Wednesday, September 29, 2021

FTC Commissioner Wilson Recruits Student Researchers to Inform and Inspire Efforts to Pass a Federal Data Privacy Law

Citing what she describes as "significant information asymmetries," Republican FTC Commissioner Christine Wilson long has advocated for a comprehensive federal data privacy law. In fact, she discussed that very issue in her keynote address at the Free State Foundation's Twelfth Annual Telecom Policy Conference in March 2020.

More recently, she partnered with Duke University on a research project designed to expedite the currently stalled legislative process.

To date, efforts to pass a federal privacy law have been stymied by partisan disagreements regarding two issues in particular.

One, whether a federal data privacy law should preempt similar state laws. As I have argued on numerous occasions, most recently in "Pressures Multiply for Congress to Act on Data Privacy," a Perspectives from FSF Scholars published earlier this month, it should.

The growing list of states with their own, inconsistent statutes – which currently includes California (both the California Consumer Privacy Act and the California Privacy Rights Act), Virginia (the Virginia Consumer Data Protection Act), and Colorado (the Colorado Privacy Act) – unreasonably complicates companies' compliance efforts and creates chaos for consumers.

Two, whether it should provide for a private right of action. It should not. Generally speaking, class-action lawsuits benefit attorneys, not consumers. Case-by-case enforcement by the FTC is the better approach.

Unable to find common ground on these questions, lawmakers have made no observable progress of late. However, the fact that the Senate Commerce Committee is holding a hearing today titled "Protecting Consumer Privacy," the first of its kind this year, perhaps offers a glimmer of hope.

Given the failure to date of Congress to pass privacy legislation, there have been repeated calls for the FTC to commence a rulemaking. On September 20, a group of Democratic Senators led by Richard Blumenthal (CT) wrote to FTC Chair Lina Khan urging her to do just that.

Notably, and in specific response to the lack of legislative momentum, at one point Commissioner Wilson herself reluctantly expressed her support for an FTC privacy rulemaking, a statement that I highlighted in a July 2021 post to the FSF Blog.

But in light of a pattern of agency actions that Commissioner Wilson troublingly regards as an "abrupt departure from regular order" – including, most recently, the September 15th decision along party lines to withdraw the Vertical Merger Guidelines that were issued in 2020, to which she and fellow Republican Commissioner Noah Phillips responded with a co-authored Dissenting Statement – she has had a change of heart.

In an Oral Statement submitted to the House Commerce Committee's Subcommittee on Consumer Protection and Commerce in July of this year, she wrote the following:

In recent months, I had become more receptive to a [Magnuson]-Moss rulemaking on privacy to address the information asymmetry between the providers of goods and services and their users. But the Commission recently voted along party lines to pare back procedural safeguards and limit opportunities for public input during agency rulemakings. Given these changes, I am less inclined to support a Mag-Moss rulemaking on privacy. Federal privacy legislation remains the optimal solution.

In an attempt to facilitate that "optimal solution," Commissioner Wilson several months ago partnered with Duke University's Professor David Hoffman, along with students from its law school and Sanford School of Public Policy, to produce "a resource for legislators" – specifically, research-driven insight into how other federal statutes have addressed these two sticking points.

The fruits of that effort, which focused on both federal statutes (ten on the topic of preemption, six regarding remedies) and the European Union's General Data Protection Regulation (GDPR), have been made available publicly here.

In a keynote address delivered at "Exploring Options: Overcoming Barriers to Comprehensive Federal Privacy Legislation," a related event held on September 21, 2021 (video available here), Commissioner Wilson offered her perspective on these findings.

While acknowledging that the research revealed that "federal statutes that preempt an entire field of law are rare," Commissioner Wilson argued that the more common approach — where Congress "establish[es] a federal floor and allow[s] states to pass more stringent laws" — is not well suited to "fields like … the Internet that transcend state and national borders."

Given that:

  1. "[T]he very nature of the Internet makes it likely that the most stringent state standard will become the de facto national standard," and
  2. A primary regulatory objective should be to ensure that businesses are subject to consistent obligations,

Commissioner Wilson suggested that a better way forward would be to ensure that those rights and responsibilities established at the federal level are sufficiently robust on their own: "If the [federal] law provides strong rights and imposes appropriate standards and obligations on businesses, as well as robust and accessible remedies, more stringent state laws should not be necessary."

She also indicated that, given the dynamic and constantly evolving nature of the online experience, she would support "vesting the FTC with carefully tailored rulemaking authority … to facilitate updating key definitions and provisions over time."

With respect to remedies, Commissioner Wilson began with the point that a strong privacy law, one that empowers and adequately funds the FTC's efforts, would undercut one of the primary arguments as to why a private right of action may be necessary – that is, the perception that current levels of enforcement are inadequate.

She also highlighted research demonstrating that "abusive class action practices increase costs for businesses – while providing little in the way of redress for consumers, changed business practices, and deterrence."

Stepping back, Commissioner Wilson then made the foundational recommendation that "we … broaden the conversation" beyond solely whether or not to include a private right of action to "focus on establishing a constructive remedial framework."

In that vein, she cited "Breaking the Privacy Gridlock: A Broader Look at Remedies" by Jim Dempsey, Chris Hoofnagle, Ira Rubinstein, and Katherine Strandburg, when making the following three points:

  1. Remedies should be tied to policy goals,
  2. No one remedy can successfully promote even a simple goal and therefore an effective law should include multiple remedies, and
  3. Intermediaries and third parties play a powerful role.

Asserting that "an 'all or nothing' approach will not serve the goals of privacy legislation," Commissioner Wilson suggested that alternative enforcement proposals be given serious consideration, including those that involve:

  • A supervisory authority and/or third-party intermediaries, or
  • A private right of action "in limited circumstances [with] substantive and procedural limits," exclusively "for specific, highly sensitive types of data," or providing only for injunctive relief.

In conclusion, she stated the following: "Ideally, the remedies contained in privacy legislation will turn on the kinds of injuries consumers may suffer."

At the same time, she teed up the question as to how the standing test set forth by the Supreme Court in its 2021 Transunion, LLC v. Ramirez decision might impact the options available to Congress.