GAO Recommends That Congress Consider Comprehensive Consumer Privacy Legislation

The Government Accountability Office (GAO) issued a report examining the federal government's jurisdiction over matters pertaining to data privacy. It recommended that Congress develop comprehensive legislation conferring appropriate enforcement and oversight authorities to the federal government in order to enhance consumer protections.

The Government Accountability Office (GAO) recently issued a report entitled "Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility." In it, the GAO examined the federal government's current role in overseeing internet and consumer data privacy and explored areas where lawmakers might consider reform. The GAO—an independent, nonpartisan agency that is sometimes called the "congressional watchdog"—functions as an advisor to Congress and federal agencies through issuance of "objective, reliable information" to assist the government in functioning effectively. Congressional Democrats on the House Energy and Commerce Committee initially requested that the GAO examine the issue. Given the barrage of recent consumer data breaches and scandals, the enactment last year of California's Consumer Privacy Act, and general congressional interest in developing a federal privacy law, the GAO's report is timely and provides valuable context to the larger question of the federal government's role in presiding over internet privacy.

Given that there is no federal comprehensive internet privacy law governing the collection, use, and sale of consumer data, the report first examines what authority the federal government uses to oversee matters related to internet privacy. The Federal Trade Commission (FTC) derives its statutory authority from the FTC Act to address instances in which consumers experience harm related to a misuse of their personal data. However, the act itself does not explicitly speak in terms of protecting consumer privacy. Rather, section 5 of the law prohibits "unfair or deceptive acts or practices in or affecting commerce" and empowers the FTC to take enforcement action in response to such activity. The FTC applies this authority to practices it deems "unfair" in relation to privacy when a company has allegedly failed to protect consumer data; similarly, the agency uses its authority to address "deceptive" practices to penalize a company for violations of its written privacy policies and/or representations concerning data security.

The GAO notes, however, that the FTC's authority in this regard is limited. For example, the FTC Act prohibits the agency from acting against common carriers such as telecommunication services, airlines, and railroads, and the agency does not have jurisdiction over banks, credit unions, or savings and loan institutions. Additionally, the FTC's enforcement cases are settled without the imposition of civil penalties in the first instance of an offense. Instead, the FTC generally enters into settlement agreements that require the company in question to take certain corrective actions, such as implementing appropriate privacy and security programs or providing monetary redress to consumers. It's also important to note that the FTC has yet to implement its section 5 unfair and deceptive practices authority through regulation. As the GAO explained in its report, federal agencies typically promulgate implementing regulations through traditional notice-and-comment rulemaking as set forth under section 553 of the Administrative Procedure Act (APA). The FTC, however, generally must follow a different rulemaking procedure as set forth in the Magnuson-Moss Warranty Act (Magnuson-Moss), which requires additional steps beyond those set forth in section 553 of the APA. In fact, the FTC has not promulgated any regulations using the Magnuson-Moss procedures since 1980, and according to interviews the GAO conducted with FTC staff, "the additional steps required under Magnuson-Moss add time and complexity to the rulemaking process."

Taken together, the GAO's analysis illustrates just how limited the FTC's authority is in overseeing consumer data privacy issues. Meanwhile, the report references analysis from the National Telecommunications and Information Administration (NTIA) indicating that 24 percent of Americans declined to make or avoided making financial transactions on the internet in 2017 due to concerns over identity theft, credit card/banking fraud, data collection by online services, loss of control over personal information, data collection by government, and threats to personal safety.

The GAO supplemented its examination of the FTC's current authority with interviews soliciting input from stakeholders regarding an internet privacy enforcement approach and issues to consider in the development of a potential law. As one might expect, views were varied. Industry stakeholders noted that any regulations specific to the internet industry could quickly become obsolete, given that the sector can change significantly from one year to the next—and it often takes an agency much longer than a year to promulgate and adopt a rule. Some industry stakeholders also indicated that enforcement actions—such as settlement agreements—effectively establish precedents that companies can follow, similar to how case law developed in the courts provides guidance for companies. That said, industry groups—specifically trade associations—have previously criticized agencies for this approach, characterizing it as "regulation through settlements."

Government stakeholders referenced challenges they already encounter in the space, explaining that regardless of whether violations involve financial or other harms, it is often challenging to identify the responsible party for a privacy-related offense. That said, many of the non-industry stakeholders surveyed, including government and consumer advocates, expressed their belief that regulation combined with enforcement would be most effective. And pushing back on the industry claim that regulations can become obsolete and are the product of an inflexible process, these stakeholders noted that regulations can be based on broad performance standards and principles to avoid being overly prescriptive. They also noted that regulations can be amended or repealed faster than Congress can enact statutes. Finally, consumer advocates stated that enforcement alone is deficient because it does not adequately serve as a deterrent to affect companies' behavior and because it occurs after a consumer experiences a harm.

The GAO concluded that comprehensive internet privacy legislation establishing specific standards and including traditional notice-and-comment rulemaking, as well as broader civil penalty authority, could serve to improve the federal government's ability to protect consumer data privacy. Ultimately, the GAO recommends that Congress develop comprehensive legislation on internet privacy that enhances consumer protections and provides flexibility to address a rapidly changing technology environment. The GAO urges lawmakers to consider (1) which agency/agencies should oversee internet privacy; (2) what authorities an agency should have to oversee internet privacy—such as traditional notice-and-comment rulemaking and civil penalty authority; and (3) how to balance consumers' needs for privacy with industry's need for innovation.

EDUCAUSE has previously provided updates on congressional hearings examining this topic and is closely tracking the state of play on Capitol Hill as lawmakers continue to consider the potential for a federal data privacy law. The policy team will continue to keep members apprised as relevant developments unfold.

Kathryn Branson is an associate with Ulman Public Policy.

© 2019 Kathryn Branson. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.