Â鶹´«Ã½

Skip to main content
Image
Room
Auditorium

Event Description

This hearing was originally set to take place on February 12 -13 but has been rescheduled for April 9-10, 2019 due to the government shutdown.

As part of a series of Hearings on Competition and Consumer Protection in the 21st Century announced in June 2018, the Commission was to host a hearing to discuss the privacy aspects of Topic 5. (Topics 4 and 9, which address big data and artificial intelligence, also have privacy-related components; those topics were the subject of separate hearings on November 6-8 and November 13-14, respectively. The data security portion of Topic 5 were the subject of a separate hearing on December 11-12, 2018. The Commission released information on those hearings separately.)

The Commission welcomes written comments on specific questions to be discussed at the privacy hearing, as stated below. Interested parties may file  until May 31, 2019. If any entity has provided funding for research, analysis, or commentary that is included in a submitted public comment, such funding and its source should be identified on the first page of the comment.

Background and Questions for Comment

The privacy of consumer data is a daily topic of news headlines, public discourse, and policy debates around the globe. Questions abound about consumers’ ability to make informed choices about data collection and use; potential harms to consumers resulting from data collection, sharing, aggregation, and use; the adequacy of existing legal and self-regulatory frameworks to protect consumers from those harms without unduly restraining legitimate business activity; and whether emerging frameworks improve on prior versions.

The Â鶹´«Ã½ Trade Commission last undertook efforts to engage the public in considering data privacy issues in a comprehensive way from 2009-2012. During that time, the Commission held a series of public roundtable discussions, published a draft privacy framework, and obtained and considered more than 450 written public comments. The Commission’s work culminated in 2012 with a comprehensive privacy report.

Technologies and business models have changed significantly since the FTC issued the 2012 report. Consumers have benefited from the proliferation of mobile apps, mobile payment systems, Internet-connected devices (i.e., the Internet of Things), and other innovations. At the same time, consumers have expressed concern about the growing collection and use of their data, and businesses have enhanced their ability to link consumers’ behavior across devices and platforms.

Some jurisdictions have enacted new laws that contain new approaches for addressing privacy risks. The European Union, for example, enacted the General Data Protection Regulation (GDPR) (effective in May 2018), which includes data access, erasure, and portability rights and breach notification requirements. Some states have enacted comprehensive privacy laws or laws that address particular technologies, such as biometrics. For its part, the Commission has not only continued using its broad authority to prohibit unfair and deceptive practices, but also enforces more specific privacy statutes, such as the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the Fair Credit Reporting Act.   

In addition, the Administration is working toward development of principles and tools to protect consumer privacy. For example, the National Telecommunications and Information Administration (NTIA) is seeking comment on core privacy principles and the National Institute of Standards and Technology (NIST) is developing a privacy framework to help organizations manage privacy risks.

These rapidly-evolving changes in technology, business models, laws, and policy initiatives suggest that now is the right time for the Commission to re-examine the approach it developed in 2012. This includes addressing fundamental questions about what the goals of policymaking and enforcement in the privacy area should be, as well as the related question of how to define success.

The Commission has long taken a case-by-case approach to privacy, with protections calibrated to the particular law enforced as well as the sensitivity and use of personal information. However, the current approach needs to be examined in light of potential gaps in the Commission’s existing authority, as well as new risks, new opportunities, and new knowledge. Relevant questions include whether current approaches sufficiently protect consumer privacy; whether certain approaches may have unintentionally hindered innovation, growth, or competition, to the detriment of consumers and the economy; whether other approaches might better serve consumers and competition; and, if so, what those approaches should be. Accordingly, the Commission invites comments on the topics listed below, some of which have been examined in prior Commission materials and are being re-examined as part of the 21st Century Hearings initiative. Comments that contain empirical evidence and data are encouraged.

