Following the release of two prominent reports advancing the federal government's policy for online privacy, members of a House subcommittee on Thursday again took up consideration of whether new legislation is needed to protect consumers on the Internet.
At a hearing before the Energy and Commerce Committee's technology subcommittee, top officials with the Department of Commerce and the Federal Trade Commission walked a thin line in their remarks to lawmakers who at times appeared skeptical. Both officials expressed support for baseline privacy legislation that would implement consumer safeguards while avoiding burdensome mandates that could hinder the online economy. At the same time, they emphasized that their recent reports -- the consumer bill of rights that the Commerce Department developed in concert with the White House and the FTC's new report on best practices -- contain no new regulatory mandates.
"These are to some extent aspirational," FTC Chairman Jon Leibowitz told the panel. "We wanted to make it very clear that this isn't a regulatory document or an enforcement document."
Similarly, Lawrence Strickling, the Commerce Department's assistant secretary for communication and information, affirmed that the administration is backing a largely self-regulatory approach.
Both officials expressed support for a rudimentary privacy law, though neither endorsed any specific proposal.
Standards Under Discussion
The FTC and Commerce Department now plan to continue their collaboration with industry stakeholders to develop codes of conduct and implementation strategies to apply high-minded privacy concepts such as transparency and choice into practice.
If the FTC wins formal commitments from industry players to adhere to certain behavior, such as abiding by the rules of the do-not-track mechanism it is endorsing, those firms would then be subject to agency oversight under its authorities relating to unfair and deceptive practices. But in the event that the FTC finds a company to be in violation of those standards and reaches a consent order, as it did last year with Google and Facebook, the agency has no authority to issue financial penalties for civil offenses, a power that it is seeking from Congress.
"I think it just makes for a much more effective deterrent," Leibowitz said. "I think 46 [state] attorneys general, who have baby FTC acts, have this authority. You have to use it judiciously."
"Civil penalty authority for violations of the FTC Act," he added, "is unanimously supported by the commission."
This is not the first time the FTC, frustrated by the limitations of its authority to protect consumer privacy, has sought expanded powers from Congress. In 2009 and 2010, when lawmakers were debating financial reform legislation, one bill that passed the House included language that would have expanded the agency's rulemaking authority. The FTC had been advocating for that provision, which encountered forceful opposition from advertising industry groups, and was ultimately excluded from the final bill.
Now, the FTC is pressing industry groups hard to develop and implement by the end of the year a meaningful do-not-track system that would bring together Web companies and advertisers, grouped under the Digital Advertising Alliance, browser makers and the World Wide Web Consortium, an Internet-standards body.
Leibowitz has spoken favorably of the efforts that industry stakeholders have undertaken to achieve a meaningful self-regulatory framework. At Thursday's hearing, he emphasized that he is not looking to saddle Internet companies with a heavy-handed compliance burden and acknowledged that lawmakers and regulators must tread carefully as they contemplate new rules in such a dynamic and fast-growing sector of the economy.
When asked to clarify his support for a "baseline" federal privacy law, Leibowitz responded: "It means setting a standard that protects consumer privacy in a way that doesn't in any way undermine innovation."
Similarly, Strickling was quick to point out that the bill of rights developed by the Commerce Department and the White House (with input from the FTC and others) preserves the spirit of the self-regulatory framework that has long guided the online privacy space.
"There's nothing about any work that's happened before now that is in any way jeopardized or threatened by what we're going to put in place," Strickling said. "It will build on the work that's already been done by industry and consumer groups up till now."
Strickling also appeared to agree with Leibowitz that Congress should advance legislation that would rein in the practices of data brokers, which often operate beyond the view of public, shielding them from the scrutiny that has created something of a check on consumer-facing companies like Google. Leibowitz and other FTC officials have argued that the government needs to take a more active role in overseeing companies whose stock in trade is the collection, use and sale of consumer data.
But that doesn't sit well with some industry groups. To identify an outfit like Reed Elsevier's ChoicePoint as a data broker might be a relatively straightforward classification, but what about the growing number of online companies that rely on ads tied to consumer information as their primary source of revenue?
"I think we need to realize that the FTC has given great praise to self regulation with one hand, and we want to make sure that they don't take that away by having an overly broad definition of data broker," said Mike Zaneis, senior vice president and general counsel at the Interactive Advertising Bureau, a trade group representing the online ad industry.
"In this day and age, in the digital economy, we have to realize that every publisher, every marketer, every ad agency, every advertising network, every analytics firm that is operating on the Internet transacts in data," he added. "We have to understand that in this information economy, data is the new currency."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Read more about government in CIO's Government Drilldown.
This story, "Will it Take a Law to Protect Online Privacy?" was originally published by CIO.