On behalf of the Competitive Enterprise Institute (CEI), I respectfully submit the following comments in response to the Federal Trade Commission’s (FTC) advanced notice of proposed rulemaking (ANPR) and request for comment on data security and commercial surveillance practices that harm consumers.
Founded in 1984, the Competitive Enterprise Institute is a non-profit research and advocacy organization focusing on regulatory policy from a pro-market perspective. CEI experts research and advocate policies to boost American technological innovation and economic competitiveness through technology policy and regulatory reforms in data privacy, artificial intelligence, and platform regulation, among other issues.
The Competitive Enterprise Institute appreciates the intention of the FTC to improve data privacy and security practices in the United States and the Commission’s efforts to solicit public comment on whether new trade regulation rules on commercial surveillance and data security are necessary.1 CEI has five primary responses to the FTC’s ANPR inquiry, which are summarized below.
- The advanced notice of proposed rulemaking’s broad scope exceeds the FTC’s statutory authority.
- Absent Congressional authorization, the Commission should focus on addressing specific privacy- related harms and fraud as provided for by the Federal Trade Commission Act.
- The FTC should explore regulatory alternatives, such as advisory guidelines and policy statements, instead of mainly relying on formal rulemaking processes.
- The Commission should ask Congress to create a privacy sandbox, which would allow startups and established companies to offer innovative privacy solutions under a lightened regulatory framework for a limited time. By allowing regulators and the private sector to work closely together, a privacy sandbox could enable the FTC and Congress to better calibrate privacy laws and regulations in keeping with changing technological developments.
- The FTC should examine international legislative and regulatory developments to help Congress develop a federal privacy framework that can better balance the competing priorities of privacy, data and national security, commercial needs, and innovation.
I. The advanced notice of proposed rulemaking’s broad scope exceeds the Federal Trade Commission’s statutory authority
The broad scope of the FTC’s recent advanced notice of proposed rulemaking exceeds the Commission’s statutory authority and is inconsistent with the Commission’s recent practice. In the 1970s, the FTC’s rulemaking based on a broad conception of “fairness” had few limits. That prompted Congress to step in and curb the Commission’s regulatory powers. Since then, FTC rulemaking has traditionally been rooted in identifiable harm, cost-benefit considerations, and economic analysis. That, in turn, has allowed the Commission to play a constructive, impartial role in protecting American consumers and enabling technological innovation.
However, the Commission’s recent inquiry veers from its usually restrained approach to rulemaking. Instead of focusing on specific privacy issues, the FTC asks a series of 95 overly broad questions—from youth protection and commercial surveillance practices to algorithmic fairness and error—many of which fall beyond the traditional scope of the agency’s harm-focused approach.3 The Commission also asks a series of questions related to “unfair methods of competition rulemaking”—a power that Congress has not vested in the FTC.4 Many such overly broad questions potentially affect the entire U.S. digital economy and implicate the major questions doctrine. As such, these issues are better addressed by Congress.
The FTC could argue that it intends to use the ANPR findings to inform Congress of a sound approach for a federal data privacy framework, but that does not appear to be the case. For example, in the ANPR, the FTC solicits public comment on biometrics, data minimization, and other data protection-related issues that Congress has extensively discussed in multiple legislative sessions and hearings, especially in the context of the recently proposed American Data Protection and Privacy Act (ADPPA).5
Given Congress’ already extensive consideration of these issues, the benefit to lawmakers from the FTC repeating such questions is limited. Instead, the broad range of questions and the FTC’s recent efforts to expand its privacy jurisdiction makes it likely that this ANPR is the first procedural step in the Commission’s efforts to redefine and shape the future of data privacy law without Congressional authorization.6
The ANPR’s timing also suggests a disconnect between Congress and the FTC and the Commission’s lack of willingness to work with lawmakers on privacy-related issues. There is a growing need for federal privacy legislation that preempts proliferating state-level privacy laws. Against this backdrop, the American Data Protection and Privacy Act was introduced in the House of Representatives in June 2022.7 Despite the bipartisan support for the proposed law, it featured many flaws. For example, the draft
legislation’s long list of exemptions would limit its preemption powers for state privacy statutes.8 However, instead of voicing such concerns and working with Congress to improve the legislation, the FTC appears more intent on making unilateral privacy rulings as a regulator.
Moreover, the Commission’s recent actions suggest it is willing to act beyond its statutory authority. For example, the proposed ADPPA specifies areas over which the FTC could exercise rulemaking and enforcement authority, including the definition of data security, individual rights, and the rights of third parties. The draft bill also proposes granting the FTC authority to craft regulatory guidelines in areas such as privacy by design, data minimization, and algorithm auditing. However, instead of acting within this narrow role under the ADPPA, the Commission seeks to expand its regulatory powers using an overly broad interpretation of its statutory authority. 9 Instead, the FTC should work with Congress to clarify which additional responsibilities the Commission might need to carry out its role as a privacy regulator going forward.