As part of a series of Hearings on Competition and Consumer Protection in the 21st Century announced in June 2018, the Commission will host a hearing to discuss the privacy aspects of Topic 5 on February 12-13, 2019, at the FTC’s Constitution Center building. (Topics 4 and 9, which address big data and artificial intelligence, also have privacy-related components; those topics will be the subject of separate hearings on November 6-8 and November 13-14, respectively. The data security portion of Topic 5 will be the subject of a separate hearing on December 11-12, 2018. The Commission will release information on those hearings separately.)
The Commission welcomes written comments on specific questions to be discussed at the February privacy hearing, as stated below. Interested parties may file pre-hearing comments electronically until December 21, 2018, and the Commission will additionally consider any comments it receives electronically until March 13, 2019. If any entity has provided funding for research, analysis, or commentary that is included in a submitted public comment, such funding and its source should be identified on the first page of the comment.
Background and Questions for Comment
The privacy of consumer data is a daily topic of news headlines, public discourse, and policy debates around the globe. Questions abound about consumers’ ability to make informed choices about data collection and use; potential harms to consumers resulting from data collection, sharing, aggregation, and use; the adequacy of existing legal and self-regulatory frameworks to protect consumers from those harms without unduly restraining legitimate business activity; and whether emerging frameworks improve on prior versions.
The Federal Trade Commission last undertook efforts to engage the public in considering data privacy issues in a comprehensive way from 2009-2012. During that time, the Commission held a series of public roundtable discussions, published a draft privacy framework, and obtained and considered more than 450 written public comments. The Commission’s work culminated in 2012 with a comprehensive privacy report.
Technologies and business models have changed significantly since the FTC issued the 2012 report. Consumers have benefited from the proliferation of mobile apps, mobile payment systems, Internet-connected devices (i.e., the Internet of Things), and other innovations. At the same time, consumers have expressed concern about the growing collection and use of their data, and businesses have enhanced their ability to link consumers’ behavior across devices and platforms.
Some jurisdictions have enacted new laws that contain new approaches for addressing privacy risks. The European Union, for example, enacted the General Data Protection Regulation (GDPR) (effective in May 2018), which includes data access, erasure, and portability rights and breach notification requirements. Some states have enacted comprehensive privacy laws or laws that address particular technologies, such as biometrics. For its part, the Commission has not only continued using its broad authority to prohibit unfair and deceptive practices, but also enforces more specific privacy statutes, such as the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the Fair Credit Reporting Act.
In addition, the Administration is working toward development of principles and tools to protect consumer privacy. For example, the National Telecommunications and Information Administration (NTIA) is seeking comment on core privacy principles and the National Institute of Standards and Technology (NIST) is developing a privacy framework to help organizations manage privacy risks.
These rapidly evolving changes in technology, business models, laws, and policy initiatives suggest that now is the right time for the Commission to re-examine the approach it developed in 2012. This includes addressing fundamental questions about what the goals of policymaking and enforcement in the privacy area should be, as well as the related question of how to define success.
The Commission has long taken a case-by-case approach to privacy, with protections calibrated to the particular law enforced as well as the sensitivity and use of personal information. However, the current approach needs to be examined in light of potential gaps in the Commission’s existing authority, as well as new risks, new opportunities, and new knowledge. Relevant questions include whether current approaches sufficiently protect consumer privacy; whether certain approaches may have unintentionally hindered innovation, growth, or competition, to the detriment of consumers and the economy; whether other approaches might better serve consumers and competition; and, if so, what those approaches should be. Accordingly, the Commission invites comments on the topics listed below, some of which have been examined in prior Commission materials and are being re-examined as part of the 21st Century Hearings initiative. Comments that contain empirical evidence and data are encouraged.
- What are the actual and potential benefits for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these benefits?
- What are the actual and potential risks for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these risks?
- The use of “big data” in automated decisionmaking has generated considerable discussion among privacy stakeholders. Do risks of information collection, sharing, aggregation, and use include risks related to potential biases in algorithms? Do they include risks related to use of information in risk scoring, differential pricing, and other individualized marketing practices? Should consideration of such risks depend on the accuracy of the underlying predictions? Do such risks differ when data is being collected and analyzed by a computer rather than a human?
- Should privacy protections depend on the sensitivity of data? If so, what data is sensitive and why? What data is not sensitive and why not?
