I had thought we were in the dog days of summer, but the Farmer’s Almanac tells me that I was wrong about that. It turns out that the phrase refers to certain specific dates on the calendar, not just to the hot and steamy days that descend on the nation’s capital in . . . well, whenever they do (and not just before Labor Day, that’s for sure). The true dog days, it turns out, are July 3-Aug. 11, no matter the weather. So maybe this is just the cat’s tuches of summer, as if that makes it better.
What’s going on, besides the rents? The Federal Trade Commission’s (FTC) pending case against Amazon is in the news (see, for example, here and here). There’s a sense in which that’s not surprising. After all, FTC Chair Lina Khan was thrust into prominence with her student note (and adult polemic) “Amazon’s Antitrust Paradox,” and neither she nor the administration have hid their animosity toward so-called “Big Tech.” Tim Wu—recently returned to Columbia Law School following a stint as special advisor to President Joe Biden for technology and competition policy, and author of “The Curse of Bigness”—has been an equal critic of Big Tech and of Amazon, in particular. Biden’s 2011 Executive Order on Promoting [and undermining] Competition in the American Economy (reportedly drafted by Wu) doubles down on the animus.
And then there’s a sense in which it is surprising, nonetheless: nobody has reported an actual complaint. At least, it’s not on the FTC website. And as a legal matter, while there might be an investigation, there is no case until the commission votes to bring one and, specifically, votes to issue a complaint. I’d always understood there to be an FTC policy of not discussing pending investigations, so where is the news coming from?
One area of decidedly vigorous competition in the tech sector appears to be the race to lead federal surveillance of “the surveillance economy,” which recalls the title of Shoshanah Zuboff’s anti-tech manifesto “The Age of Surveillance Capitalism: The Fight for a Human Future at the Frontier of Power.” At least three agencies—the FTC, the Securities and Exchange Commission (SEC), and the Consumer and Financial Protection Bureau (CFPB)—are all in a race, as is Congress. Winners—and losers—may be considerably more numerous.
Of course, there are activities that properly fall under the rubric “surveillance,” including both private and government conduct. Some such surveillance is—and ought to be—unlawful, and there may be room for additional regulation to address consumer harms. But recent regulatory initiatives have much more than that in mind.
For example, as I discussed in my very first roundup, the FTC in August 2022 published an advance notice of proposed rulemaking (ANPR) to consider the potential regulation of “commercial surveillance and data security” under its Section 18 authority. That may be old news, but it’s not dead news, as the commission has not closed the proceeding, published a notice of proposed rulemaking (NPRM), or even issued a report summarizing what it has learned thus far. It’s also worth recalling because of the sheer sweep of the ANPR.
In formal ICLE comments to the FTC, my colleagues Geoff Manne, Kristian Stout, and I observed that the ANPR appeared to define “commercial surveillance” as a “new term of art,” and one “potentially encompassing any commercial use of data that is—in some sense unspecified in the ANPR—‘consumer data,’ together with the also undefined ‘direct derivatives of that information.’” That is, the ANPR swept so broadly as to potentially extend to most of the digital economy.
The FTC has long been a key force in addressing certain privacy issues, both under its general Section 5 “unfair or deceptive acts or practices in or affecting commerce” authority, and under narrower grants of statutory authority, such as the Children’s Online Protection Act or the Fair Credit Reporting Act (FCRA). Indeed, the commission had characterized itself as “[f]or more than two decades . . . the nation’s privacy agency.”
Perhaps. I don’t mean to gainsay the impact the FTC has had on privacy and data-security issues, but many (myself included) seemed to think the commission was contemplating regulations that would extend well beyond the scope of its statutory remit, and that it was doing so with a conclusory attitude toward the harms to be addressed and a nearly wholesale dismissal of the vast consumer benefits produced by digital commerce. For example, then-Commissioner Noah Phillips had the following to say in his dissenting statement:
What the ANPR does accomplish is to recast the Commission as a legislature, with virtually limitless rulemaking authority where personal data are concerned. It contemplates banning or regulating conduct the Commission has never once identified as unfair or deceptive. That is a dramatic departure even from recent Commission rulemaking practice. The ANPR also contemplates taking the agency outside its bailiwick. At the same time, the ANPR virtually ignores the privacy and data security concerns that have animated our enforcement regime for decades. A cavalcade of regulations may be on the way, but their number and substance are a mystery.
