US citizens, conditioned to expect inaction from Congress, have increasingly turned elsewhere for swift action on today’s pressing issues, including when it comes to privacy. With no major Congressional privacy bill anywhere near passing, more and more people have called for the Federal Trade Commission (FTC) — an independent US agency charged with enforcing federal competition laws and protecting consumers — to fill the void through regulations.
The FTC is an incredibly important body with tools at its disposal to address things like online data practices. The appointment of several key FTC officials over the last year, particularly antitrust expert Lina Khan, has also given people hope that the FTC will take a tougher line with Big Tech companies. Still, the FTC is limited in what it can do to ensure Americans’ privacy, which is why Congress must ultimately step up and get federal privacy legislation across the finish line.
The FTC: dependent on 20th-century tools to tackle 21st-century problems
The FTC was established in 1914 through the FTC Act to ensure that markets are competitive and consumers are protected. At the time, massive monopolies, such as Standard Oil and US Steel, dominated the US economy through price gouging and stifling competition. In response, Congress passed the Sherman Act of 1890 and the Clayton Act of 1914, which laid out a variety of consumer protections and made it easier to classify monopolies. However, it eventually became clear that a regulatory body would be necessary to enforce the laws and craft industry rules. This led to the creation of the FTC, which for over 100 years has ensured businesses do not abuse their power.
This history provides critical context for any assessment of the FTC. First, the FTC is only as strong as Congress allows it to be. Congress confirms or rejects the President’s nominations for FTC Commissioners and determines the level of funding it receives. Second, the FTC was created to tackle massive industrial trusts that dominated the US economy over a century ago. As you might imagine, laws from the early 1900s did not anticipate computers, much less the internet, smartphones, or surveillance capitalism.
What the FTC can and cannot do on its own to protect your privacy
The FTC has two main ways to issue new regulations. New regulations must either:
- Correspond to specific laws passed by Congress, or
- Be based on its power as the general regulatory authority
Congress’s inability to pass a comprehensive privacy bill has convinced many that the FTC should just go ahead and issue data rules through this second route. But this overlooks several challenges the FTC faces when it issues its own regulations.
It is a slow, complicated process to create new regulations
The FTC’s process for passing regulations without a direct Congressional mandate is arduous. The name for this process is Magnuson-Moss rulemaking, and while the details are complex, the short version is that Mag-Moss rulemaking is more burdensome than issuing rules based on a particular law. Mag-Moss imposes extra steps on the FTC, including longer timelines and more strenuous obligations for drafting and passing rules.
The FTC’s authority is limited by its mandate
While the FTC is charged with protecting consumers, there are limits on what it can do. Section 5 of the FTC Act clarifies that the FTC’s consumer protection powers apply to “deceptive” and “unfair” practices. For those who want FTC action on privacy, the good news is that many of the worst data practices on the internet are deceptive. Most of the FTC’s recent cases against Big Tech companies, like the $5 billion fine it imposed on Facebook in 2019, were filed when the FTC caught them lying about what they did with data.
The bad news is that the deception threshold leaves out all the other instances where companies disclose their invasive practices. This means that Big Tech companies do not need to stop collecting or abusing their users’ data. To meet their obligation under the law, they can simply list how they use that data in long, difficult-to-parse Terms of Service and Privacy Policies that no one reads. If the FTC issued data regulations on its own, it would have a hard time going after practices revealed in terms and conditions.
Some have argued that the other category — unfair practices — is the FTC’s best path to data regulations. But here again, there are challenges. “Unfair” in this context broadly means behavior that is harmful to consumers. At first glance, that may sound like a justification for banning data brokers. But the FTC Act clarifies that a practice is only unfair if it causes “substantial injury” (and the FTC’s own policies add that “substantial injury” usually involves monetary harm). This explains why the FTC is active around data breaches and identity theft, but it doesn’t provide a basis for banning companies from reading your emails.
What the FTC has done with legislation to protect your privacy
Clearly, the FTC is limited in what it can do to protect privacy on its own. There are, however, reasons to be hopeful about an FTC equipped with privacy legislation to enforce. While the US doesn’t have a holistic data privacy law on the books, there are previous examples of Congress addressing specific data practices and then giving the FTC authority to oversee and enforce those issues:
- The Fair Credit Reporting Act — Gives Americans the right to know what data credit bureaus or consumer agencies have on them and obliges those entities to protect the data.
- The Gramm-Leach-Bliley Act — Requires financial institutions to keep consumer data confidential and lets consumers request that their data not be shared with third parties.
- The Children’s Online Privacy Protection Act (COPPA) — Requires websites to get parental consent before collecting info from minors (among other things).
Each of these laws gives the FTC direct oversight over its specific niche (and therefore an easier path to regulations). The problem is that relying on three very targeted laws is a piecemeal approach to addressing privacy that leaves a lot of ground uncovered. However, one comprehensive law with authority clearly granted to the FTC could go a long way.
Legislation is the key to more robust privacy protections and a stronger FTC
According to an AP-NORC/MeriTalk poll from September 2021, more than seven out of ten US citizens think the US government should establish national standards for how companies collect, process, and share personal data to help people protect their privacy. However, this initiative would have to be led by Congress, which thus far has failed to pass any major legislation regarding data privacy protection.
There are three things Congress can do that would empower the FTC to force Big Tech companies to take their users’ privacy seriously:
- Pass a comprehensive federal privacy law
- Broaden the FTC’s regulatory authority to oversee a wider range of data issues
- Increase FTC funding and staffing
Let’s look at each of these solutions in greater detail.
Pass an omnibus privacy bill
The most robust solution would be a national privacy law that addresses issues like data portability, the right to be forgotten, targeted advertising, etc., and names the FTC as the overseeing agency. This would make the FTC’s path to regulations easier and ensure that the United States finally tackles privacy head on rather than from the margins.
Empower the FTC by broadening its authority
Even with a strong law on the books, the FTC’s authority is still crucial. A good privacy law would need to clearly state that all of the abusive data practices it lists fall under the FTC’s purview and that the Commission is granted regulatory authority over them.
Congress could also broaden the FTC’s mandate by going straight to the FTC Act. Opening up the FTC’s general authority beyond instances of dishonest terms or financial loss would empower it to finally stop the wider list of data abuses that plague Americans, including data brokers and corporate surveillance.
Fully fund and staff the FTC
The FTC has been understaffed and underfunded for years. It has reached the point that the Commission does not have enough workers to examine merger proposals for antitrust violations. Even if Congress passed new privacy legislation, the FTC does not currently have the resources or manpower to tackle the world’s largest tech companies. Congress needs to increase the Commission’s funding and confirm its Commissioners faster so that the FTC can carry out its mission and hold Big Tech accountable.
Congress must also ensure the internet is a level playing field
Some critics have said that if people wanted to protect their privacy, they could simply choose to use different services. This argument doesn’t really hold up under close inspection. Big Tech companies dominate the internet and the platforms you use to access it. They have also used their size, power, and wealth to tilt the internet in their favor and eliminate or hobble privacy-focused competitors. This means issues around fair competition in the online marketplace are also privacy issues.
Congress must act to make the internet more competitive. Antitrust legislation that addresses self-preferencing via default apps, unfair app store fees, and other abusive practices would allow privacy-focused start-ups to compete with Big Tech companies on a level playing field.
This may sound disheartening to many US citizens, who have come to expect little from Congress and are still let down. But this does not have to be the case — members of Congress answer to the people of the United States.
If you are a US citizen and you want Congress to empower the FTC to protect your privacy and make the internet a level playing field, contact your representative.
A fairer internet where your privacy is protected is within our reach.