The GAO conducted a comprehensive analysis of the US federal regulatory landscape with respect Internet privacy, specifically with respect to FTC and FCC enforcement actions and authorities. GAO interviewed representatives from industry, consumer advocacy groups, academia, FTC and FCC staff, former FTC and FCC commissioners, and officials from other agencies. (See page 40 of the report for a complete listing of those interviewed.) GAO recommends that Congress consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.
The report focuses on Internet data privacy rather than data security. It examined how Internet content providers (called “edge providers”) and Internet service providers collect, use, and share information from their customers to enable their services, support advertising and for other purposes. The report notes the widespread use of the Internet and highlighted two recent nationwide surveys. The first, conducted by the US Census Bureau for NITA in 2017, found that 78 percent of Americans ages 3 and older use the Internet and a 2018 Pew Research Center nationwide survey found that 69 percent of American adults use some kind of social media.
Not surprisingly, the stakeholders’ views varied on the benefits and concerns with collecting and using consumers’ data from the Internet. The key benefits of information collection were identified as:
- Enables certain services – for example, content providers much sometimes collect information in order to provide a service, such as a mapping service that must collect and use consumers’ current location to provide up-to-date direction.
- Provides low-cost or free services – for example, search terms can provide consumers with free advertising for products and services associated with the search term.
- Supports innovation and customization – for example, data collected about individuals and their interests may allow for targeted advertising about items that may be of interest to the consumer.
Despite the benefits noted above, the nationwide surveys have shown that there are concerns about the collection and use of customer information on the Internet. State holders elaborated on some of these concerns:
- Public disclosure and data breaches that create fear about identity theft.
- Financial and other harms associated with the misuse of personal information including identity theft and credit card fraud.
- Consumer’s lack of understanding of what data is collected and how it is used.
- Consumer lack of control of how their data is used.
The report next described the different regulatory approaches for FTC and the FCC noting that the different approaches are the result of the differing statutory authority. Specifically, the FTC does not have notice and comment rulemaking authority, which means that the privacy rules that the FTC has issued, such as the Children’s Online Privacy Protection Act, was the result of specific statutory directive. As a result, the FTC has used its existing Section 5 authority, which prohibits unfair or deceptive practices, to bring over 100 privacy and data security actions. The report notes that the Commission’s statutory authority does not include the ability to seek civil penalties for violations of Section 5. In contrast, the FCC has brought some law enforcement actions, but has also operated through rulemakings.
The report next addressed the effectiveness of current Internet privacy oversight. Some industry stakeholders felt that enforcement is preferable to promulgating and enforcing regulations because of the belief that regulations can stifle innovation, create loopholes, and become obsolete. Other industry stakeholders were of the opinion that the FTC’s enforcement approach does not provide clear guidance.
A majority of non-industry stakeholders identified limitations in the current Internet privacy oversight approach because they viewed regulations in conjunction with enforcement as being more effective. According to these stakeholders regulations can provide clarity, may promote fairness, flexibility and can be used a da deterrent.
Various stakeholders who believe that the FTC’s current authority is limited identified three main actions could would better protection Internet privacy:
- An overarching federal privacy statute would establish general requirements governing Internet privacy of all sectors
- Notice and comment rulemaking, and
- Civil Penalty authority. Des that
As a result, the GAO concludes that recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation. Specifically, GAO recommends that Congress consider:
- Which agency or agencies should oversee Internet privacy
- What authorities an agency or agencies should have to oversee Internet privacy including notice-and-comment rulemaking authority and civil penalty authority
- How to balance consumers’ need for Internet privacy with industry’s ability to provide services and innovate.
The PDF report can be downloaded at the GAO website.