Late last year in Washington something of consequence happened: Two federal agencies decided to jointly regulate consumer privacy issues. And just this week, dozens of consumer and privacy advocates are pushing one of those agencies – the Federal Communications Commission - to vigorously enforce consumer privacy rights.
Given the turf-conscious nature of Washington, the success of last year's unusual agreement is deserving of critical review. There are high stakes for American consumers who expect privacy violations to be policed properly. For businesses in the converging communications, Internet, and app spaces that rely on their ability to use customer data, doubling the number of privacy cops could create significant headaches.
Traditionally, the Federal Trade Commission (FTC) has been the lead agency for consumer privacy issues. The U.S. has a handful of consumer privacy laws that are sector- or industry-specific. For example, there are statutes on the books that provide authority to regulate the data of health care patients, students and minors. For nearly everything else the FTC has a sort of catch-all consumer privacy enforcement authority not authorized by statute but built up principally over the last 25 years through a series of policy pronouncements and enforcement actions against companies. The FTC uses its core power to police unfair or deceptive trade practices when companies do not live up to their own statements concerning, and promises regarding, their collection, sharing, usage and protection of their customers’ personally identifiable information. Unless a separate privacy statute grants regulatory authority to a different federal agency, the FTC has assumed it is the privacy cop on the beat.
The Federal Communications Commission (FCC) polices the behavior of telecommunications carriers and historically has held only limited privacy authority. Specifically, until this spring, the FCC could only act to prevent carriers from misusing their customers’ Customer Proprietary Network Information. CPNI is a data category tied to specific customers and that either does specifically or could identify them with particularity. Other than this limited grant of privacy enforcement power, Congress never chose to empower the FCC to protect consumer privacy. This limited authority, however, did not create a privacy gap. Carriers assumed that their other statements concerning their data practices would be legally binding promises to consumers and that any deviation from those statements or violations of those promises could subject them to FTC fines and worse.
The new scheme is the product of the FCC awarding itself broader privacy authority through the Open Internet Order it finalized last spring. The Order is most well known for its imposition of so-called net neutrality rules on telecommunications carriers. While the press and policymakers’ attention were focused on the Order’s establishment of rules concerning carriers’ handling of data flowing across their networks, the FCC slipped in rules greatly expanding its authority to investigate and enforce perceived privacy violations of companies that provide consumers with broadband Internet access.
It is among the worst kept secrets in Washington that the FCC’s substantial expansion of its privacy authority was controversial. FTC officials and staff would smile wryly when asked about sharing their privacy beat. FCC staff bristled at suggestions that they had seized territory without warning that belonged to others. Congressional overseers fretted quietly – and sometimes not so quietly – about perception of mission creep. Consumer advocates worried that the pairing would be messy and might lead to gaps that delayed important privacy actions when companies were failing to live up to or outright abusing their data responsibilities to their customers.
Converging technologies, coupled with mergers across formerly distinct industries drove this privacy authority expansion, but questions abound. Are apps that serve as messaging services an Internet business, a communications platform, or both? If a telecommunications carrier merges with an Internet-driven, online business, what kind of company is created and which agency is it best regulated by with respect to its consumer data privacy and security practices? The fast converging worlds of formerly distinct businesses defy easy classification.
Businesses and consumers are in for a novel experiment.
Can two federal agencies properly police consumer privacy issues, or will their overlapping jurisdiction lead to confusion, redundancy and gaps? The Memorandum of Understanding (MOU) signed by both agencies leaves much to be decided. The agencies seem to have signed little more than an agreement to agree. While the signatories reiterate their respect for the other agency and each pledges cooperation and consultation on areas where “one agency’s actions will have a significant effect on the other agency’s authority or programs,” general counsels and chief privacy officers across the country will be left to wonder which agency’s requirements they must satisfy.
Consumers might benefit from additional focus on protection of consumer privacy if shared responsibility leads to laser-like focus on real consumer harms rather than ephemeral concerns. Privacy damage and resulting economic injury created by data breaches and hacking attacks are the top concerns of consumers reported to the FTC and have been so for more than a dozen years in a row. For this power-sharing agreement to benefit consumers, it must cause both agencies to focus on substantive privacy injuries that cause tangible harm to consumers rather than simply increase the chances that minor deviations from stated data practices are caught by zealous regulatory attention.
If having two cops pushes companies to better align their data practices with consumers’ preferences or compete with each other on privacy, then the MOU will be rightly celebrated by consumer advocates.
This MOU also subtly threatens current privacy enforcement efforts, and consumer advocates should watch the watchers. Despite some rhetoric to the contrary, all federal agencies, and especially the FTC, are resource-constrained. The FTC must root out myriad threats to consumers, from competition to scams to robo calling and beyond. Privacy cop is just one of its roles. If the effect of the FCC entering the privacy-policing world is that the FTC shifts resources towards better achieving its other missions, the gains for consumers needing privacy protection could be nullified or even reversed. While new, cooperative efforts are being established, one agency may defer to the other, leaving a gap in consumer privacy coverage.
Two proud agencies might, alternatively, lead to enormous headaches for companies. Mergers across formerly distinct industries and converging technologies are creating overlapping regulatory responsibilities but they also leave unclear lines of demarcation.
It is plausible that both agencies might decide to wrestle with some companies’ alleged privacy violations but arrive at different conclusions. That distinct possibility will leave general counsels of corporations in a quandary about which agency’s dictates it must follow. Confusion and inconsistency benefit no one. One thing is certain: Outside counsel lawyers will profit handsomely during the transition period while this is all worked out.
An agreement to agree between the FTC and FCC poses both great opportunities for meaningful consumer privacy advances and for coverage gaps to go unaddressed. It certainly will increase attention and costs for corporations that reside in the increasingly merged world of telecommunications and Internet services. If the result is that work is simply shifted from one agency to another, little public benefit will result from the FCC’s increased privacy efforts.
photo credit: SFPD and the Iraq war protest - 232 via photopin (license)