Overlapping concerns were voiced by then-Commissioner Christine Wilson in her own dissenting statement.
Back to the bit about “the nation’s privacy agency.” The FTC has long been an important inter-sectoral player—at least in the privacy and data-security space, whatever else might count as “commercial surveillance”—but it has not been the only federal agency or, indeed, the most active. As we noted in our ANPR comments, the FTC has long shared responsibility for enforcing the FCRA with, among others, the CFPB; the U.S. Department of Education enforces the Family Educational Rights and Privacy Act (FERPA); and the U.S. Department of Health and Human Services (HHS) enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—which protects the privacy and security of health information, although it refers certain HIPAA cases to the U.S. Justice Department (DOJ) for criminal prosecution. Not incidentally, HHS has brought many more enforcement actions under HIPAA than the FTC has under its various statutory authorities. By an order of magnitude.
Now comes the SEC, among others. Earlier this month, the SEC adopted new cybersecurity regulations that add substantially to established disclosure obligations under the Securities Exchange Act of 1934 (SEC Act). The rules require, among other things, “periodic disclosures about a registrant’s process to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.”
That’s narrower, by far, than the scope of the FTC’s ANPR, but it imposes specific requirements on all publicly traded companies in the United States, which is no small matter. Indeed, the regulations prompted privacy scholar Chris Hoofnagle to say:
Five years ago, the Federal Trade Commission was America’s most consequential cyber regulator, but now . . . [the SEC] has emerged as the nation’s most important leader in the field.
A focus on data-security issues may indeed be the most productive route to narrowing the domain of regulatory intervention, although the likely costs and benefits of the new SEC rules are unclear.
And earlier this week, CFPB Director (and former FTC Commissioner) Rohit Chopra repeatedly referred to “data surveillance” and “the surveillance industry” in announcing “a rulemaking to ensure that modern-day digital data brokers are not misusing or abusing our sensitive data.”
To be clear, Chopra did not specify a proposed rule, much less publish one in the Federal Register. But he did make clear that the CFPB would be proposing rules governing data and data brokers under what appears, at first blush, a highly creative reading of the CFPB’s authority to regulate consumer-reporting agencies.
The windup was a CFPB request for information (RFI) on data brokers issued in March of this year, with a June submission deadline that was subsequently extended until July 15. That is to say, the comment period closed about a month ago. The regulations.gov website appears to list more than 4,000 submissions to the RFI, and the cynic in me wonders whether the CFPB and Director Chopra have fully processed that input in such a short time. But time flies.
The proof–or poison–will be in the pudding. We’re told that the CFPB will publish “an outline of proposals and alternatives under consideration for a proposed rule” (which reads like the promise of an ANPR) next month. So, we’ll see.
To be clear, the commercial use of consumer information by data brokers and others can lead to concrete consumer harms: some actionable under existing law and some, perhaps, requiring novel rules. But it can lead to consumer benefits, too, and well-crafted rules must take both benefits and harms into account if they’re to do more good than harm. And then, there’s the pesky matter of jurisdiction, and who decides what. I hope I’m not sharing TMI about my priors when I say that I am not optimistic about the particulars.
I have saved the worst for last: the Digital Consumer Protection Commission Act of 2023, in which Sens. Elizabeth Warren (D-Mass.) and Chuck Grassley (R-Iowa) propose “[t]o amend the Clayton Act to establish a new Federal commission to regulate digital platforms, including with respect to competition, transparency, privacy, and national security.”
