Constitution Center
400 7th St SW
Washington
DC
20024
Event Description
This hearing was originally set to take place on February 12 -13 but has been rescheduled for April 9-10, 2019 due to the government shutdown.
As part of a series of Hearings on Competition and Consumer Protection in the 21st Century announced in June 2018, the Commission was to host a hearing to discuss the privacy aspects of Topic 5. (Topics 4 and 9, which address big data and artificial intelligence, also have privacy-related components; those topics were the subject of separate hearings on November 6-8 and November 13-14, respectively. The data security portion of Topic 5 were the subject of a separate hearing on December 11-12, 2018. The Commission released information on those hearings separately.)
The Commission welcomes written comments on specific questions to be discussed at the privacy hearing, as stated below. Interested parties may file until May 31, 2019. If any entity has provided funding for research, analysis, or commentary that is included in a submitted public comment, such funding and its source should be identified on the first page of the comment.
Background and Questions for Comment
The privacy of consumer data is a daily topic of news headlines, public discourse, and policy debates around the globe. Questions abound about consumers’ ability to make informed choices about data collection and use; potential harms to consumers resulting from data collection, sharing, aggregation, and use; the adequacy of existing legal and self-regulatory frameworks to protect consumers from those harms without unduly restraining legitimate business activity; and whether emerging frameworks improve on prior versions.
The Â鶹´«Ã½ Trade Commission last undertook efforts to engage the public in considering data privacy issues in a comprehensive way from 2009-2012. During that time, the Commission held a series of public roundtable discussions, published a draft privacy framework, and obtained and considered more than 450 written public comments. The Commission’s work culminated in 2012 with a comprehensive privacy report.
Technologies and business models have changed significantly since the FTC issued the 2012 report. Consumers have benefited from the proliferation of mobile apps, mobile payment systems, Internet-connected devices (i.e., the Internet of Things), and other innovations. At the same time, consumers have expressed concern about the growing collection and use of their data, and businesses have enhanced their ability to link consumers’ behavior across devices and platforms.
Some jurisdictions have enacted new laws that contain new approaches for addressing privacy risks. The European Union, for example, enacted the General Data Protection Regulation (GDPR) (effective in May 2018), which includes data access, erasure, and portability rights and breach notification requirements. Some states have enacted comprehensive privacy laws or laws that address particular technologies, such as biometrics. For its part, the Commission has not only continued using its broad authority to prohibit unfair and deceptive practices, but also enforces more specific privacy statutes, such as the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the Fair Credit Reporting Act.
In addition, the Administration is working toward development of principles and tools to protect consumer privacy. For example, the National Telecommunications and Information Administration (NTIA) is seeking comment on core privacy principles and the National Institute of Standards and Technology (NIST) is developing a privacy framework to help organizations manage privacy risks.
These rapidly-evolving changes in technology, business models, laws, and policy initiatives suggest that now is the right time for the Commission to re-examine the approach it developed in 2012. This includes addressing fundamental questions about what the goals of policymaking and enforcement in the privacy area should be, as well as the related question of how to define success.
The Commission has long taken a case-by-case approach to privacy, with protections calibrated to the particular law enforced as well as the sensitivity and use of personal information. However, the current approach needs to be examined in light of potential gaps in the Commission’s existing authority, as well as new risks, new opportunities, and new knowledge. Relevant questions include whether current approaches sufficiently protect consumer privacy; whether certain approaches may have unintentionally hindered innovation, growth, or competition, to the detriment of consumers and the economy; whether other approaches might better serve consumers and competition; and, if so, what those approaches should be. Accordingly, the Commission invites comments on the topics listed below, some of which have been examined in prior Commission materials and are being re-examined as part of the 21st Century Hearings initiative. Comments that contain empirical evidence and data are encouraged.
General Questions
- What are the actual and potential benefits for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these benefits?
- What are the actual and potential risks for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these risks?
- The use of “big data†in automated decisionmaking has generated considerable discussion among privacy stakeholders. Do risks of information collection, sharing, aggregation, and use include risks related to potential biases in algorithms? Do they include risks related to use of information in risk scoring, differential pricing, and other individualized marketing practices? Should consideration of such risks depend on the accuracy of the underlying predictions? Do such risks differ when data is being collected and analyzed by a computer rather than a human?