General Questions

  • What are the actual and potential benefits for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these benefits?
  • What are the actual and potential risks for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these risks?
  • The use of “big data†in automated decisionmaking has generated considerable discussion among privacy stakeholders. Do risks of information collection, sharing, aggregation, and use include risks related to potential biases in algorithms? Do they include risks related to use of information in risk scoring, differential pricing, and other individualized marketing practices? Should consideration of such risks depend on the accuracy of the underlying predictions? Do such risks differ when data is being collected and analyzed by a computer rather than a human?
  • Should privacy protections depend on the sensitivity of data? If so, what data is sensitive and why? What data is not sensitive and why not?
  • Should privacy protection depend on, or allow for, consumer variation in privacy preferences? Why or why not? What are the appropriate tradeoffs to consider? If desired, how should this flexibility be implemented?
  • Market-based injuries can be objectively measured—for example, credit card fraud and medical identity theft often impact consumers’ finances in a directly measurable way.  Alternatively, a “non-market†injury, such as the embarrassment that comes from a breach of sensitive health information, cannot be objectively measured because there is no functioning market for it. Many significant privacy violations involve both market and non-market actors, sources, and harms. Should the Commission’s privacy enforcement and policy work be limited to market-based harms? Why or why not?
  • In general, privacy interventions could be implemented at many different points in the process of collecting, processing, and using data. For example, certain collections could be banned, certain uses could be opt-in only, or certain types of processing could trigger disclosure requirements. Where should interventions be focused? What interventions are appropriate?
  • Should policymakers and other stakeholders attempt to improve accountability for privacy issues within organizations? Why or why not? If so, how? Should privacy risk assessments be mandated for certain companies? Should minimum standards in privacy protections be required?
  • How can firms that interface directly with consumers foster accountability of third parties to whom they transfer consumer data?
  • What are the effects, if any, on competition and innovation from privacy interventions, including from policies such as data minimization, privacy by design, and other principles that the Commission has recommended?
  • Do firms incur opportunity costs as a result of increased investments in privacy tools? If so, what are the tradeoffs between functionality, innovation, and security and privacy protections at the design level?
  • If businesses offer consumers choices with respect to privacy protections, can consumers be provided the right balance of information, i.e., enough to inform the choice, but not so much that it overwhelms the decisionmaker? What is the best way to strike that balance and assess its efficacy?
  • To what extent do companies compete on privacy? How do they compete? To what extent are these competitive dynamics dictated or influenced by consumer preferences, regulatory requirements, or other factors?
  • Some academic studies have highlighted differences between consumers’ stated preferences on privacy and their “revealed†preferences, as demonstrated by specific behaviors. What are the explanations for the differences?
  • Given rapidly evolving technology and risks, can concrete, regulated technological requirements – such as data de-identification – help sustainably manage risks to consumers? When is data de-identified? Given the evolution of technology, is the definition of de-identified data from the FTC’s 2012 Privacy Report workable?  If not, are there alternatives?
  • What should the role of the Commission be in the privacy area? What would define successful Commission intervention? How can the Commission measure success?

Questions About Legal Frameworks

  • What are existing and emerging legal frameworks for privacy protection? What are the benefits and drawbacks of each framework?
  • What are the tradeoffs between ex ante regulatory and ex post enforcement approaches to privacy protection?
  • The U.S. has a number of privacy laws that cover conduct by certain entities that collect certain types of information, such as information about consumers’ finances or health. Various statutes address personal health data, financial information, children’s information, contents of communications, drivers’ license data, video viewing data, genetic data, education data, data collected by government agencies, customer proprietary network information, and information collected and used to make certain decisions about consumers. Are there gaps that need to be filled for certain kinds of entities, data, or conduct? Why or why not?
  • Other than explicit statutory exemptions, are there limitations to the FTC’s authority to protect consumers’ privacy? If so, should they be removed? Why or why not? Should more limitations be implemented? Why or why not?
  • If the U.S. were to enact federal privacy legislation, what should such legislation look like? Should it be based on Fair Information Practice Principles? How might a comprehensive law based on Fair Information Practice Principles account for differences in uses of data and sensitivity of data?
  • Does the need for federal privacy legislation depend on the efficacy of emerging legal frameworks at the state level? How much time is needed to assess their effect?
  • Short of a comprehensive law, are there other more specific laws that should be enacted? Should the FTC have additional tools, such as the authority to seek civil penalties?
  • How should First Amendment norms be weighed against privacy values when developing a legal framework?

DISABILITY ACCOMMODATION

The FTC Hearings on Competition and Consumer Protection in the 21st Century will accommodate as many attendees as possible; however, admittance will be limited to seating availability. Reasonable accommodations for people with disabilities are available upon request. Request for accommodations should be submitted to Elizabeth Kraszewski via email at ekraszewski@ftc.gov or by phone at (202) 326-3087. Such requests should include a detailed description of the accommodation needed. Please allow at least five days advance notice for accommodation requests; last minute requests will be accepted but may not be possible to accommodate.