Because, why not just create a new federal agency out of whole cloth? And why not assign diverse responsibilities ranging across competition matters, privacy (starting to sound familiar to followers of the FTC?) and, indeed, national security, so that a new commission can address a laundry list of harms, both actual and purported, clear and hazy?
The commission would get quite a bit of deference as an expert agency. Under the proposal, it would have broad subpoena, regulatory, enforcement, and licensing authority (for platforms). While its decisions might be appealed to a federal court, the proposal would have such appeals restricted to questions of law: “the findings of the Commission as to the facts (including the definition of relevant markets and market shares), if supported by substantial evidence, shall be conclusive.”
Chevron on steroids, and then some.
But don’t fret. Sens. Warren and Grassley’s new agency would only regulate certain entities. “Covered entities” would only be those that “process or transfers personal data” and is subject to the FTC Act, or is one of the entities expressly excluded from the FTC’s jurisdiction, such as a common carrier, a bank, savings and loan, or federal credit union, an air carrier subject to the Federal Aviation Act, or a firm subject to the Packers and Stockyards Act. So . . . nearly all of the economy, apart from government entities?
There’s a further restriction: many of the agency’s rules, decisions, and penalties would only apply to “dominant platforms.” These would be entities designated as such by the new commission, but only those that have “not fewer than – 50,000,000 United States-based monthly active users; or 100,000 United States-based monthly active business users” And only those publicly traded firms that, for a period of time before an alleged violation had been owned or controlled by an entity with annual sales greater than $550 million (adjusted for inflation going forward) or, for a few months, a market cap greater than $550 billion (adjusted for inflation going forward).
So, that’s the kicker. This would be legislation designed to create an agency with sweeping regulatory authority to regulate only certain Big Tech firms, subject to only limited appeal to actual federal courts. As they say in the one-pager, “an independent, bipartisan regulator charged with policing the biggest tech platforms, like Facebook, Google, and Amazon.” As if that provides a clear theory of an expert agency.
None of this is supposed to suggest a global, hand-waving exoneration of an entire sector. But just off the top of my head, one might want less of a laundry list of actual, potential, and entirely unclear harms—say, bad stuff having something to do with tech, but let’s stipulate not all tech firms, and not those in a specific tech sector, but just, like, really big ones—and more identifiable and durable market failure that causes substantial (and demonstrable) consumer harm not easily avoided by consumers themselves, but that can be efficiently remediable by an expert and duly authorized regulator.
You know, a bit less finger pointing (and finger wagging), a lot less kicking the can into the regulatory void, and a bit more of a clear idea of why a new agency is needed. Or wanted. This doesn’t seem to be that. At all. But what could possibly go wrong?
I’d analyze the proposal in more detail if it had legs. It doesn’t seem to, but one worries for the future. If it comes to that, there will be much to say. For now: oy.
I’ve had little to say about the ongoing dustup (or worse) between the FTC—or Chair Khan, at any rate—and the House Judiciary and Oversight & Accountability committees. There was this in my “Total Drama Island” edition of the Roundup way back in February, where I observed that the back and forth did “not bode well” for the commission’s expansive rulemaking endeavors. You can thank me, Captain Obvious, for that one. (“Dr. Obvious,” if I’m being stuffy and grand. Dr. D’oh, if you want alliterative.)
Without providing any more context (compliance experts call this “building a fence around the Torah”), I’ll note that I received a call from someone at the FTC suggesting that this was “going to get ugly.” And so it went. There was a bicameral letter in March from Sen. Ted Cruz (R-Texas) and Rep. Jim Jordan (R-Ohio); a June letter from Cruz announcing an investigation; and, just yesterday, reports of a new letter alleging likely violations of federal law.
I’ve no special insight into the Hill, and no analysis to offer. I really don’t know where it’s going. But ugly is where it’s gotten already, and this is starting to look like more than drama. I believe it was Samuel Johnson who said: “words are like weapons, they wound sometimes.”
No, wait, that was Cher. Great minds, and all that.