This month, the Government Accountability Office (“GAO”) released a report recommending that Congress consider enacting a federal internet privacy law in the United States. The 56-page independent report was requested by the House Energy and Commerce Committee, which has scheduled a hearing on data privacy on February 26, during which it plans to discuss the GAO’s findings. The Senate Commerce Committee is scheduled to hold a similar hearing on February 27th.
According to the GAO, “Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.” The GAO stressed the importance of striking an appropriate balance between the benefits of data collection and addressing consumer concerns.
Specifically, the GAO recommended that the Federal Trade Commission (“FTC”) be responsible for enforcing internet privacy. Currently, the U.S. lacks an overarching federal privacy law governing the use, collection, and sale of consumer information. In lieu of a federal privacy law, the FTC has used its authority under Section 5 of the FTC Act to take action against unfair and deceptive practices with respect to privacy. However, as the report highlights, the FTC’s authority and enforcement abilities have been limited. The GAO also cited its own reports to support its conclusions about privacy and lack of regulatory oversight in the burgeoning IoT sector, automakers collecting smart car owner data (a summary of this report is available here), lack of oversight over companies that re-sell consumer information, and lack of protection for mobile users against undisclosed data collection practices.
The report also described the benefits of the collection of consumer information on the internet, which include: enabled services (e.g., mapping), low-cost or free services to consumers (e.g., social media), fostered innovation and customization. At the same time, the GAO report elevated concerns of consumers related to internet privacy, including: data breaches, financial harms, lack of understanding on data practices, and lack of control. As a result, in developing legislation, the GAO opined, Congress must strike the appropriate balance between these competing tensions, and consider issues such as:
- the proper agency to oversee internet privacy;
- what authorities an agency (or agencies) should have to oversee internet policy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority; and
- the appropriate balance between consumer privacy and the industry’s ability to deliver services and innovate.
The report was released amidst a myriad of federal legislative attention to consumer privacy issues, and numerous proposals for creating a federal U.S. privacy law. Additional coverage of these proposals can be found here:
- Democratic Senators Introduce Privacy Bill Seeking to Impose “Fiduciary” Duties on Online Providers
- Wyden Releases Draft Privacy Bill Increasing FTC Authority, Providing for Civil Fines and Criminal Penalties
- NTIA Publishes Stakeholder Comments on Consumer Privacy Proposal
- Senate Discusses a Federal Privacy Law with Privacy Experts: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act
- NTIA Requests Comments Regarding Federal Approach to Consumer Privacy
- Senate Examines Potential for Federal Data Privacy Legislation
- Senators Klobuchar and Kennedy Introduce Privacy Legislation