- Should privacy protections depend on the sensitivity of data? If so, what data is sensitive and why? What data is not sensitive and why not?
- Should privacy protection depend on, or allow for, consumer variation in privacy preferences? Why or why not? What are the appropriate tradeoffs to consider? If desired, how should this flexibility be implemented?
- Market-based injuries can be objectively measured—for example, credit card fraud and medical identity theft often impact consumers’ finances in a directly measurable way. Alternatively, a “non-market†injury, such as the embarrassment that comes from a breach of sensitive health information, cannot be objectively measured because there is no functioning market for it. Many significant privacy violations involve both market and non-market actors, sources, and harms. Should the Commission’s privacy enforcement and policy work be limited to market-based harms? Why or why not?
- In general, privacy interventions could be implemented at many different points in the process of collecting, processing, and using data. For example, certain collections could be banned, certain uses could be opt-in only, or certain types of processing could trigger disclosure requirements. Where should interventions be focused? What interventions are appropriate?
- Should policymakers and other stakeholders attempt to improve accountability for privacy issues within organizations? Why or why not? If so, how? Should privacy risk assessments be mandated for certain companies? Should minimum standards in privacy protections be required?
- How can firms that interface directly with consumers foster accountability of third parties to whom they transfer consumer data?
- What are the effects, if any, on competition and innovation from privacy interventions, including from policies such as data minimization, privacy by design, and other principles that the Commission has recommended?
- Do firms incur opportunity costs as a result of increased investments in privacy tools? If so, what are the tradeoffs between functionality, innovation, and security and privacy protections at the design level?
- If businesses offer consumers choices with respect to privacy protections, can consumers be provided the right balance of information, i.e., enough to inform the choice, but not so much that it overwhelms the decisionmaker? What is the best way to strike that balance and assess its efficacy?
- To what extent do companies compete on privacy? How do they compete? To what extent are these competitive dynamics dictated or influenced by consumer preferences, regulatory requirements, or other factors?
- Some academic studies have highlighted differences between consumers’ stated preferences on privacy and their “revealed†preferences, as demonstrated by specific behaviors. What are the explanations for the differences?
- Given rapidly evolving technology and risks, can concrete, regulated technological requirements – such as data de-identification – help sustainably manage risks to consumers? When is data de-identified? Given the evolution of technology, is the definition of de-identified data from the FTC’s 2012 Privacy Report workable? If not, are there alternatives?
- What should the role of the Commission be in the privacy area? What would define successful Commission intervention? How can the Commission measure success?
Questions About Legal Frameworks
- What are existing and emerging legal frameworks for privacy protection? What are the benefits and drawbacks of each framework?
- What are the tradeoffs between ex ante regulatory and ex post enforcement approaches to privacy protection?
- The U.S. has a number of privacy laws that cover conduct by certain entities that collect certain types of information, such as information about consumers’ finances or health. Various statutes address personal health data, financial information, children’s information, contents of communications, drivers’ license data, video viewing data, genetic data, education data, data collected by government agencies, customer proprietary network information, and information collected and used to make certain decisions about consumers. Are there gaps that need to be filled for certain kinds of entities, data, or conduct? Why or why not?
- Other than explicit statutory exemptions, are there limitations to the FTC’s authority to protect consumers’ privacy? If so, should they be removed? Why or why not? Should more limitations be implemented? Why or why not?
- If the U.S. were to enact federal privacy legislation, what should such legislation look like? Should it be based on Fair Information Practice Principles? How might a comprehensive law based on Fair Information Practice Principles account for differences in uses of data and sensitivity of data?
- Does the need for federal privacy legislation depend on the efficacy of emerging legal frameworks at the state level? How much time is needed to assess their effect?
- Short of a comprehensive law, are there other more specific laws that should be enacted? Should the FTC have additional tools, such as the authority to seek civil penalties?
- How should First Amendment norms be weighed against privacy values when developing a legal framework?
