There is an annual gathering of digital governance wonks in Boulder, Colorado, hosted by Silicon Flatirons. This year, the title of the conference captured our current zeitgeist. Almost all speakers agreed “The Internet’s Midlife Crisis” is more a series of converging crises, a web of policy goals that share the quality of being difficult to solve without federal congressional action. If this is, indeed, the midlife of internet policymaking, we are awakening from our routine to find there is so much yet to tackle: from competition to censorship to CSAM to cybersecurity to, of course, data privacy and algorithmic harms. 

Faced with this regulatory morass, Sen. Michael Bennet, D-Colo., again offered the solution he introduced in legislation last term: a new regulatory agency dedicated to oversight of digital platforms. Some voices favor this approach, while others prefer a law that would give new authorities to existing enforcers, like the U.S. Federal Trade Commission.

In a panel of current and former regulators, The Future of Agencies, there was some disagreement about such solutions, but general agreement that the policy crises we face today should be enough impetus to spark collective action. Former FTC commissioner Julie Brill would have us first come together to solve the most harmful crises, like “youth mental health and what’s happening to children online in terms of sexual and abusive material.” Brill called for a multidisciplinary approach that learns from other regulators in Europe and around the world. As an example of a helpful model, she pointed to the U.K.’s Digital Regulation Cooperation Forum, which brings together cross-government expertise on online services to tackle new policy priorities.

Brill also called on policymakers to “get back to the job of compromise.” The lost art of compromise was a theme of the panel discussion. Tom Wheeler, the former chairman of the Federal Communications Commission, put a fine point on it. Recalling the arduous path to passing the 1996 Telecommunications Act, he said there was only one real reason it reached the finish line: “The LECs got something and the IXCs got something.” At the time, local exchange carriers and interexchange carriers were strong antithetical voices in the market. “You have to go back to something that’s a win for everyone,” Wheeler advised. The ’96 act offered each side a “win” that allowed a new technocratic approach to telecom governance to become law.

It is hard to find a direct corollary in today’s privacy debates. Who are the “sides?” Consumers and industry? Democrats and Republicans? Dominant platforms and new entrants? State regulators and federal regulators? Former FTC Chair Maureen Ohlhausen cautioned us to avoid utility-style regulation for issues like privacy. Instead, with a bigger budget and clearly defined guidelines on new regulatory authorities, Ohlhausen is confident the FTC is the proper home of digital regulations. But even after Congress grants strong authorities, the work of effectuating regulation is never done. Wheeler told a vignette about his time as chairman of the FCC, testifying before Congress to advocate for the agency’s budget. He remembers an unnamed legislator turning to him and saying, “Mr. Wheeler, you don’t understand, I want you to do less with less.”

Compromise also undergirds President Biden’s support for federal privacy legislation, as shown in his State of the Union remarks. Biden’s listed policy priorities seem carefully chosen to fit multiple recent legislative proposals. Except for general “safety” rules, all listed children’s privacy solutions, both in his speech and in the White House fact sheet, would be addressed by either the Kids Online Safety Act or the American Data Privacy and Protection Act. Even as the White House avoids weighing in on the toughest debate, the fact sheet is not short on specific policies:

There should be clear and strict limits on the ability to collect, use, transfer, and maintain our personal data, especially for sensitive data such as geolocation and health information, and the burden must fall on companies – not consumers – to minimize how much information they collect. We must also demand transparency about the algorithms companies use that far too often discriminate against Americans and sow division. The President has called for imposing much stronger transparency requirements on Big Tech platforms and is calling for bipartisan support to impose strong limits on targeted advertising and the personal data that companies collect on all Americans.

Clear, achievable and enforceable data privacy standards are a win for everyone. But making everyone feel like a winner will take real work. Last year’s ADPPA represented one possible compromise. Although there may be any number of possible compromises with enough work, most voices in D.C. agree building on the existing compromise will be the quickest way to reach consensus.

Yet even as we work toward compromise, interests may be difficult to fully align. As Wheeler quoted Oscar Wilde, “There are only two tragedies in life: not getting what you want, and getting it. The reality for the industries that would be impacted by privacy legislation is that they have gotten what they want, which is nothing.”

Here's what else I’m thinking about:

• FTC Commissioner Alvaro Bedoya is calling for mental health experts to join the agency. In multiple speaking engagements this week, Bedoya highlighted his priority to expand expertise for quantifying and evaluating mental health harms, especially for kids and teens. As he explained on Twitter:“There is ample room for arguments that mental health harms are cognizable injuries under section 5. This is why it is part of FTC’s strategic plan to explore hiring psychologists on staff. We need in house experts to help us understand those injuries.”
• The Secure Access for Essential Reproductive Health Act for privacy. Sens. Bennet and Mazie Hirono, D-Hi., introduced the SAFER Health Act, which they say would expand patient privacy protections by strengthening HIPAA to prohibit medical providers from disclosing personal health information related to abortion or pregnancy loss without patient consent. Eight other Democratic senators are cosponsoring the bill.
• A new report, Competition in the Mobile App Ecosystem, from the National Telecommunications and Information Administration includes some analysis of the tension between platform-based privacy and security requirements and a healthy competitive environment. For further reading, the NTIA study cites a report from the American Antitrust Institute, Privacy and Antitrust at the Crossroads of Big Tech.
• Biometrics privacy violations last for five years in Illinois. In Tims v. Black Horse Carriers the Illinois Supreme Court held a 5-year statute of limitations applies to violations of the Biometric Information Privacy Act. The outcome is seen as a win for plaintiffs.
• Speaking of biometrics, five Senators are called on the Transportation Security Administration to stop using facial recognition. In a letter, the Senators called on TSA to cease deploying the technology until the agency clarifies its guidelines. “While TSA claims that facial identification scans are not mandatory, it is unclear how travelers will know that they can ‘opt-out,’ and what the consequences for travelers are if they choose to opt-out,” they wrote.

Upcoming happenings

• Feb. 14 at 10 a.m. EST, the Senate Committee on the Judiciary hosts a hearing on “Protecting our Children Online” (Hart 216).
• Feb. 16 at 5:30 p.m. EST, Future of Privacy Forum hosts its 13th Annual Privacy Papers for Policymakers (in-person only).
• Feb. 21 at 1 p.m. EST, the ABA Science and Technology Law Section ePrivacy Committee hosts a webinar, Hello from the Dark Side: Dark Patterns in Privacy.
• Feb. 22 at 8 a.m. EST, IAPP’s Diversity in Privacy Section hosts a Mentor Q&A (virtual).
• March 1 at 8:30 a.m. EST, Politico hosts Privacy: Who's Winning? (hybrid).

Please send feedback, updates, and personal crises to cobun@iapp.org.