Is New Legislation Needed to Protect Online Privacy?
Administration officials insist they're not after heavy-handed regulatory approach, but if self-regulation can work, a baseline privacy law might still be needed.
Thu, March 29, 2012
CIO — Following the release of two prominent reports advancing the federal government's policy for online privacy, members of a House subcommittee on Thursday again took up consideration of whether new legislation is needed to protect consumers on the Internet.
At a hearing before the Energy and Commerce Committee's technology subcommittee, top officials with the Department of Commerce and the Federal Trade Commission walked a thin line in their remarks to lawmakers who at times appeared skeptical. Both officials expressed support for baseline privacy legislation that would implement consumer safeguards while avoiding burdensome mandates that could hinder the online economy. At the same time, they emphasized that their recent reports -- the consumer bill of rights that the Commerce Department developed in concert with the White House and the FTC's new report on best practices -- contain no new regulatory mandates.
"These are to some extent aspirational," FTC Chairman Jon Leibowitz told the panel. "We wanted to make it very clear that this isn't a regulatory document or an enforcement document."
Similarly, Lawrence Strickling, the Commerce Department's assistant secretary for communication and information, affirmed that the administration is backing a largely self-regulatory approach.
Both officials expressed support for a rudimentary privacy law, though neither endorsed any specific proposal.
The FTC and Commerce Department now plan to continue their collaboration with industry stakeholders to develop codes of conduct and implementation strategies to apply high-minded privacy concepts such as transparency and choice into practice.
If the FTC wins formal commitments from industry players to adhere to certain behavior, such as abiding by the rules of the do-not-track mechanism it is endorsing, those firms would then be subject to agency oversight under its authorities relating to unfair and deceptive practices. But in the event that the FTC finds a company to be in violation of those standards and reaches a consent order, as it did last year with Google and Facebook, the agency has no authority to issue financial penalties for civil offenses, a power that it is seeking from Congress.
"I think it just makes for a much more effective deterrent," Leibowitz said. "I think 46 [state] attorneys general, who have baby FTC acts, have this authority. You have to use it judiciously."
"Civil penalty authority for violations of the FTC Act," he added, "is unanimously supported by the commission."
This is not the first time the FTC, frustrated by the limitations of its authority to protect consumer privacy, has sought expanded powers from Congress. In 2009 and 2010, when lawmakers were debating financial reform legislation, one bill that passed the House included language that would have expanded the agency's rulemaking authority. The FTC had been advocating for that provision, which encountered forceful opposition from advertising industry groups, and was ultimately excluded from the final bill.