  • April 9, 2019

    9:00-9:05 am

    Welcome and Introductory Remarks

    Jim Trilling
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    9:05-9:20 am

    Opening Remarks

    Joseph J. Simons, Chairman
    Â鶹´«Ã½ Trade Commission  

    9:20-10:30 am

    Goals of Privacy Protection

    Participants:

    Neil Chilson
    Senior Research Fellow for
    Technology & Innovation
    Charles Koch Institute

    Paul Ohm
    Professor of Law
    Georgetown University Law Center

    Alastair Mactaggart
    Chairman
    Californians for Consumer Privacy

     

    Moderator:

    James Cooper
    Â鶹´«Ã½ Trade Commission, Bureau of Consumer Protection

    10:30-10:45 am

    Break

    10:45 am-
    12:00 pm

    The Data Risk Spectrum: From De-Identified Data to Sensitive Individually Identifiable Data

    Participants:

    Deven McGraw
    General Counsel &
    Chief Regulatory Officer
    Ciitizen

    Michelle Richardson
    Director, Privacy & Data Project
    Center for Democracy & Technology

    Shane Wiley
    Chief Privacy Officer
    Cuebiq

    Jules Polonetsky
    CEO
    Future of Privacy Forum

     

    Aoife Sexton
    Chief Privacy Officer
    °Õ°ùÅ«²¹³Ù²¹

     

    Moderators:

    Cora Han
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Elisa Jillson
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    12:00-1:00 pm

    Lunch Break

    1:00-1:15 pm

    Remarks

    Noah Joshua Phillips, Commissioner
    Â鶹´«Ã½ Trade Commission

    1:15-2:15 pm

    Consumer Demand and Expectations for Privacy

    Participants:

    Lorrie Faith Cranor
    Professor of Computer Science,
    Engineering and Public Policy
    Carnegie Mellon University

    Ariel Fox Johnson
    Senior Counsel, Policy and Privacy
    Common Sense

    Laura Pirri
    Senior Legal Director
    and Data Protection Officer
    Fitbit

    Avi Goldfarb
    Professor of Marketing, Rotman Chair in Artificial Intelligence and Healthcare
    University of Toronto, Rotman School of Management

    Jason Kint
    CEO
    Digital Content Next

    Heather West
    Senior Policy Manager
    Mozilla

    Moderators:

    Daniel Gilman
    Â鶹´«Ã½ Trade Commission, Office of Policy Planning

    Laura Riposo VanDruff
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    2:15-3:30 pm

    Current Approaches to Privacy, Part 1

    Participants:

    Fred Cate
    Vice President for Research, Distinguished Professor,
    and C. Ben Dutton Professor of Law
    Indiana University

    Margot Kaminski
    Associate Professor
    University of Colorado Law School

    Laura Moy
    Executive Director
    Center on Privacy & Technology
    Georgetown University Law Center

    Markus Heyder
    Vice President
    and Senior Policy Counselor
    Centre for Information Policy Leadership, Hunton Andrews Kurth LLP

    David LeDuc
    Vice President, Public Policy
    Network Advertising Initiative

    Shaundra Watson
    Senior Director, Policy
    BSA | The Software Alliance

    Moderators:

    Jared Ho
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Laura Riposo VanDruff
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

     

    3:30-3:45 pm

    Break

    3:45-5:00 pm

    Current Approaches to Privacy, Part 2

    Participants:

    Lothar Determann
    Partner
    Baker McKenzie

    Rebecca S. Engrav
    Partner
    Perkins Coie

    Tracy Shapiro
    Partner
    DLA Piper

    Jay Edelson
    Founder & CEO
    Edelson PC

    Alan Raul
    Partner
    Sidley Austin LLP

    Moderators:

    Andrea Arias
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Elisa Jillson
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

     

    5:00-5:05 pm

    Closing Remarks

    Jim Trilling
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection   

    April 10, 2019

    9:00-9:05 am

    Welcome and Introductory Remarks

    Elisa Jillson
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection   

    9:05-10:20 am

    Role of Notice and Choice

    Participants:

    Jordan Crenshaw
    Policy Counsel
    C_TEC, U.S. Chamber of Commerce

    Florencia Marotta-Wurgler
    Professor of Law
    New York University School of Law

    Katherine Tassi
    Deputy General Counsel,
    Privacy and Product
    Snap Inc.

