In its 56-page Feb. 13 report, the GAO listed three issues that should be considered:
- Which agency or agencies should oversee Internet privacy.
- What authorities an agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority.
- How to balance consumers’ need for Internet privacy with industry’s ability to provide services and innovate.
The Federal Trade Commission, the lead agency when it comes to Internet privacy, has not issued privacy regulations other than the legally required rules protecting financial data and children.
In the last decade, FTC filed 101 enforcement actions regarding Internet privacy. “In most of these cases, FTC did not levy civil penalties because it lacked such authority for those particular violations,” the GAO says.
The Federal Communications Commission had a limited role in overseeing Internet privacy, and from 2015 to 2017 asserted jurisdiction over the privacy practices of Internet service providers. In 2016, FCC promulgated privacy rules for ISPs that Congress repealed. FTC resumed privacy oversight of ISPs in June 2018, according to the report.
The GAO raised concerns about the collection and use of data such as a person’s browsing history, purchases, locations and travel routes. Specifically, the GAO mentioned the Internet of things, vehicle data privacy, information resellers, and mobile device location data.
As part of its investigation, the GAO interviewed a number of Internet privacy stakeholders from the tech industry (e.g. Facebook, Google) and consumer advocacy groups, and former FTC and FCC commissioners and academics. “Most Internet industry stakeholders said they favored FTC’s current approach—direct enforcement of its unfair and deceptive practices statutory authority, rather than promulgating and enforcing regulations implementing that authority. These stakeholders said that the current approach allows for flexibility and that regulations could hinder innovation. Other stakeholders, including consumer advocates and most former FTC and FCC commissioners GAO interviewed, favored having FTC issue and enforce regulations. Some stakeholders said a new data-protection agency was needed to oversee consumer privacy.”
Stakeholders identified three main areas in which Internet privacy oversight could be enhanced:
Statute. Some stakeholders told GAO that an overarching Internet privacy statute could enhance consumer protection by clearly articulating to consumers, industry, and agencies what behaviors are prohibited.
Rulemaking. Some stakeholders said that regulations can provide clarity, enforcement fairness, and flexibility. Officials from two other consumer protection agencies said their rulemaking authority assists in their oversight efforts and works together with enforcement actions.
Civil penalty authority. Some stakeholders said FTC’s Internet privacy enforcement could be more effective with authority to levy civil penalties for first-time violations of the FTC Act.
GAO suggested Congress look for inspiration in the Fair Information Practice Principles and a version of these principles created by the Organisation for Economic Co-Operation and Development.