Research Programs
More
What are you looking for?
Showing 6 of 69 Publications by Daniel J. Gilman
Regulatory Comments Executive Summary The Federal Trade Commission (“FTC”) has issued an Advanced Notice of Proposed Rulemaking (“ANPR”) on “Commercial Surveillance and Data Security,”[1] initiating a proceeding . . .
The Federal Trade Commission (“FTC”) has issued an Advanced Notice of Proposed Rulemaking (“ANPR”) on “Commercial Surveillance and Data Security,”[1] initiating a proceeding intended to result in binding rules regarding “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”[2]
There is reason to believe that streamlined and uniform federal data-security or privacy regulations could be both beneficial and within the FTC’s competence and authority. But the approach suggested by the ANPR—simultaneously sweeping and vague—appears very likely to do more harm than good. Most notably, the ANPR evinces an approach that barely acknowledges either the limits of the FTC’s authority or the tremendous consumer benefits produced by the information economy.
The FTC is uniquely positioned to understand the complexities entailed in regulating privacy and data security. It has expertise and experience in both consumer-protection and competition matters. With regard to privacy and data security, in particular, it has decades of experience bringing enforcement actions for violations of the FTC Act’s prohibition of deceptive and unfair practices. Its enforcement experience also has been bolstered by its statutory mission to conduct economic and policy research, which has, not incidentally, comprised numerous hearings, workshops, studies, and reports on issues pertinent to data policy.
The ANPR does not build on the Commission’s experience and expertise as it could, however, and its dearth of economic analysis is especially striking. Moreover, the Commission’s authority is not unbounded, and neither are its resources. Both limitations are salient when the Commission considers adopting substantive—or “legislative”— regulations under either Section 18 or Section 6 of the FTC Act. As we discuss below, the current proceeding is deficient on both substantive and procedural grounds. Absent an express grant of authority and the requisite resources from Congress, the Commission would be ill-advised to consider, much less to adopt, the kinds of sweeping data regulations that the Commercial Surveillance ANPR appears to contemplate.
The ANPR states that it was issued pursuant to the Commission’s Section 18 authority,[3] which both grants and restrains the FTC’s authority to adopt regulations with respect to “unfair or deceptive acts or practices in or affecting competition” (“UDAP”).[4] Rulemaking under Section 18 of the FTC Act[5] requires that the Commission follow a careful process. As a preliminary matter, it must identify for both Congress and the public an area of inquiry under the Commission’s jurisdiction; the Commission’s objectives in the rulemaking; and regulatory alternatives under consideration.[6] Unfortunately, the Commission has not met these obligations in this ANPR.
Under Section 18, the Commission may adopt “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce”[7] under Section 5 of the FTC Act. Section 18 imposes express procedural requirements, in addition to those set out for this ANPR. These include, but are not limited to, requirements for a Notice of Proposed Rulemaking (“NPRM”). Section 18 also incorporates by reference the procedures prescribed by the Administrative Procedure Act.[8]
As noted, Section 18’s requirements for an ANPR are brief and preliminary but they are nonetheless real. In contravention of the requirements of Section 18, this ANPR does not clearly describe any “objectives which the Commission seeks to achieve,” and it provides no indication of “possible regulatory alternatives under consideration by the Commission.”[9] Instead, it provides a laundry list of putative harms, and it fails to identify even the most basic benefits that may be associated with diverse commercial-data practices. It does not describe the Commission’s current assessment of, or position on, those practices. And it provides no sense of the direction the Commission intends to take regarding potential rules.
Failing to identify the Commission’s objectives or proposals under consideration, this ANPR fails in its basic purpose to “invite… suggestions or alternative methods for achieving [the] objectives.”[10]
Any rules the Commission issues under a Section 18 proceeding must emerge from a cost-benefit analysis.[11] Both the potential harms and the benefits of challenged conduct must be well-defined, and they must be weighed against each other. Even at this early stage of the process, the FTC is obligated to provide more than a suggestion that some harm might be occurring, and to provide more than a hint of how it might handle those harms.
This is also good procedure for policymaking more generally, irrespective of the Commission’s statutory obligations under Section 18. Before engaging in a deeply interventionist regulatory experiment—such as imposing strict privacy regulations that contravene revealed consumer preferences—the Commission should publicly state empirically justified reasons to do so. In other words, there should be demonstrable market failures in the provision of “privacy” (however we define that term) before centralized regulation co-opts the voluntary choices of consumers and firms in the economy, and before it supplants the ability to redress any residual, cognizable harms through law enforcement with broad, economywide, ex ante rules.
Thus, a vital threshold question for any rules issued under this proceeding is whether and why markets operating without specific privacy regulation generate a suboptimal provision of privacy protection. Without this inquiry, it is unclear whether there are problems requiring regulatory intervention and, if so, what they are. Without knowing their purpose, any rules adopted are likely to be ineffective, at best, and harmful, at worst. They may increase costs for consumers and businesses alike, chill innovation, mandate harmful prescriptions for alleged privacy harms while failing to address the most serious and persistent harms, or exacerbate the risks of harm—or all of the above.
Particularly in the United States, where informational privacy is treated both legally and socially as more of a consumer preference (albeit, perhaps, a particularly important one) than a fundamental right,[12] it is difficult to determine whether our current regime produces the “right” amount of privacy protection. That cannot be determined by observing that some advocates and consumers who are particularly privacy-sensitive opine that there should be more, or more of a certain sort; nor is it enough that there have been some well-publicized violations of privacy and cases of demonstrable harm. Indeed, the fact that revealed preferences in the market tend toward relatively less privacy protection is evidence that advocates may be seeking to create a level and a type of privacy protection for which there is simply no broad-based demand. Absent a pervasive defect that suggests a broad disconnect between revealed and actual preferences, as well as a pattern of substantial net harm, the Commission should be extremely cautious before adopting preemptive and sweeping regulations.
