Chris Hoofnagle begins his book, Federal Trade Commission: Privacy Law and Policy, asking “How did a small, independent antitrust agency come to be among the most important forces in consumer protection and privacy law?”
The FTC was created in 1914 primarily as a “trust buster,” in reaction to the excesses of corporate America at the turn of the 20th century, with its emerging class of “robber barons.” Today, as the U.S. economy shifts from energy and manufacturing to software and online services – with five of the top 10 companies by market capitalization being Apple, Alphabet, Amazon, Facebook, and Microsoft – market power has become an elusive notion. Traditionally defined as control over price, market power is now assessed in an environment where “free” is the prevalent price online and “competition is always a click away.” Against this backdrop, FTC Chairwoman Edith Ramirez, who announced her resignation last week, has asserted the agency’s role as the chief regulator for the technological age.
Indeed, under Chairwoman Ramirez, the FTC has truly become the Federal Technology Commission.
Privacy and data security are central pillars of technology policy and regulation. Two years ago, I wrote, “The role that antitrust played in the wake of the Industrial Revolution is being captured by privacy in the Digital Age. Privacy has become the boundary, the limiting principle, the litmus test for the delicate balance between the tremendous benefits and formidable risks of a dizzying array of technological innovations.” Just as antitrust policy relies on economic analysis, often driven by the agency’s Bureau of Economics, privacy regulation is contingent on a deep understanding of new technological innovations. How do companies and their adversaries de-identify and re-identify consumer information? When is granular geolocation information required to provide a service? How does cross-device tracking work? How should companies apprise their users of the complex array of data flows fueling their service models? Where does data sit in a cloud computing stack? What makes consumer sentiments shift with respect to new features and applications – and how do different groups of consumers react – sometimes responding with outrage and alarm and other times delirious about new ways to share secrets and personal information?
Chairwoman Ramirez, whom Time magazine called “the Woman Keeping Silicon Valley in Check,” embraced technology regulation in multiple ways. From an institutional perspective, Ramirez established the Office of Technology Research and Investigation (OTech) within the Bureau of Consumer Protection to “support all facets of the FTC’s consumer protection mission, including issues related to privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, fraud, big data, and the Internet of Things.” OTech, which evolved from the agency’s Mobile Technology Unit, has propelled the FTC’s technical leadership and expertise beyond that of any other regulator in this space, not only in the U.S., but also around the world.
OTech has strengthened the agency’s ties to the academic community. It launched PrivacyCon, which in two years has already become one of the premier venues for presentation and discussion of cutting edge privacy scholarship. In many ways, the new office’s academic conference mirrors the agency’s annual microeconomics conference, which is organized by the Bureau of Economics.
OTech tapped tech policy leaders such as Justin Brookman, who joined the agency as Policy Director after leading consumer privacy at the Center for Democracy and Technology; and hosted a series of Chief Technologists, including Carnegie Mellon University Professor Lorrie Cranor, who brought tremendous academic experience and ties to the research community; Ashkan Soltani, who was well acquainted with hacker culture and had been part of the team at The Washington Post that won the 2014 Pulitzer Prize for its part in covering the Snowden revelations; and Harvard University Professor Latanya Sweeney, one of the world’s preeminent experts on de-identification and k-anonymity.
OTech launched an internship program for graduate students, and last week hosted a pre-PrivacyCon networking event to facilitate connections between researchers and funding organizations interested in their work, in furtherance of the Obama Administration’s National Privacy Research Strategy, which the FTC helped draft.
Ramirez has driven change not only in the agency’s institutional capacity but also in the tenor of its engagement with the tech community. FTC Commissioners and senior staff started to participate in techie events such as CES, DEFCON and Black Hat. OTech reenergized the Tech@FTC blog, which was launched in 2012 by then-Chief Technologist Ed Felten. And most recently, it has launched its IoT Home Inspector Challenge, a prize competition that “challenges the public to create a technical solution (‘tool’) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.”
The Chairwoman’s term has been marked by a series of tech policy initiatives, workshops and reports. Over the past four years, the agency hosted workshops on cross-device tracking, mobile security, the sharing economy, drones, smart TVs, ransomware, mobile and online disclosures, crowdfunding and peer-to-peer payments, and more. It issued an enforcement policy statement on “native” advertising and deceptively formatted advertisements.
Following the tradition of the Bureau of Economics’ policy work, OTech has also informed policymaking with empirical scholarly research. For example, last month, a group of FTC-affiliated researchers, led by Brookman, published “Cross-Device Tracking: Measurement and Disclosures” with the Proceedings on Privacy Enhancing Technologies.
Underlying the agency’s policymaking efforts under Ramirez was a keen focus on protecting consumers in a time of rapid technological change, with particular attention to the plight of poor and weakened individuals. In its staff report, “Big Data: A Tool for Inclusion or Exclusion?”, the agency addressed concerns that “companies could use big data to exclude low-income and underserved communities from credit and employment opportunities.” Traditionally outlawed by the Fair Credit Reporting Act, such harmful discrimination can now be covered under the guise of proxies and mirrors for race or social class and extended to areas not typically covered by FCRA, such as retail and online advertising. For example, citing research that has shown that online companies may charge consumers in different zip codes different prices for standard office products, the FTC warned, “If such pricing results in consumers in poorer neighborhoods having to pay more for online products than consumers in affluent communities, where there is more competition from brick-and-mortar stores, these poorer communities would not realize the full competition benefit of online shopping.”