    Pam Dixon
    Founder & Executive Director
    World Privacy Forum

    Neil Richards
    Koch Distinguished Professor of Law
    Washington University in St. Louis School of Law

    Rachel Welch
    Senior Vice President,
    Policy and External Affairs
    Charter Communications

    Moderators:

    Peder Magee
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Ryan Mehm
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection  

    10:20-10:35 am

    Break

    10:35-11:50 am

    Role of Access, Deletion, and Correction

    Participants:

    Jonathan D. Avila
    Vice President &
    Chief Privacy Officer
    Walmart

    Chris Calabrese
    Vice President, Policy
    Center for Democracy & Technology

    Ali Lange
    Senior Public Policy Analyst
    Google

    Katie Race Brin
    Chief Privacy Officer
    2U, Inc.

    Jennifer Barrett Glasgow
    Executive Vice President,
    Policy and Compliance
    First Orion

    Gus Rossi
    Global Policy Director
    Public Knowledge

    Moderators:

    Jared Ho
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Ruth Yodaiken
    Â鶹´«Ã½ Trade Commission, Office of Policy Planning

    11:50 am-
    1:00 pm

    Lunch Break

    1:00-1:15 pm

    Remarks

    Rebecca Kelly Slaughter, Commissioner
    Â鶹´«Ã½ Trade Commission

    1:15-2:15 pm

    Accountability

    Participants:

    Martin Abrams
    Executive Director
    and Chief Strategist
    Information Accountability Foundation

    Mike Hintze
    Partner
    Hintze Law PLLC

    Ari Ezra Waldman
    Professor of Law
    New York Law School

    Dan Caprio
    Executive Chairman
    The Providence Group

    Corynne McSherry
    Legal Director
    Electronic Frontier Foundation

    Karen Zacharia
    Chief Privacy Officer
    Verizon

    Moderators:

    James Cooper
    Â鶹´«Ã½ Trade Commission, Bureau of Consumer Protection

    Andrew Stivers
    Â鶹´«Ã½ Trade Commission, Bureau of Economics

    2:15-3:30 pm

    Is the FTC’s Current Toolkit Adequate? (Part 1)

    Participants:

    Christine Bannan
    Consumer Protection Counsel
    Electronic Privacy Information Center

    Jane Horvath
    Senior Director of Global Privacy
    Apple

    Jon Leibowitz
    Partner
    Davis Polk

    Marc Groman
    Principal
    GCG LLC

    Stuart P. Ingis
    Partner
    Venable LLP

    Peter Swire
    Elizabeth & Tommy Holder Chair
    of Law and Ethics
    Scheller College of Business
    Georgia Institute of Technology

    Moderators:

    Maneesha Mithal
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Jim Trilling
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    3:30-3:45 pm

    Break

    3:45-5:00 pm

    Is the FTC’s Current Toolkit Adequate? (Part 2)

    Participants:

    Julie Brill
    Corporate Vice President
    & Deputy General Counsel
    Microsoft

    David A. Hoffman
    Associate General Counsel
    and Global Privacy Officer
    Intel

    Berin Szóka
    President
    TechFreedom

    Justin Brookman
    Director, Consumer Privacy
    and Technology Policy
    Consumer Reports

    Lydia Parnes
    Partner
    Wilson Sonsini Goodrich & Rosati

    David Vladeck
    A.B. Chettle, Jr. Professor of Law
    Georgetown University Law Center

    Moderators:

    Maneesha Mithal
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    Jim Trilling
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection

    5:00-5:10 pm

    Closing Remarks

    Maneesha Mithal
    Â鶹´«Ã½ Trade Commission, Division of Privacy and Identity Protection   

  • Request for Comments

    Interested parties may file pre-hearing until December 21, 2018, and the Commission will additionally consider any comments it receives electronically until May 31, 2019.

    If parties already filed relevant comments in response to the Initial Topics for Comment, they need not refile those comments here.

FTC Privacy Policy

Under the Freedom of Information Act (“FOIAâ€) or other laws, we may be required to disclose to outside organizations the information you provide when you pre-register for events that require registration. The Commission will consider all timely and responsive public comments, whether filed in paper or electronic form, and as a matter of discretion, we make every effort to remove home contact information for individuals from the public comments before posting them on the FTC website.

The FTC Act and other laws we administer permit the collection of your pre-registration contact information and the comments you file to consider and use in this proceeding as appropriate. For additional information, including routine uses permitted by the Privacy Act, see the Commission’s Privacy Act system for public records and comprehensive privacy policy.

This event will be open to the public and may be photographed, videotaped, webcast, or otherwise recorded.  By participating in this event, you are agreeing that your image — and anything you say or submit — may be posted indefinitely at ftc.gov or on one of the Commission's publicly available social media sites.