At a minimum, the foregoing indicates that the Commission must undertake several steps before this ANPR is close to satisfying the requirements of Section 18, not to mention good government:
The Commission must also adequately account for the potential harms to innovation and competition that can arise from the adoption of new privacy and data-security regulations. Resources that firms invest in compliance cannot be invested in product development, customer service, or any of a host of other ends. And compliance with overly broad constraints will often curtail or deter the sort of experimentation that is at the heart of innovation.
Moreover, there is a potential tension between privacy and data security, such that mandates to increase privacy can diminish firms’ ability to ensure data security. The EU’s experience with the General Data Protection Regulation (“GDPR”) has demonstrated some of this dynamic.[15] These realities must be incorporated into the Commission’s assessment.
The Commission is obligated to consider the likely effects of data regulation on consumers and competition. That ought to be a requirement for regulation generally, but it is an express, statutory requirement for unfairness regulation under Section 18 of the FTC Act. The Commission is uniquely well-situated to meet that mandate by virtue of its distinctive, dual competition and consumer-protection missions. Indeed, the Commission’s antitrust-enforcement experience dates to the agency’s inception. In addition, the Commission can access the considerable expertise of its Bureau of Economics, which employs experts in both industrial organization and consumer-protection economics. Yet much of that expertise appears absent from the ANPR.
This ANPR does not specify, or even sketch, the data regulations being contemplated by the Commission. Neither does it specify the Commission’s goals in the rulemaking or alternative regulatory approaches under consideration, although both are required by statute. Consequently, one cannot assess the net effects of any proposed “commercial surveillance and data security” rule on competition or consumers, because there simply is no proposed rule to assess.
The economic literature, however, does suggest caution:
The literature on the effects of GDPR and other data regulations is particularly instructive. Although it is neither definitive nor complete, it has thus far found slender (at best) benefits to competition or consumers from data regulations and considerable costs and harms from their imposition. Further experience with and study of data regulations could yield a more nuanced picture. And, again, the FTC is well-positioned to contribute to and foster a greater understanding of the competitive effects of various types of data regulation. Doing so could be greatly beneficial to policymaking, competition, and consumer welfare, precisely because specific data practices can produce substantial benefits, harms, or a complex admixture of the two. But documented harms and speculative benefits of regulation recommend caution, not blind intervention.
The Commission should take account of a further reality: the rules it contemplates will be created in an environment filled with other privacy regulators. Although the United States does not have a single, omnibus, privacy regulation, this does not mean that the country does not have “privacy law.” Indeed, generally applicable laws providing a wide range of privacy and data-security protections already exist at both the federal and state level. These include consumer-protection laws that apply to companies’ data use and security practices,[19] as well as those that have been developed in common law (property, contract, and tort) and criminal codes.[20] In addition, there are sector-specific regulations pertaining to particular kinds of information, such as medical records, personal information collected online from children, and credit reporting, as well as regulations prohibiting the use of data in a manner that might lead to certain kinds of illegal discrimination.[21]
Despite the FTC’s noted experience in a certain slice of privacy regulation, Congress has not made the FTC the central privacy regulatory body. Neither has Congress granted the Commission the resources likely required for such a regulator. Congress has wrestled with complex tradeoffs in several areas and has allowed—through design and otherwise—various authorities to emerge. Where Congress has provided for privacy regulation, it has tailored the law to address specific concerns in specific sectors, or with respect to specific types of information. Moreover, in each case, it has balanced privacy and security concerns with other policy priorities. That balancing requires technical expertise, but it also entails essentially political judgements about the relative value of diverse policy goals; in that latter regard, it is a job for Congress.
There are, as well, questions of resource allocation that may attend an express statutory charge. We cannot gainsay the importance of the FTC’s privacy and data-security enforcement work under Section 5 of the FTC Act. At the same time, we cannot help but notice a misfit between the Commission’s congressionally allocated resources and the obligations that are entailed by data regulations of the scope contemplated in the ANPR. By way of contrast, we note that, since the compliance date of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rule, the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has investigated and resolved nearly 30,000 cases involving HIPAA-covered entities and their business associates; for appropriate cases of knowing disclosure or obtaining of protected health information, OCR has referred more than 1,500 cases to the U.S. Department of Justice (“DOJ”) for criminal prosecution.[22]
In his dissent from the issuance of this ANPR, former Commissioner Noah Phillips noted the massive and complicated undertaking it initiates:
Legislating comprehensive national rules for consumer data privacy and security is a complicated undertaking. Any law our nation adopts will have vast economic significance. It will impact many thousands of companies, millions of citizens, and billions upon billions of dollars in commerce. It will involve real trade-offs between, for example, innovation, jobs, and economic growth on the one hand and protection from privacy harms on the other. (It will also require some level of social consensus about which harms the law can and should address.) Like most regulations, comprehensive rules for data privacy and security will likely displace some amount of competition. Reducing the ability of companies to use data about consumers, which today facilitates the provision of free services, may result in higher prices—an effect that policymakers would be remiss not to consider in our current inflationary environment.[23]
This is particularly true given the Commission’s long history of work in this area. The Commission has undertaken decades of investigations and a multitude of workshops and hearings on privacy and related topics. This ANPR nods to that history, but it does not appear to make much use of it, possibly because much of it contains lessons that pull in different directions. Overall, that impressive body of work does not remotely point to the need for a single, comprehensive privacy rule. Rather, it has demonstrated that privacy regulation is complicated. It is complicated not just as a technical matter, but also because of the immense variety of consumers’ attitudes, expectations, and preferences with respect to privacy and the use of data in the economy.
