WASHINGTON D.C. — Today, the FTC released areportrecommending “best practices” around privacy and data security for the “Internet of Things” — connected smart home devices, smart cars and the like. The report echoes so-called “recommendations” made by the FTC in other reportssince 2010. Commissioner Josh Wrightdissented, lamenting that “‘security by design’ and other privacy-related catchphrases … do not appear to contain any meaningful analytical content.”Commissioner Ohlhausen concurred but objected tothe report’s call for baseline privacy legislation and embrace of data minimization, which she called a “precautionary principle.”
“At best, this is just another exercise in Workshop Theater; at worst, the FTC is trying to regulate the Internet of Things by stealth,” said TechFreedom President Berin Szoka. “We’ve been down this road before: In 1980, a heavily Democratic Congress twice tried to rein in the FTC’s Naderite regulatory spree. Now, the FTC is effectively circumventing those constraints, using workshop reports asde factoregulations.”
“This report pays only lip service to meaningful cost-benefit analysis,” said Geoffrey Manne, Executive Director of the International Center for Law & Economics. “The Internet of Things is a nascent and fast-evolving area. To make specific recommendations on the basis of little more than staff impressions of cherry-picked commentsabout theoretical harmsfrom a one-day workshop — without undertaking any real analysis of any meaningful data — amounts to regulatory malpractice. The FTC has a wealth of economics expertise in-house, which the Bureau of Consumer Protection willfully ignores. Before recommendinganything, the FTC needs to consider not only the enormous benefits of the Internet of Things, but, more importantly, whether the consumer benefits of any ‘recommendation’ outweigh its costson the margin. That’s regulatory economics 101.”
“Since 2010, we’ve seen a radical change: The purpose of FTC workshop reports is no longer to produce a better understanding of complex consumer protection issues,” concluded Szoka. “Instead, the Chairman and a small number of FTC staffers now seek to use workshop reports to put the agency’s institutional weight behind their own agenda, which is driven more by a neo-Naderite ideology than rigorous analysis.”
In the 1970s, the FTCran amuck, trying to ban advertising to kids and micromanage everything from funeral homes to labor practices.
In 1980, a heavily Democratic Congress required the FTC to build a rigorous record before regulating, and to constrain its vast ‘unfairness’ authority throughcost-benefit analysis.
Since 2010, the FTC has increasingly tried to convert its ‘recommendations’ into regulations in two ways:
Baking them into the consent decrees the FTC extracts from companies that don’t want to undergo the ordeal of fighting the agency.
Claiming that violations of recommendations made in a workshop report can trigger liability under Section 5 of the FTC Act: most notably, itscomplaintagainst LabMD rests in part on the FTC’s 2005 staff report about peer-to-peer file sharing.
Until 2010, FTC reports attempted to synthesize a complex record, which helped inform everyone’s understanding of evolving technologies and business practices, their benefits, and the consumer protection concerns they raise. Occasionally, an FTC report would recommend legislation — butneverthe kinds of sweeping ‘recommendations’ to private companies that have become commonplace since the FTC’s 2010 staff privacy report.
For example, a 2005 staff report on peer-to-peer file-sharing made only short,high-level suggestionsto industry.
In May 2014, in a series of footnotes, Commissioner Wrightobjected tothe FTC’sData Broker Reportmaking a series of legislative recommendations without adequate basis.
Szoka and Manne are available for comment atmedia@techfreedom.org,and see our other work onBig DataandFTC reform, especially: