdf.
[9] Federal Trade Commission, Dissenting Statement of Commissioner Christine S. Wilson, Trade Regulation Rule on Commercial Surveillance and Data Security, August 11, 2022, https://www.ftc.gov/system/files/ftc_gov/pdf/Commissioner%20Wilson%20Dissent%20ANPRM%20FINAL%2008112022.pdf.
[10] Ibid.