Does protecting consumers online and addressing potential harm associated with digital platforms require creating a new regulatory agency? Some members of Congress think so. The newly introduced American Privacy Rights Act (APRA) is a comprehensive privacy bill that elevates the Federal Trade Commission (FTC) to handle a wide swath of regulatory rulemaking and enforcement related to data-driven commerce. While the bill does not go as far as proposals for a stand-alone internet agency, it accomplishes something similar: it anoints the FTC as the U.S.’s digital regulator. Expanding the FTC’s regulatory authority through rulemaking will detract from the FTC’s proper role as an enforcement agency focused on promoting competition and protecting consumers.
The bill would direct the FTC to draft rules for what types of data a firm can collect and how firms offer products and services using collected data, and creates requirements for audits of product design that must be provided to the FTC prior to public release. If passed, these legislative provisions will grant the FTC wide latitude to draft rules that could shape the creation, distribution, and evolution of firms’ digital products and services. This expansion of the FTC’s regulatory authority through rulemaking and informal guidance is problematic for several reasons.
First, granting rulemaking authority to the FTC over several areas would expand the FTC’s regulatory powers, diverting focus and resources away from its primary role as an enforcement agency. The bill would provide the FTC with the authority to draft rules in four areas related to data security and privacy through the Administrative Procedure Act (APA) as well as nine areas to issue guidance to clarify compliance with the law as written by Congress. Any violation of the law is considered an unfair or deceptive act or practice, triggering enforcement based on Section 5 of the FTC Act.
APA rulemakings can be time consuming and costly for agencies, as they must devote staff time that could be spent enforcing existing law. Given that the agency has already struggled to fulfill its obligations since chair Lina Khan took office, this is hardly the time to give the FTC new responsibilities and divert further resources from its current task. The Commission has already proposed more rules with higher proposed costs than any FTC since 2005. This is at the discretion of a Chair who has faced allegations of abuse of power and overseen an exodus of career staff stemming from her refusal to follow standard processes and consider input from career staff. Considering the expansive authority that the bill could grant, policymakers focused on balancing consumer privacy with digital commerce, competition, and innovation should be wary of potential regulatory overreach and the associated costs.
Further, such expansion of FTC power would allow the Commission to shape markets and product design, harming competition and innovation and detracting from the Commission’s mission of promoting competition and protecting consumers. While the bill does attempt to create thresholds that exempt small and medium enterprises (SMEs) and support some potentially pro-competitive opportunities for SMEs, the broad rulemaking authority will likely ensnare far more commercial activity than is intended.
For an example of how rulemaking related to product design can have unintended consequences, consider the impact of the Children’s Online Privacy Protection Act (COPPA) rules on the development of online platforms and products designed for children. COPPA delegated rulemaking authority to the FTC to design and enforce rules regulating how websites collected data on children under the age of 13 when they visited a website. But because of the difficulties created by COPPA compliance, firms and individual content creators shifted productive capital elsewhere, resulting in fewer products designed for minors and less competition and innovation within this market. While children are using the internet more than ever, such rules have failed in their goal of protecting minors’ data.
Finally, the bill’s rulemaking requirements for impact assessments of algorithms and data usage create a presumption of harm for firms developing and investing in new technologies, further extending the FTC’s reach over digital products and services. Such a regulatory structure could dissuade firms from introducing new features that may improve the experiences for users or create new lines of business because of potential legal exposure. The rules would apply to “large data holders,” ensnaring large social media platforms as well as data brokers or other firms that happen to transfer or interact with large quantities of data, an increasingly important input for businesses. In its current form, firms would be obligated to submit information that amounts to “regulation by raised eyebrow.”
While information within these reports cannot be used as a basis for FTC enforcement generally, if a firm has an existing consent decree with the agency such limitations do not apply. Combining the threshold for large firms with such consent decree language could harm small businesses that rely on larger firms to promote their businesses or offer new complementary products and services. An example of prescriptive regulations and expanded liability’s negative consequences for industries that rely on consumer data is the decline in SMEs and increased advertising revenue for large technology firms in Europe following the introduction of the EU’s General Data Protection Regulation.
Addressing the lack of consistent rules for data privacy and security for consumer applications is a worthy endeavor, but the APRA’s text should raise questions rather than being the answer. The bill’s construction would enshrine the FTC as the internet’s de-facto regulator. It empowers the agency's expanded regulatory authority through various rulemakings and guidance, while also ascribing broad enforcement authority. This dual mandate would add untold regulatory and compliance costs for existing firms, while also reshaping market incentives and business practices for any firm that relies on digital user data. As lawmakers consider the best path forward for federal data privacy and security, they should step back and consider how well-intended regulation may miss the mark.
