Skip to main content

Internet Privacy and Data Security: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility

GAO-19-427T Published: Mar 07, 2019. Publicly Released: Mar 07, 2019.
Jump To:

Fast Facts

This testimony focuses on the Federal Trade Commission's authority to oversee Internet privacy and security. Without a comprehensive federal data privacy law, the United States relies in part on FTC to use its broad authority to protect consumers from unfair and deceptive trade practices.

Most industry representatives we interviewed favored the current approach and warned that further regulations could hinder innovation.

Consumer advocates and most of the former FTC and FCC commissioners we interviewed favored having FTC issue and enforce regulations.

We previously recommended Congress consider comprehensive Internet privacy legislation.

 

A computer screen with blue and white coding on a black background.

A computer screen with blue and white coding on a black background.

Skip to Highlights

Highlights

What GAO Found

The United States does not have a comprehensive Internet privacy law governing the collection, use, and sale or other disclosure of consumers' personal information. At the federal level, the Federal Trade Commission (FTC) currently has the lead in overseeing Internet privacy, using its statutory authority under the FTC Act to protect consumers from unfair and deceptive trade practices. However, to date FTC has not issued regulations for Internet privacy other than those protecting financial privacy and the Internet privacy of children, which were required by law. For FTC Act violations, FTC may promulgate regulations but is required to use procedures that differ from traditional notice-and-comment processes and that FTC staff said add time and complexity.

In the last decade, FTC has filed 101 enforcement actions regarding Internet privacy; nearly all actions resulted in settlement agreements requiring action by the companies. In most of these cases, FTC did not levy civil penalties because it lacked such authority for those particular violations. The Federal Communications Commission (FCC) has had a limited role in overseeing Internet privacy. From 2015 to 2017, FCC asserted jurisdiction over the privacy practices of Internet service providers. In 2016, FCC promulgated privacy rules for Internet service providers that Congress later repealed. FTC resumed privacy oversight of Internet service providers in June 2018.

Stakeholders GAO interviewed had varied views on the current Internet privacy enforcement approach and how it could be enhanced. Most Internet industry stakeholders said they favored FTC's current approach—direct enforcement of its unfair and deceptive practices statutory authority, rather than promulgating and enforcing regulations implementing that authority. These stakeholders said that the current approach allows for flexibility and that regulations could hinder innovation. Other stakeholders, including consumer advocates and most former FTC and FCC commissioners GAO interviewed, favored having FTC issue and enforce regulations. Some stakeholders said a new data-protection agency was needed to oversee consumer privacy. Stakeholders identified three main areas in which Internet privacy oversight could be enhanced:

  • Statute. Some stakeholders told GAO that an overarching Internet privacy statute could enhance consumer protection by clearly articulating to consumers, industry, and agencies what behaviors are prohibited.
  • Rulemaking. Some stakeholders said that regulations can provide clarity, enforcement fairness, and flexibility. Officials from two other consumer protection agencies said their rulemaking authority assists in their oversight efforts and works together with enforcement actions.
  • Civil penalty authority. Some stakeholders said FTC's Internet privacy enforcement could be more effective with authority to levy civil penalties for first-time violations of the FTC Act.

Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy.

Why GAO Did This Study

This testimony summarizes the information contained in GAO's January 2019 report, entitled Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (GAO-19-52).

For more information, contact Alicia Puente Cackley at (202) 512-8678 or cackleya@gao.gov or Mark Goldstein at (202) 512-2834 or goldsteinm@gao.gov.

 

Full Report

GAO Contacts

Alicia Puente Cackley
Director
Financial Markets and Community Investment

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

ChildrenComputersConsumer privacyConsumer protectionData collectionDeceptive practicesFederal rulemakingFines (penalties)Internet privacyInternet service providersLaws and regulationsPersonally identifiable informationPrivacy protectionTelecommunications