DISABILITY ACCOMMODATION
The FTC Hearings on Competition and Consumer Protection in the 21st Century will accommodate as many attendees as possible; however, admittance will be limited to seating availability. Reasonable accommodations for people with disabilities are available upon request. Request for accommodations should be submitted to Elizabeth Kraszewski via email at ekraszewski@ftc.gov or by phone at (202) 326-3087. Such requests should include a detailed description of the accommodation needed. Please allow at least five days advance notice for accommodation requests; last minute requests will be accepted but may not be possible to accommodate.
-
April 9, 2019
9:00-9:05 am
Welcome and Introductory Remarks
Jim Trilling
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection9:05-9:20 am
Opening Remarks
Joseph J. Simons, Chairman
Â鶹´«Ã½ Trade Commission9:20-10:30 am
Goals of Privacy Protection
Participants:
Neil Chilson
Senior Research Fellow for
Technology & Innovation
Charles Koch InstitutePaul Ohm
Professor of Law
Georgetown University Law CenterAlastair Mactaggart
Chairman
Californians for Consumer PrivacyModerator:
James Cooper
Â鶹´«Ã½ Trade Commission, Bureau of Consumer Protection10:30-10:45 am
Break
10:45 am-
12:00 pmThe Data Risk Spectrum: From De-Identified Data to Sensitive Individually Identifiable Data
Participants:
Deven McGraw
General Counsel &
Chief Regulatory Officer
CiitizenMichelle Richardson
Director, Privacy & Data Project
Center for Democracy & TechnologyShane Wiley
Chief Privacy Officer
CuebiqJules Polonetsky
CEO
Future of Privacy ForumAoife Sexton
Chief Privacy Officer
°Õ°ùÅ«²¹³Ù²¹Moderators:
Cora Han
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionElisa Jillson
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection12:00-1:00 pm
Lunch Break
1:00-1:15 pm
Remarks
Noah Joshua Phillips, Commissioner
Â鶹´«Ã½ Trade Commission1:15-2:15 pm
Consumer Demand and Expectations for Privacy
Participants:
Lorrie Faith Cranor
Professor of Computer Science,
Engineering and Public Policy
Carnegie Mellon UniversityAriel Fox Johnson
Senior Counsel, Policy and Privacy
Common SenseLaura Pirri
Senior Legal Director
and Data Protection Officer
FitbitAvi Goldfarb
Professor of Marketing, Rotman Chair in Artificial Intelligence and Healthcare
University of Toronto, Rotman School of ManagementJason Kint
CEO
Digital Content NextHeather West
Senior Policy Manager
MozillaModerators:
Daniel Gilman
Â鶹´«Ã½ Trade Commission, Office of Policy PlanningLaura Riposo VanDruff
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection2:15-3:30 pm
Current Approaches to Privacy, Part 1
Participants:
Fred Cate
Vice President for Research, Distinguished Professor,
and C. Ben Dutton Professor of Law
Indiana UniversityMargot Kaminski
Associate Professor
University of Colorado Law SchoolLaura Moy
Executive Director
Center on Privacy & Technology
Georgetown University Law CenterMarkus Heyder
Vice President
and Senior Policy Counselor
Centre for Information Policy Leadership, Hunton Andrews Kurth LLPDavid LeDuc
Vice President, Public Policy
Network Advertising InitiativeShaundra Watson
Senior Director, Policy
BSA | The Software AllianceModerators:
Jared Ho
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionLaura Riposo VanDruff
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection3:30-3:45 pm
Break
3:45-5:00 pm
Current Approaches to Privacy, Part 2
Participants:
Lothar Determann
Partner
Baker McKenzieRebecca S. Engrav
Partner
Perkins CoieTracy Shapiro
Partner
DLA PiperJay Edelson
Founder & CEO
Edelson PCAlan Raul
Partner
Sidley Austin LLPModerators:
Andrea Arias
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionElisa Jillson
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection5:00-5:05 pm
Closing Remarks
Jim Trilling
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionApril 10, 2019
9:00-9:05 am
Welcome and Introductory Remarks