The Commercial Surveillance ANPR poses 95 questions, many of which will find some answers in this prior history if it is adequately consulted. The Commission has generally evidenced admirable restraint and assessed the relevant tradeoffs, recognizing that the authorized collection and use of consumer information by companies confers enormous benefits, even as it entails some risks. Indeed, the overwhelming conclusion of decades of intense scrutiny is that the application of ex ante privacy principles across industries is a fraught exercise, as each industry—indeed each firm within an industry—faces a different set of consumer expectations about its provision of innovative services and offering of privacy protections.
These considerations all militate in favor of regulatory restraint by the FTC as a matter of policy. They also require restraint, and an emphasis on established jurisdiction, given the Supreme Court’s recent “major questions” jurisprudence.[24] As noted in the statements of several commissioners, West Virginia v. EPA[25] clarifies the constitutional limits on an agency’s authority to extend the reach of its jurisdiction via regulation. In brief, the broader the economic and political sweep of data regulations the Commission might propose, the more likely it is that such regulations exceed the FTC’s authority. If the “major questions doctrine” is implicated, the burden is on the agency to establish the specific grant of authority that is claimed.[26] Moreover, the Court was clear that a merely colorable claim of statutory implementation is inadequate to establish the authority to issue sweeping regulations with major economic and political implications.[27]
Download the full comments here.
[1] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (Aug. 22, 2022) (to be codified at 16 C.F.R. Ch. 1) [hereinafter “ANPR” or “Commercial Surveillance ANPR”].
[2] Id. at 51277.
[3] Id. at 51276.
[4] That is, “unfair or deceptive acts or practices in or affecting commerce,” as they are prohibited under Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1).
[5] 15 U.S.C. § 57a.
[6] 15 U.S.C. § 57a(b)(2)(A).
[7] 15 U.S.C. § 57a(a)(1)(B).
[8] 15 U.S.C. § 57a(b)(1) (“When prescribing a rule under subsection (a)(1)(B) of this section, the Commission shall proceed in accordance with section 553 of title 5.”)
[9] 15 U.S.C. § 57a(b)(2)(i).
[10] 15 U.S.C. § 57a(b)(2)(ii).
[11] See Section III, infra (regarding the role of cost-benefit analysis under Magnuson-Moss and the statutory requirements of Section 18).
[12] Except, of course, when it comes to government access to private information, i.e., under the Fourth Amendment.
[13] See, e.g., ANPR, supra note 1 at 51273-75.
[14] The purported definition of consumer data in the ANPR, and the scope of activities around consumer data, are so overbroad as to encompass virtually the entirety of modern economic activity: “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app. This latter category is far broader than the first.” Id. at 51277.
[15] See, e.g., Coline Boniface, et al., Security Analysis of Subject Access Request Procedures, in Privacy Technologies & Policy: 7th Annual Privacy Forum (Maurizio Naldi, et al. eds., 2019).
[16] See, e.g., James Campbell, Avi Goldfarb & Catherine Tucker, Privacy Regulation and Market Structure, 24 J. Econ. & Mgmt. Strategy 47 (2015); Alex Marthews & Catherine Tucker, Privacy Policy and Competition, Econ. Stud. at Brookings (December 2019), available at https://www.brookings.edu/wp-content/uploads/2019/12/ES-12.04.19-Marthews-Tucker.pdf.
[17] See, e.g., Jin-Hyuk Kim & Liad Wagman, Screening Incentives and Privacy Protection in Financial Markets: A Theoretical and Empirical Analysis, 46 RAND J. Econ. 1 (2015).
[18] See, e.g., Jian Jia, Ginger Zhe Jin & Liad Wagman, The Short-run Effects of the General Data Protection Regulation on Technology Venture Investment, 40 Marketing Sci. 661 (2021).
[19] See, e.g., FTC Act, 15 U.S.C. § 45(a) et seq.
[20] See Privacy-Common Law, Law Library —American Law and Legal Information, http://law.jrank.org/pages/9409/Privacy-Common-Law.html (last visited Oct. 16, 2022).
[21] See, e.g., Comments of the Association of National Advertisers on the Competition and Consumer Protection in the 21st Century Hearings, Project Number P181201, available at https://docplayer.net/93116976-Before-the-federal-trade-commission-washington-d-c-comments-of-the-association-of-national-advertisers-on-the.html: [T]he Health Information Portability and Accountability Act (“HIPAA”) regulates certain health data; the Fair Credit Reporting Act (“FCRA”) regulates the use of consumer data for eligibility purposes; the Children’s Online Privacy Protection Act (“COPPA”) addresses personal information collected online from children; and the Gramm–Leach–Bliley Act (“GLBA”) focuses on consumers’ financial privacy; the Equal Employment Opportunity Commission (“EEOC”) enforces a variety of anti-discrimination laws in the workplace including the Pregnancy Discrimination Act (“PDA”) and American with Disabilities Act (“ADA”); the Fair Housing Act (“FHA”) protects against discrimination in housing; and the Equal Credit Opportunity Act (“ECOA”) protects against discrimination in mortgage and other forms of lending. Id. at 6.
[22] Dep’t Health & Human Servs., Health Information Privacy, Enforcement Highlights, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html (HHS Office of Civil Rights, last reviewed Sep. 14, 2022).
[23] ANPR at 51293 (Dissenting Statement of Comm’r Noah J. Phillips).
