The 1970s are calling, and they want their regulation back.
Details of a draft privacy bill crafted by the Obama administration have emerged, and they’re frightening. The proposal would give the Federal Trade Commission broad powers to regulate the information economy, allowing it to reprise a role it hasn’t played since the 1970s, when it tried to break up the automobile and breakfast cereal industries and ban advertising to children in the name of healthy teeth. We all know how that story ended: the Washington Post mocked it as the “National Nanny,”and Congress literally shut it down and severely curtailed its power.
Although the FTC’s current approach to privacy has its critics—myself among them—its flexible application of its consumer protection authority to companies’ collection, use and storage of personal data is positively libertarian compared to what the Obama administration is proposing. Here are some highlights:
- The FTC would determine when data use is not “reasonable in the light of context.”
- When making this determination, the FTC would consider the risk of “emotional, professional or other harm to an individual.”
- If the FTC determines the use is not “reasonable in the light of context,” never fear. The company can still use the data if an FTC-approved “privacy review board” determines:
-It’s impractical to provide “heightened transparency and individual control;”
-The businesses goals will provide “substantial benefits,” some which must accrue outside the firm;
-These benefits must be greater than the privacy risks, which again include “emotional, professional, and other harm;” and the business has taken “reasonable steps” to mitigate remaining privacy risks.
-If your data analysis has the potential to result in “adverse actions concerning multiple individuals,” the FTC’s going to need you to perform a disparate impact analysis.
And this is just the tip of the iceberg. For example, the proposal also would give the FTC power to shape the collection and use of data in the information economy based on its conceptions of the following standards:
- Consumers must have “reasonable means to control the processing of personal data;” “reasonable notice in light of context;” “reasonable access to such notice.”
- Firms must delete or de-identify consumer data “within a reasonable period of time;” “collection, retention and use of consumer data must be “in a manner reasonable in the light of context;” and data security must be “reasonably designed.”
The FTC would be able to enforce these relatively subjective requirements with the threat of civil penalties “not to exceed $25,000,000.”
As I’ve written elsewhere, the FTC’s privacy program already rests on a shaky economic foundation. This proposal would only exacerbate the situation. Currently, the FTC must focus on consumer harm—to condemn a practice, it must either “cause substantial consumer injury” that is greater than any benefits, or be materially misleading. The recalibration to a consumer harm focus was the FTC’s attempt to restore credibility after the regulatory excesses of the 1970, and it worked—the FTC has gone from the poster-child of regulatory abuse to the world’s preeminent consumer protection agency. This bill would undo all of that and enshrine a standard under which subjective opinions, rather than objective indicators of consumer harm, would be the touchstone of privacy regulation. For example, three commissioners (or an FTC-approved privacy review board) could prevent a firm from using data if they believed that the use would damage someone’s career or cause them emotional distress, that any benefits from the use were less than these costs, or even if the benefits were larger than the costs, that too many of the benefits accrued to the firm. This sort of subjectivity breeds uncertainty, and regulatory uncertainty would chill innovation in the information economy. Of course, the bill is almost guaranteed to promote growth in another sector — lawyers practicing before the FTC.
And what’s the justification for this new framework? The unsupported assertion that regulation to “preserve individuals’ trust and confidence that personal data will be protected” is needed “to promote continued innovation and economic growth in the networked economy.” Is this the same sector that has grown in less than two decades to contribute $1 trillion to GDP and employ 2.4 million people, and which continues to be the envy of the world? Is this the same “networked economy” that scours the entire web in a microsecond, allows me to shop for anything 24 hours a day, connects over a billion people in social networks, and that gives us access to all manner of content — from breaking news, to live sports, to TV shows — just about anywhere on our iPhones and iPads? The administration has it backwards; these companies have prospered, and in the process improved everyone’s lives, because they have been left relatively free from government interference. There’s simply no evidence that government regulation is needed now to maintain its success. Much like the FCC’s recent “net neutrality” grab, the administration’s privacy proposal threatens to transform the regulatory regime covering the information technology sector from one of “permissionless innovation” to one in which the FTC again acts as the National Nanny. By sending the FTC back to the 1970s, the administration’s proposal threatens to do the same to the information economy.
James Cooper is the director of research and policy at the Law and Economics Center at George Mason University School of Law.