Elisa Jillson
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection9:05-10:20 am
Role of Notice and Choice
Participants:
Jordan Crenshaw
Policy Counsel
C_TEC, U.S. Chamber of CommerceFlorencia Marotta-Wurgler
Professor of Law
New York University School of LawKatherine Tassi
Deputy General Counsel,
Privacy and Product
Snap Inc.Pam Dixon
Founder & Executive Director
World Privacy ForumNeil Richards
Koch Distinguished Professor of Law
Washington University in St. Louis School of LawRachel Welch
Senior Vice President,
Policy and External Affairs
Charter CommunicationsModerators:
Peder Magee
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionRyan Mehm
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection10:20-10:35 am
Break
10:35-11:50 am
Role of Access, Deletion, and Correction
Participants:
Jonathan D. Avila
Vice President &
Chief Privacy Officer
WalmartChris Calabrese
Vice President, Policy
Center for Democracy & TechnologyAli Lange
Senior Public Policy Analyst
GoogleKatie Race Brin
Chief Privacy Officer
2U, Inc.Jennifer Barrett Glasgow
Executive Vice President,
Policy and Compliance
First OrionGus Rossi
Global Policy Director
Public KnowledgeModerators:
Jared Ho
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionRuth Yodaiken
Â鶹´«Ã½ Trade Commission, Office of Policy Planning11:50 am-
1:00 pmLunch Break
1:00-1:15 pm
Remarks
Rebecca Kelly Slaughter, Commissioner
Â鶹´«Ã½ Trade Commission1:15-2:15 pm
Accountability
Participants:
Martin Abrams
Executive Director
and Chief Strategist
Information Accountability FoundationMike Hintze
Partner
Hintze Law PLLCAri Ezra Waldman
Professor of Law
New York Law SchoolDan Caprio
Executive Chairman
The Providence GroupCorynne McSherry
Legal Director
Electronic Frontier FoundationKaren Zacharia
Chief Privacy Officer
VerizonModerators:
James Cooper
Â鶹´«Ã½ Trade Commission, Bureau of Consumer ProtectionAndrew Stivers
Â鶹´«Ã½ Trade Commission, Bureau of Economics2:15-3:30 pm
Is the FTC’s Current Toolkit Adequate? (Part 1)
Participants:
Christine Bannan
Consumer Protection Counsel
Electronic Privacy Information CenterJane Horvath
Senior Director of Global Privacy
AppleJon Leibowitz
Partner
Davis PolkMarc Groman
Principal
GCG LLCStuart P. Ingis
Partner
Venable LLPPeter Swire
Elizabeth & Tommy Holder Chair
of Law and Ethics
Scheller College of Business
Georgia Institute of TechnologyModerators:
Maneesha Mithal
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionJim Trilling
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection3:30-3:45 pm
Break
3:45-5:00 pm
Is the FTC’s Current Toolkit Adequate? (Part 2)
Participants:
Julie Brill
Corporate Vice President
& Deputy General Counsel
MicrosoftDavid A. Hoffman
Associate General Counsel
and Global Privacy Officer
IntelBerin Szóka
President
TechFreedomJustin Brookman
Director, Consumer Privacy
and Technology Policy
Consumer ReportsLydia Parnes
Partner
Wilson Sonsini Goodrich & RosatiDavid Vladeck
A.B. Chettle, Jr. Professor of Law
Georgetown University Law CenterModerators:
Maneesha Mithal
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionJim Trilling
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection5:00-5:10 pm
Closing Remarks
Maneesha Mithal
Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity ProtectionFileAgenda - Day 1 (4/9/19) (155.79 KB)FileAgenda - Day 2 (4/10/19) (137.95 KB)
- FileSpeaker Bios for Day 1 (183.14 KB)FileSpeaker Bio Day 2 (167.45 KB)
-
Event Materials
FilePresentation Slides Day 1 (1.28 MB)FilePresentation Slides Day 2 (61.29 KB)
-
Transcript - Files
FileFile
-
Videos
-
Location
Request for Comments
Interested parties may file pre-hearing until December 21, 2018, and the Commission will additionally consider any comments it receives electronically until May 31, 2019.
If parties already filed relevant comments in response to the Initial Topics for Comment, they need not refile those comments here.