[24] See W. Virginia v. Env’t Prot. Agency, 142 S. Ct. 2587, 2595 (2022) (citing a line of cases including Utility Air Regulatory Group v. EPA, 573 U. S. 302 (2014); Gonzales v. Oregon, 546 U. S. 243 (2006); FDA v. Whitman v. American Trucking Assns., Inc., 531 U. S. 457, 468 (2001); and Brown & Williamson Tobacco Corp., 529 U. S. 120, 159 (2000)).
[25] Id.
[26] See id. at 2613 (citing William Eskridge, Interpreting Law: A Primer on How to Read Statutes and the Constitution 288 (2016)).
[27] Id. at 2608-09.
TOTM The massive New Deal sculptures that frame Federal Trade Commission headquarters are both called “Man Controlling Trade.” And according to the Commission’s new Policy Statement Regarding . . .
The massive New Deal sculptures that frame Federal Trade Commission headquarters are both called “Man Controlling Trade.” And according to the Commission’s new Policy Statement Regarding Unfair Methods of Competition Under Section 5 of the Federal Trade Commission Act, “Three Commissioners Controlling the Economy” appears to now be one of the agency’s guiding principles. The last FTC roundup suggested that winter is coming. This week’s theme: bundle up because, baby, it’s getting cold outside.
Read the full piece here.
ICLE Issue Brief On Nov. 10, 2022, the Federal Trade Commission (FTC) issued a new policy statement regarding the scope of “unfair methods of competition” (UMC) under Section 5 of the FTC Act. The new statement fills the gap left by the Commission’s July 2021 rescission of its 2015 policy statement.
On Nov. 10, 2022, the Federal Trade Commission (FTC) issued a new policy statement[1] regarding the scope of “unfair methods of competition” (UMC) under Section 5 of the FTC Act. The new statement fills the gap left by the Commission’s July 2021 rescission[2] of its 2015 policy statement.[3] Democratic appointees Chair Lina Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya voted in favor of the new policy statement, while Commissioner Christine Wilson, a Republican appointee, dissented.[4]
The new statement describes the policy changes that the Commission majority previewed in 2021: the FTC will target a much broader range of conduct than it has in the past, as it untethers “unfair methods of competition” from, inter alia, consumer welfare, the rule of reason, and actual or likely harm to competition.
The policy statement sketches an architecture for UMC determinations that, on closer inspection, is ephemeral or, at best, radically unspecified. Under the new statement, unfair methods of competition mean “conduct undertaken by an actor in the marketplace—as opposed to merely a condition of the marketplace, not of the respondent’s making, such as high concentration or barriers to entry.”[5] That seems largely unhelpful. But for the suggestion that, following established law, monopoly (or high concentration) or structural barriers to entry are still not to be deemed prohibited in or of themselves, this seems a statement that conduct will not be deemed unfair unless it is, in fact, commercial conduct. The contrast with “competition on the merits” lacks content: the FTC has no statutory charge to define competition on the merits, except in the breach; it has not defined “competition on the merits” in the past and it does not do so in the present policy statement.
We are provided with a necessary conjunction. Conduct will only be deemed unfair if it is both:
The first term of the conjunction is satisfied by conduct fitting under a complex, if vague, disjunction: conduct that is “coercive, exploitative, collusive, abusive, deceptive, predatory” or acts that “involve the use of economic power of a similar nature,” or conduct that “may” be “otherwise restrictive or exclusionary.”
The second term is noteworthy mostly for what it is not. It does not specify either harm to competition or harm to consumers, but rather a tendency (not necessarily a likelihood) to “negatively affect” (perhaps to harm) “competitive conditions.”
We are told UMC will apply only to conduct that satisfies both sides of the conjunction, but we are also told that the FTC will evaluate conduct under these two complex criteria on a sliding scale, such that, where the markers of “unfairness” are clear, a lesser showing of a tendency to have a negative impact on competitive conditions may suffice for a finding of liability, and vice versa.
Before we try to unpack the conditions proffered by the Commission’s new policy statement, we are told to disabuse ourselves of familiar terms and standards. First, the Commission expressly abandons the consumer welfare standard. In its place, we have a sort of any-party-in-the-marketplace standard, concerned with effects on “consumers, workers, or other market participants.”[7] Second, whether conduct “tends to” affect (negatively) any party “does not turn to whether the conduct directly caused actual harm in the specific instance at issue.” Effects need not be “current” or “measurable” or even “actual,” the distinctions between “unmeasurable” and “immeasurable,” and between “actual,” “likely,” and “possible,” notwithstanding,
Some of this relaxation of standards is supposed to be necessary to get at incipient harms under Section 5, and not just under Section 7 of the Clayton Act. But there’s a bit of a fudge on established notions of incipiency, and on the broader antitrust notion of actual or likely harm. An invitation to collude may be more or less likely to succeed, but it is, in any case, an attempt to do something that is per se unlawful; that is, something that is extremely likely to cause actual harm to competition and consumers should it come to fruition. There is no procompetitive rationale for an invitation to collude. But here, incipiency is divorced even from the notion that a given course of conduct by some specific party is likely to harm competition and consumers, whether it comes to fruition or not.
Second, the Commission expressly disavows the rule of reason, calling it “open ended” and capable of delivering “inconsistent and unpredictable results.”[8] At the same time, the new statement lacks any limiting principle, and it is hard to see how it could be more consistent or in any way predictable in application.