- Should privacy protection depend on, or allow for, consumer variation in privacy preferences? Why or why not? What are the appropriate tradeoffs to consider? If desired, how should this flexibility be implemented?
- Market-based injuries can be objectively measured—for example, credit card fraud and medical identity theft often impact consumers’ finances in a directly measurable way. Alternatively, a “non-market” injury, such as the embarrassment that comes from a breach of sensitive health information, cannot be objectively measured because there is no functioning market for it. Many significant privacy violations involve both market and non-market actors, sources, and harms. Should the Commission’s privacy enforcement and policy work be limited to market-based harms? Why or why not?
- In general, privacy interventions could be implemented at many different points in the process of collecting, processing, and using data. For example, certain collections could be banned, certain uses could be opt-in only, or certain types of processing could trigger disclosure requirements. Where should interventions be focused? What interventions are appropriate?
- Should policymakers and other stakeholders attempt to improve accountability for privacy issues within organizations? Why or why not? If so, how? Should privacy risk assessments be mandated for certain companies? Should minimum standards in privacy protections be required?
- How can firms that interface directly with consumers foster accountability of third parties to whom they transfer consumer data?
- What are the effects, if any, on competition and innovation from privacy interventions, including from policies such as data minimization, privacy by design, and other principles that the Commission has recommended?
- Do firms incur opportunity costs as a result of increased investments in privacy tools? If so, what are the tradeoffs between functionality, innovation, and security and privacy protections at the design level?
- If businesses offer consumers choices with respect to privacy protections, can consumers be provided the right balance of information, i.e., enough to inform the choice, but not so much that it overwhelms the decisionmaker? What is the best way to strike that balance and assess its efficacy?
- To what extent do companies compete on privacy? How do they compete? To what extent are these competitive dynamics dictated or influenced by consumer preferences, regulatory requirements, or other factors?
- Some academic studies have highlighted differences between consumers’ stated preferences on privacy and their “revealed” preferences, as demonstrated by specific behaviors. What are the explanations for the differences?
- Given rapidly evolving technology and risks, can concrete, regulated technological requirements – such as data de-identification – help sustainably manage risks to consumers? When is data de-identified? Given the evolution of technology, is the definition of de-identified data from the FTC’s 2012 Privacy Report workable? If not, are there alternatives?
- What should the role of the Commission be in the privacy area? What would define successful Commission intervention? How can the Commission measure success?
Questions About Legal Frameworks
- What are existing and emerging legal frameworks for privacy protection? What are the benefits and drawbacks of each framework?
- What are the tradeoffs between ex ante regulatory and ex post enforcement approaches to privacy protection?
- The U.S. has a number of privacy laws that cover conduct by certain entities that collect certain types of information, such as information about consumers’ finances or health. Various statutes address personal health data, financial information, children’s information, contents of communications, drivers’ license data, video viewing data, genetic data, education data, data collected by government agencies, customer proprietary network information, and information collected and used to make certain decisions about consumers. Are there gaps that need to be filled for certain kinds of entities, data, or conduct? Why or why not?
- Other than explicit statutory exemptions, are there limitations to the FTC’s authority to protect consumers’ privacy? If so, should they be removed? Why or why not? Should more limitations be implemented? Why or why not?
- If the U.S. were to enact federal privacy legislation, what should such legislation look like? Should it be based on Fair Information Practice Principles? How might a comprehensive law based on Fair Information Practice Principles account for differences in uses of data and sensitivity of data?
- Does the need for federal privacy legislation depend on the efficacy of emerging legal frameworks at the state level? How much time is needed to assess their effect?
- Short of a comprehensive law, are there other more specific laws that should be enacted? Should the FTC have additional tools, such as the authority to seek civil penalties?
- How should First Amendment norms be weighed against privacy values when developing a legal framework?
The FTC Hearings on Competition and Consumer Protection in the 21st Century will accommodate as many attendees as possible; however, admittance will be limited to seating availability. Reasonable accommodations for people with disabilities are available upon request. Requests for accommodations should be submitted to Elizabeth Kraszewski via email at email@example.com or by phone at (202) 326-3087. Such requests should include a detailed description of the accommodation needed. Please allow at least five days’ advance notice for accommodation requests; last-minute requests will be accepted but may not be possible to accommodate.