In its report “Data Brokers: A Call for Transparency and Accountability,” the FTC called out companies for creating potentially sensitive categories, including “those that primarily focus on ethnicity and income levels, such as ‘Urban Scramble’ and ‘Mobile Mixers,’ both of which include a high concentration of Latinos and African Americans with low incomes.”
The crux of the FTC’s activity is, of course, enforcement, and Ramirez’s term was characterized by a flurry of privacy and security activity on the cusp of new technologies and business models. Over the past two years alone, the agency brought enforcement actions addressing revenge porn, in-store location tracking, cross app location data, “zombie cookies,” cloud-based electronic health records, and more. Deploying a combination of its “deception” and “unfairness” jurisdiction, the FTC brought a long line of technology innovators to heel, including Snapchat, Yelp, Fandango, Credit Karma, and many more. (Editor’s Note: Find details and analysis on all privacy and security FTC enforcement actions in the IAPP FTC Casebook.)
In April 2014, after Facebook announced its plans to acquire messaging giant WhatsApp, the FTC Consumer Protection Bureau reminded Facebook of its continuing obligation under a 2011 consent agreement to obtain affirmative consent from users before making changes to their privacy settings. Noting that WhatsApp’s privacy promises differed from Facebook’s, including an obligation to not collect location or contact data or share it with third-party marketers, the letter stressed that Facebook would need to obtain affirmative consent from WhatsApp users before using their data in ways inconsistent with those promises.
Ramirez led the agency to its first case in an area sure to generate significant activity over the next decade, the Internet of Things. Presaging near calamitous vulnerabilities such as the recent attack on the Internet backbone orchestrated by compromised webcams and baby monitors, the 2013 TrendNet case cited security flaws in the company’s home camera software, which led to hundreds of private video feeds being posted publicly online. In Goldenshores Technologies, the FTC faulted the maker of the ubiquitous flashlight app for violating consumer expectations by collecting and sharing with third parties their precise geolocation information. In Jerk, LLC, the FTC charged the operators of a website that harvested millions of personal profiles from Facebook to label individuals as “jerks.” In Instant Checkmate, the agency shone a light on the practices of online data brokers who hide in the shadow of the law, allegedly providing inaccurate information that suggests job applicants potentially were registered sex offenders, possibly causing employers to reject their job application.
Importantly, under Ramirez, the FTC stressed companies’ obligation to institute and maintain sound data security practices, including requiring secure passwords and authentication; storing sensitive personal information safely and protecting it during transmission; segmenting networks and monitoring remote and local access attempts; ensuring service providers implement reasonable security measures; and even securing paper, physical media and devices. Often raising the ire of defendants and critics, the FTC has incrementally built what scholars called “a common law” of data security, including not only a constant drumbeat of enforcement actions but also guidance documents and a business education initiative called “Start with Security,” comprising a series of public workshops that have already visited San Francisco, Austin, Seattle and Chicago.
Ramirez’s appointment as Chairwoman in March 2013 nearly coincided with the transatlantic storm raised by Snowden’s June 2013 revelations about U.S. government access to data stored in the cloud. Dealing with the fallout of those disclosures, up to and including the invalidation by the Court of Justice of the European Union of the landmark EU-U.S. Safe Harbor arrangement, Ramirez instituted a series of enforcement actions under the Safe Harbor and, more recently, under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR). Recognized as the cornerstone of the privacy and data security framework in the U.S., the agency under Ramirez also enabled the conclusion of the Safe Harbor’s successor, Privacy Shield.
The Chairwoman’s diplomacy was evident not only on the global stage but also in Washington. On January 12, 2015, ending an 80-year drought of visits to the agency by the chief executive, President Obama made his historic visit to the FTC, announcing forthcoming initiatives to address identity theft as well as consumer and student privacy. Reinforcing the importance of privacy in a digital age, Obama said in his speech there, “We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”
Criticism and concerns
In reviewing an impactful term in office, it is important to also consider criticism as well as what lies ahead, as the White House changes hands and new agendas and policies will come into focus. In addressing criticisms of Ramirez’s actions, it depends whom you ask: Some critics viewed the Chairwoman as overly risk averse, suggesting that in the space of privacy and security the agency typically targeted low-hanging fruit instead of pushing the envelope to establish new rules and guidelines. Conversely, other critics claimed the FTC was overextending, leveraging its Section 5 jurisdiction into uncharted territory and becoming a self-proclaimed data security cop on the beat, absent clear legislative authority or regulatory guidelines. Against those claims, the courts have so far upheld the agency’s stance, most notably in the Wyndham and LabMD cases.
In Europe, critics suggested the FTC enforcement actions, namely under the now defunct Safe Harbor, were of limited scope and technical nature, addressing such issues as failure to recertify in lieu of more substantive violations of privacy principles. Surely, with more than 4,000 companies on the hook for privacy obligations including notice and choice, access, data integrity, and onward transfers, numerous violations were overlooked. Yet in assessing such criticism, it is important to compare the FTC’s activity to that of European data protection authorities, whose enforcement stance has traditionally been lax.
Despite repeated calls for privacy legislation and tighter control of the data broker industry, the FTC continues to face unregulated pockets of the data ecosystem armed only with its broad authority against unfair or deceptive trade practices, which dates back to 1914. With that, after three years in office and six years as FTC Commissioner, Ramirez leaves the agency stronger and better equipped to deal with the challenges of the next years.
Photo: Courtesy of the U.S. Federal Trade Commission