When we come to positive criteria, we find the unfairness laundry list catalogued above. Yet most of those terms lack any clear meaning under U.S. antitrust law, even if they occur here and there in dicta in Supreme Court or lower-court opinions. For example, after reeling off six terms of the “unfair” disjunction (coercive, exploitative, collusive, abusive, deceptive, and predatory), the statement first cites Sperry & Hutchinson for the proposition that Section 5 reaches conduct “shown to exploit consumers.” True, 50 years ago, the Court did wax expansive on the scope of Section 5.[9] In doing so, the Court opined that a showing of the exploitation of consumers—harm to consumers—could constitute a violation of Section 5. But the current policy statement does not require harm to either competition or consumers; and the notion that the Court would today sustain a finding of UMC liability absent harm to either competition or consumers is dubious. Moreover, the Sperry & Hutchinson Court’s discussion of “exploitation” was in no way necessary to its decision in that matter; that was, namely, that the Commission had not made its case without the bounds of the antitrust laws:
The opinion is barren of any attempt to rest the order on its assessment of particular competitive practices or considerations of consumer interests independent of possible or actual effects on competition. Nor were any standards for doing so referred to or developed.[10]
In brief, the Court’s hoary discussion of “exploitation” has no clear precedential value. But if it did, the discussion would give no guidance to industry or the bar on the question what today’s Commission means by “exploitation.” The Commission’s statement offers no clue at all about the limits to the conduct the Commission purports to proscribe.
Elsewhere in the statement, the Commission cites Leegin in support of the proposition that Section 5 reaches “parallel exclusionary conduct that may cause aggregate harm.” The citation seems inapt, at best, given Leegin’s holding, “that Dr. Miles should be overruled and that vertical price restraints are to be judged by the rule of reason.”[11] The Commission characterizes Leegin as “holding that the extent of adoption of resale price maintenance across the industry is relevant to legality.” The Court does opine that “the number of manufacturers that make use of the practice in a given industry can provide important instruction” in a rule-of-reason inquiry into the legality of a practice.[12] But that is not the holding in Leegin, which reversed a 5th U.S. Circuit Court of Appeals decision applying a per se standard of liability, as had the trial court below it. Leegin emphasized the importance of the rule of reason (rejected by the current policy statement) and consumer welfare (rejected by the current policy statement) and noted that conduct such as retail price maintenance “may not be a serious concern unless the relevant entity has market power”[13] (again, rejected by the current policy statement). The Commission might also recall the 9th U.S. Circuit Court of Appeals’ decision in Boise Cascade: “to allow a finding of a Section 5 violation on the theory that the mere widespread use of a practice makes it an incipient threat to competition would be to blur the distinction between guilty and innocent commercial behavior.”[14]
Having provided an essentially vague and open-ended account of “unfair methods of competition,” the Commission rejects the notion that it must consider any justifications for conduct it deems facially violative of that “standard.” It may, but the statement is clearest on the question of what will not suffice. Neither a demonstration of “net efficiencies” nor a “numerical cost-benefit” test will suffice;[15] neither will benefit in another market, no matter how inextricably tied to the one in which there’s a purported tendency to foster the open-ended harms. We are told that “[s]ome well-established limitations on what defenses are permissible in an antitrust case apply in the Section 5 context as well”—as if, perhaps, we wondered whether pretextual justifications might do when net efficiencies or net consumer benefits would not.
To justify the broad expansion of its interpretation of its UMC authority, the Commission reaches extensively, if selectively, into the legislative history of the FTC Act. The statement argues that, when Congress passed the FTC Act in 1914, it intended the law to be broader than the Sherman Act. That claim, at that level of abstraction, is uncontroversial. The question had never been whether the bounds of Section 5 exceed those of the Sherman Act, to any degree, in any context. Rather, there were live questions about the extent to which Section 5 does so, and the methods by which standalone Section 5 violations might be determined. The FTC portrays the new statement as a “restoration” of “rigorous enforcement” of the ban on unfair methods of competition,[16] but it does so without any rigor of its own, or any clear justification for fixing on some certain days past as halcyon.
As Commissioner Wilson observes in her dissenting statement, the Commission’s selective appeals to legislative history elides the congressional backlash triggered by the FTC’s overplaying its hand in the 1970s. It also ignores much of the past century’s development of antitrust jurisprudence, in which the Sherman and Clayton Acts have proved effective, and the courts (and the antitrust agencies) have developed principles to provide guidance as to what makes conduct unlawful.
It is well-established, as Commissioner Wilson acknowledges, that Section 5 reaches “incipient violations” of the antitrust laws. But eliminating the need to show likely anticompetitive effects, market power, or consumer harm attached to any given course of conduct, along with the repudiation of measurement (or estimation) and efficiency—as the statement does—in favor of a focus on an ill-defined “tendency to generate negative consequences” for some market participant or other can only serve to diminish rigor in FTC analysis and predictability in its conclusions. Rather, as Commissioner Wilson suggests, it is likely to favor the personal views or intuitions of a sitting majority of commissioners.
Commissioner Wilson observes that the statement “resembles the work of an academic or a think tank fellow” with dreams of “remaking the economy.”[17] Adopting only vague notions of the meaning of unfairness, and lacking grounding in established antitrust analysis, the FTC promises enforcement and possible rulemaking based on the idea that appointed “expert” commissioners will be best suited to determine what conduct is unlawful. This increases the odds of arbitrary actions by the FTC. Commissioner Wilson explains that the policy statement reflects an “I know it when I see it” approach “premised on a list of nefarious-sounding adjectives” without antitrust or economic meaning or any clear methodology.[18]
Chair Khan responds to Commissioner Wilson by arguing that Congress purposefully created an expert agency that would target conduct outside the scope of the antitrust laws under a definition of unfair methods of competition that the agency itself would create.[19] Perhaps, but in 1914, “outside the scope of the antitrust laws” meant beyond the scope of the 1890 Sherman Act, as then understood, not beyond all antitrust statutes and amendments to follow, come what may. And however the Commission’s UMC authority was (and mostly was not) specified in the FTC Act, it is clear that the agency—as an institution—was supposed to develop its expertise and the notion of UMC with oversight by (and input from) Congress and the courts. Reaching past several decades of established agency practice and decisions of the federal courts, including those of the Supreme Court, was never part of the institutional design. Not incidentally, it calls into question the subject matter of the Commission’s purported expertise.
