FTC Staff Report Misses the Mark on “Internet of Things” Regulation

Alden Abbott —  27 January 2015

Today the Federal Trade Commission (FTC) missed the mark in authorizing release of a staff report calling for legislation and regulation of the “Internet of Things.”

The Internet of Things is already affecting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health monitoring, safer highways, more efficient home energy use, and a myriad of other benefits. The rapidly increasing use of such devices, which transfer data electronically, also raises privacy and security concerns. In November 2014 the FTC convened a one-day workshop to study the rapidly changing Internet of Things.

On January 27, 2015, the FTC staff released a report based on the record established by the workshop and follow-on comments from the public.  Unfortunately, the report went far beyond describing the state of play and setting forth the views of interested parties.  In particular, the FTC staff recommended detailed approaches businesses should follow to promote security and privacy in the Internet of Things, and repeated its prior call for strong data security and breach notification legislation.  The FTC voted 4-1 to issue the staff report, with Commissioner Joshua Wright dissenting and Commissioner Maureen Ohlhausen concurring but expressing opposition to two of the report’s recommendations (calling for privacy legislation and for companies to delete “excessive” but valuable data).

Commissioner Wright’s thoughtful dissent centers on the report’s failure to apply cost-benefit analysis to its recommendations, without which it is not possible to determine whether the recommendations are socially beneficial or harmful.  As Wright points out (footnotes omitted):

“Acknowledging in passing, as the Workshop Report does, that various courses of actions related to the Internet of Things may well have some potential costs and benefits does not come close to passing muster as cost-benefit analysis. The Workshop Report does not perform any actual analysis whatsoever to ensure that, or even to give a rough sense of the likelihood that the benefits of the staff’s various proposals exceed their attendant costs. Instead, the Workshop Report merely relies upon its own assertions and various surveys that are not necessarily representative and, in any event, do not shed much light on actual consumer preferences as revealed by conduct in the marketplace. This is simply not good enough; there is too much at stake for consumers as the Digital Revolution begins to transform their homes, vehicles, and other aspects of daily life.”

More specifically, Wright critiques the FTC’s proposal that companies limit the scope of data retention (“data minimization”) to protect consumers’ “reasonable expectations” and deter data thieves – as he explains, this proposal fails to discuss the magnitude of its costs to consumers and supplies no evidence demonstrating that the benefits of data minimization will outweigh those costs. In a similar vein, Wright opposes the report’s proposal that companies adopt specific “security by design” measures, noting that:

“Relying upon the application of these concepts and the Fair Information Practice Principles to the Internet of Things can instead substitute for the sort of rigorous economic analysis required to understand the tradeoffs facing firms and consumers. An economic and evidence-based approach sensitive to those tradeoffs is much more likely to result in consumer-welfare enhancing consumer protection regulation. To the extent concepts such as security by design or data minimization are endorsed at any cost – or without regard to whether the marginal cost of a particular decision exceeds its marginal benefits – then application of these principles will result in greater compliance costs without countervailing benefit. Such costs will be passed on to consumers in the form of higher prices or less useful products, as well as potentially deter competition and innovation among firms participating in the Internet of Things.”

In sum, Wright concludes:

“Before setting forth industry best practices and recommendations for broad-based privacy legislation relating to the Internet of Things – proposals that could have a profound impact upon consumers – the Commission and its staff should, at a minimum, undertake the necessary work not only to identify the potential costs and benefits of implementing such best practices and recommendations, but also to perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention.”

The FTC does best when it rigorously evaluates the costs and benefits of its regulatory recommendations and proposed enforcement actions. Unfortunately, in recent years it has lost sight of this common-sense principle (particularly in the consumer protection area) in imposing highly burdensome advertising substantiation and data security enforcement requirements through litigation and consent decrees. The detailed recommendations in the Internet of Things report suggest that the FTC may be eyeing public reports as a new source of “friendly persuasion.” Because many firms may choose to adopt costly FTC business practice “suggestions” so as to avoid costly investigations and litigation, the actual harm in forgone business innovation and consumer welfare losses may not be readily apparent. The competitive process and American consumers, however, are the losers – as are smaller companies that can less afford to absorb the costs of FTC micromanagement than their larger rivals.

Alden Abbott

I am a Senior Legal Fellow at the Heritage Foundation. I write on antitrust, domestic and international regulatory policy, and law and economics. I am an Adjunct Faculty Member at George Mason Law School.

One response to FTC Staff Report Misses the Mark on “Internet of Things” Regulation

  1. Right, the FTC wants more protection of data and non-data retention for customer privacy. Why don’t they start with the NSA?