The FTC has provided some clues as to what it hopes to accomplish, if not by any definite method or subject to any limiting principle. In the new policy statement, the Commission states that the “size, power, and purpose of the respondent” may be relevant to its UMC inquiry.[20] Abandoning the protection of consumer welfare, and looking to possible effects on “other market participants,” the FTC is setting its sight on so-called “bigness” and the protection of weaker competitors.
In his supporting statement, Commissioner Bedoya makes plain that the FTC should ensure a “level playing field for small business” and “all competitors,” arguing that it is not the FTC’s job to promote efficiency.[21] Commissioner Bedoya provides examples of conduct that the FTC may bring under the UMC umbrella, including conduct that may pass muster under the antitrust laws (or specifically, the rule of reason): local price cutting, tying conduct, exclusive contracts, rebates and preferential contracts, dominant control of inputs, manipulation, certain forms of refusal to deal, information collection on rivals, and coercion, threats, and intimidation. What Commissioner Bedoya and the Commission majority do not provide is a method for assessing when such conduct runs afoul of Section 5, or a policy rationale for condemning conduct without a showing of actual or likely harm to competition or consumers.
Finally, the policy statement also reiterates that the current FTC believes it has the power to create binding, substantive UMC rules. The combination of an assertion of overly broad and loosely defined substantive coverage of conduct, together with an assertion of broad remedial and legislative powers, previews an aggressive agency with heavy-handed enforcement and rulemaking to come.
* Daniel Gilman is a senior scholar with the International Center for Law & Economics (ICLE) and a former advisor at the Federal Trade Commission. Gus Hurwitz is ICLE’s director of law & economics programs.
[1] Policy Statement Regarding the Scope of Unfair Methods of Competition Under Section 5 of the Federal Trade Commission Act, Federal Trade Commission (Nov. 10, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/P221202Section5PolicyStatement.pdf [hereinafter “2022 UMC Policy Statement.”]
[2] Statement of Chair Lina M. Khan, Joined by Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter, on the Withdrawal of the Statement of Enforcement Principles Regarding “Unfair Methods of Competition” Under Section 5 of the FTC Act, Federal Trade Commission (Jul. 1, 2021), available at https://www.ftc.gov/system/files/documents/public_statements/1591498/final_statement_of_chair_khan_joined_by_rc_and_rks_on_section_5_0.pdf [hereinafter “2021 Withdrawal Statement.”]
[3] Statement of Enforcement Principles Regarding “Unfair Methods of Competition” Under Section 5 of the FTC Act, Federal Trade Commission (Aug. 13, 2015), available at https://www.ftc.gov/system/files/documents/public_statements/735201/150813section5enforcement.pdf.
[4] Dissenting Statement of Commissioner Christine S. Wilson, Federal Trade Commission (Nov. 10, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/P221202Section5PolicyWilsonDissentStmt.pdf [hereinafter “Wilson Dissent.’]
[5] 2022 UMC Policy Statement, supra note 1, at 8.
[6] 2022 UMC Policy Statement, supra note 1, at 9.
[7] Id.
[8] 2021 Withdrawal Statement, supra note 2, at 3.
[9] FTC v. Sperry & Hutchinson Co., 405 U.S. 233 (1972).
[10] Id., at para. 40.
[11] Leegin Creative Leather Products, Inc. v. PSKS, Inc., 551 U.S. 877 (2007).
[12] Id., at 17.
[13] Id., at 18.
[14] Boise Cascade v. FTC, 637 F.2d 573, 582 (9th Cir. 1980).
[15] 2022 UMC Policy Statement, supra note 1, at 11.
[16] FTC Restores Rigorous Enforcement of Law Banning Unfair Methods of Competition, Federal Trade Commission (Nov. 10, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/11/ftc-restores-rigorous-enforcement-law-banning-unfair-methods-competition.
[17] Wilson Dissent, supra note 4, at 2.
[18] Id.
[19] Statement of Chair Lina M. Khan, Federal Trade Commission (Nov. 10, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Section5PolicyStmtKhanSlaughterBedoyaStmt.pdf.
[20] 2022 UMC Policy Statement, supra note 1, at 9.
[21] Statement of Commissioner Alvaro M. Bedoya, Federal Trade Commission (Nov. 10, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/P221202Section5PolicyStmtBedoyaStmt.pdf.
TOTM Research still matters, so I recommend video from the Federal Trade Commission’s 15th Annual Microeconomics Conference, if you’ve not already seen it. It’s a valuable event, . . .
Research still matters, so I recommend video from the Federal Trade Commission’s 15th Annual Microeconomics Conference, if you’ve not already seen it. It’s a valuable event, and it’s part of the FTC’s still important statutory-research mission. It also reminds me that the FTC’s excellent, if somewhat diminished, Bureau of Economics still has no director; Marta Woskinska concluded her very short tenure in February. Eight-plus months of hiring and appointments (and many departures) later, she’s not been replaced. Priorities.
Read the full piece here
TOTM Faithful and even occasional readers of this roundup might have noticed a certain temporal discontinuity between the last post and this one. The inimitable Gus Hurwitz has passed the . . .
Faithful and even occasional readers of this roundup might have noticed a certain temporal discontinuity between the last post and this one. The inimitable Gus Hurwitz has passed the scrivener’s pen to me, a recent refugee from the Federal Trade Commission (FTC), and the roundup is back in business. Any errors going forward are mine. Going back, blame Gus.
Regulatory Comments A preview of the response ICLE is preparing to the FTC's 95-question advance notice of rulemaking on "commercial surveillance and data security."
The Federal Trade Commission (“FTC”) has issued an Advanced Notice of Public Rulemaking (“ANPR”) on “Commercial Surveillance and Data Security,”[1] initiating a proceeding intended to result in binding rules regarding “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”[2] On some possible approach, streamlined and uniform federal data security or privacy regulations could be both beneficial and within the FTC’s competence and authority. But the approach suggested by the ANPR—simultaneously sweeping and vague—appears very likely to do more harm than good. Most notably, the ANPR evinces an approach that barely acknowledges either the limits of the FTC’s authority or the tremendous consumer benefits produced by the information economy.
The FTC is uniquely positioned to understand the complexities entailed in regulating privacy and data security. It has expertise and experience in both consumer protection and competition matters; with regard to privacy and data security, in particular, it has decades of experience bringing enforcement actions for violations of the FTC Act’s prohibition of deceptive and unfair practices; and its enforcement experience has been bolstered by its statutory mission to conduct economic and policy research, which has, not incidentally, comprised numerous hearings, workshops, studies, and reports on issues pertinent to data policy.
The Commission’s authority is not unbounded, however, and neither are its resources. Both limitations become salient when the Commission considers adopting substantive—or “legislative”— regulations under either Section 18 or Section 6 of the FTC Act. As we discuss below, the current proceeding is deficient on both substantive and procedural grounds. Absent an express grant of authority and the requisite resources from Congress, the Commission would be ill-advised to consider, much less adopt, the kinds of sweeping data regulations that the Commercial Surveillance ANPR appears to contemplate.
The ANPR states that it was issued pursuant to the Commission’s Section 18 authority,[3] which both grants and restrains the FTC’s authority to adopt regulations with respect to “unfair or deceptive acts or practices in or affecting competition” (“UDAP”).[4] Rulemaking under Section 18 of the FTC Act[5] requires that the Commission follow a careful process: as a preliminary matter, it must identify, for Congress and the public, an area of inquiry under the Commission’s jurisdiction; the Commission’s objectives in the rulemaking; and regulatory alternatives under consideration.[6] Unfortunately, the Commission has not met these obligations in this ANPR.
Under Section 18, the Commission may adopt “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce”[7] under Section 5 of the FTC Act. Section 18 imposes express procedural requirements, in addition to those set out for this ANPR. These include but are not limited to requirements for a Notice of Proposed Rulemaking (“NPRM”). Section 18 also incorporates by reference the procedures prescribed by the Administrative Procedure Act.[8]
Any rules the Commission issues under a Section 18 proceeding must emerge from a cost-benefit analysis. Both the potential harms and the benefits of challenged conduct must be well-defined, and they must be weighed against each other. Even at this early stage of the process, the FTC is obligated to provide more than a suggestion that some harm might be occurring, and to provide more than a hint of how it might handle those harms.
Irrespective of the statutory obligations to do so, this is also good procedure for policymaking. Before engaging in a deeply interventionist regulatory experiment—such as imposing strict privacy regulations in contravention of revealed consumer preferences—there should be empirically justified reasons for doing so. In other words, there should be demonstrable market failures in the provision of “privacy” (however we define that term) before centralized regulation co-opts the voluntary choices of consumers and firms in the economy, and before it supplants the ability to redress any residual, cognizable harms through law enforcement with broad, economywide, ex ante rules.
Thus, a vital threshold question for any rules issued under this proceeding is whether and why markets operating without specific privacy regulation generate a suboptimal provision of privacy protection. Without this inquiry, it is unclear what problems the rules are needed to address. Without knowing their purpose, any rules are likely to be ineffective, at best, and harmful, at worst. They may increase costs for consumers and businesses alike; mandate harmful prescriptions for alleged privacy harms; or exacerbate the risks of harm—or all of the above. Whether such costs would be accompanied by concrete gains material to most consumers is also up for grabs.
Particularly in the United States, where privacy is treated both legally and socially as more of a consumer preference (albeit perhaps a particularly important one) than a fundamental right,[11] it is difficult to determine whether our current regime produces the “right” amount of privacy protection. It is surely not sufficient to make that determination, however, that privacy advocates and consumers who are particularly privacy-sensitive think there should be more, or more of a certain sort, nor is it enough that there have been some well-publicized violations of privacy and cases of demonstrable harm. Indeed, the fact that revealed preferences in the market tend toward relatively less privacy protection is evidence that advocates may be seeking to create a level of privacy protection for which there is simply no broad-based demand. Absent a pervasive defect that suggests a broad disconnect between revealed and actual preferences, as well as a pattern of substantial net harm, the Commission should be extremely cautious before adopting preemptive and sweeping regulations.
The Commission is obligated to consider the likely effects of data regulation on consumers and competition. That ought to be a requirement for regulation generally, but it is an express statutory requirement for regulation under Section 18 of the FTC Act. The Commission is uniquely well-situated to meet that mandate by virtue of its distinctive, dual competition and consumer-protection mandates. Indeed, the Commission’s antitrust-enforcement experience dates to the agency’s inception. In addition, the Commission can access the considerable expertise of its Bureau of Economics, which employs experts in both industrial organization and consumer-protection economics.
The Commercial Surveillance ANPR does not specify, or even sketch, the data regulations being contemplated by the Commission as required by statute. Consequently, one cannot assess the net effects of any proposed “commercial surveillance and data security” rule on competition or consumers, because there simply is no proposed rule to assess.
The Commission should take account of a further reality: the rules it contemplates will be created in an environment filled with other privacy regulators. Although the United States does not have a single, omnibus, privacy regulation, this does not mean that the country does not have “privacy law.” Indeed, there already exist generally applicable laws at both the federal and state level that provide a wide scope of protection for individuals, including consumer-protection laws that apply to companies’ data use and security practices,[18] as well as those that have been developed in common law (property, contract, and tort) and criminal codes.[19] In addition, there are sector-specific regulations pertaining to particular kinds of information, such as medical records, personal information collected online from children, and credit reporting, as well as regulations prohibiting the use of data in a manner that might lead to certain kinds of illegal discrimination.[20]
Despite the FTC’s noted experience in a certain slice of privacy regulation, Congress has not made the FTC the central privacy regulatory body. Congress has wrestled with complex tradeoffs in several different areas and has allowed—through design and otherwise—various authorities to emerge in this area. Thus, given the Supreme Court’s recent “major questions” jurisprudence,[21] it is necessary to understand that the rules that emerge from this process must be properly constrained.
In his dissent from the issuance of this ANPR, Commissioner Noah Phillips noted the massive, complicated undertaking it initiates:
Legislating comprehensive national rules for consumer data privacy and security is a complicated undertaking. Any law our nation adopts will have vast economic significance. It will impact many thousands of companies, millions of citizens, and billions upon billions of dollars in commerce. It will involve real trade-offs between, for example, innovation, jobs, and economic growth on the one hand and protection from privacy harms on the other. (It will also require some level of social consensus about which harms the law can and should address.) Like most regulations, comprehensive rules for data privacy and security will likely displace some amount of competition. Reducing the ability of companies to use data about consumers, which today facilitates the provision of free services, may result in higher prices—an effect that policymakers would be remiss not to consider in our current inflationary environment.[22]
This is particularly true given the Commission’s long history of work in this area. The Commission has undertaken decades of investigations and a multitude of workshops and hearings on privacy and related topics. This ANPR nods to that history, but it does not seem to make much use of it, possibly because much of it contains lessons that pull in different directions. Overall, that impressive body of work does not remotely point to the need for a single, comprehensive privacy rule. Rather, it has demonstrated that privacy regulation is complicated. It is complicated not just as a technical matter, but also because of the immense variety of consumers’ attitudes, expectations, and preferences with respect to privacy and the use of data in the economy.
[11] Except, of course, when it comes to government access to private information, i.e., under the Fourth Amendment.
[12] See, e.g., ANPR at 51273-75.
[13] The purported definition of consumer data in the ANPR, and the scope of activities around consumer data, are so overbroad as to encompass virtually the entirety of modern economic activity: “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app. This latter category is far broader than the first.” Id. at 51277.
[14] See, e.g., Coline Boniface, et al., Security Analysis of Subject Access Request Procedures, in Privacy Technologies & Pol’y. APF 2019. (Maurizio Naldi, et al. eds., 2019); see also Peter Swire and DeBrae Kennedy-Mayo, The Effects of Data Localization on Cybersecurity, Georgia Tech Scheller College of Business Research Paper No. 4030905 (2022), available at https://ssrn.com/abstract=4030905 or http://dx.doi.org/10.2139/ssrn.4030905.
[15] See, e.g., James Campbell, Avi Goldfarb & Catherine Tucker, Privacy Regulation and Market Structure, 24 J. Econ. & Mgmt. Strategy 47 (2015); Alex Marthews & Catherine Tucker, Privacy Policy and Competition, Econ. Stud. at Brookings (Dec. 2019), available at https://www.brookings.edu/wp-content/uploads/2019/12/ES-12.04.19-Marthews-Tucker.pdf.
[16] See, e.g., Jin-Hyuk Kim & Liad Wagman, Screening Incentives and Privacy Protection in Financial Markets: A Theoretical and Empirical Analysis, 46 RAND J. Econ. 1 (2015).
[17] See, e.g., Jian Jia, Ginger Zhe Jin & Liad Wagman, The Short-run Effects of the General Data Protection Regulation on Technology Venture Investment, 40 Marketing Sci. 661 (2021).
[18] See, e.g., FTC Act, 15 U.S.C. § 45(a) et seq.
[19] See Privacy-Common Law, Law Library —American Law and Legal Information, http://law.jrank.org/pages/9409/Privacy-Common-Law.html (last visited Oct. 16, 2022).
[20] See, e.g., Comments of the Association of National Advertisers on the Competition and Consumer Protection in the 21st Century Hearings, Project Number P181201, available at https://docplayer.net/93116976-Before-the-federal-trade-commission-washington-d-c-comments-of-the-association-of-national-advertisers-on-the.html:
[T]he Health Information Portability and Accountability Act (“HIPAA”) regulates certain health data; the Fair Credit Reporting Act (“FCRA”) regulates the use of consumer data for eligibility purposes; the Children’s Online Privacy Protection Act (“COPPA”) addresses personal information collected online from children; and the Gramm–Leach–Bliley Act (“GLBA”) focuses on consumers’ financial privacy; the Equal Employment Opportunity Commission (“EEOC”) enforces a variety of anti-discrimination laws in the workplace including the Pregnancy Discrimination Act (“PDA”) and American with Disabilities Act (“ADA”); the Fair Housing Act (“FHA”) protects against discrimination in housing; and the Equal Credit Opportunity Act (“ECOA”) protects against discrimination in mortgage and other forms of lending.
Id. at 6.
[21] See, e.g., W. Virginia v. Env’t Prot. Agency, 142 S. Ct. 2587, 2595 (2022).
[22] ANPR at 51293 (Dissenting Statement of Comm’r Noah J. Phillips).
