On September 27th, the Senate Committee on Commerce, Science, and Transportation held a general oversight hearing of the FTC, which covered a multitude of major policy issues and included testimony from Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen, and Commissioner Terrell McSweeny. Chairman John Thune (R-SD) convened the hearing, joined by Senator Richard Blumenthal (D-CT) who sat in for Ranking Member Bill Nelson (D-FL), who was not in attendance. Several other Committee members also participated in the hearing, cycling through as schedules permitted on what appeared to be a jam-packed day. Members in attendance included: Senators Dean Heller (R-NV), Amy Klobuchar (D-MN), Brian Shatz (D-HI), Jerry Moran (R-KS), Steve Daines (R-MT), Dan Sullivan (R-AK), Edward Markey (D-MA), Tom Udall (D-NM), Kelly Ayotte (R-NH), Maria Cantwell (D-WA), and Deb Fischer (R-NE).
The Commissioners’ opening statements focused on key issues related to the agency’s mandate including enforcement, policy development, business education, and competition promotion. But for members and Commissioners alike, privacy and data security were the clear headline issues of the day. A variety of related topics were also raised, including protecting children online, the Internet of Things (IOT), tourism, credit reports, telecommunications, and deceptive claims. A brief summary of these issues follows.
Privacy, Data Security, and FTC Enforcement
Several members referenced the recent Yahoo breach of customer data to highlight the importance of protecting consumer privacy and raised related policy issues such as what reasonable measures companies should take to protect sensitive personal data, standards for providing notification of data breaches, and whether the Commission has sufficient enforcement tools to address these concerns.
Chairman Thune posed questions related to both data security and the Commission’s enforcement authority, and inquired whether “substantial harm” must always be economic harm. Chairwoman Ramirez posited that there was no such limitation, and while in most cases substantial harm would be economic, it was proper in her opinion for the Commission to consider intangible harms related to privacy, such as infringement of privacy rights or the potential risks that come from the unauthorized release of personal information.
Senator Blumenthal used the Yahoo case to inquire whether changes are required to Section 5 of the Federal Trade Commission Act to make the FTC a more effective enforcer of data breaches. Chairwoman Ramirez responded that, while the existing law works, it could be improved by giving the FTC authority to issue civil penalties and jurisdiction over non-profit organizations. Commissioner Ohlhausen added that she was supportive of a federal data breach notification requirement.
Senator Sullivan, pressing on the notification issue, inquired about what current law requires with respect to timing, particularly in the case of Yahoo. Chairwoman Ramirez echoed Commissioner Ohlhausen’s support for federal notification legislation that would set a uniform standard for security and incorporate a reasonableness approach. She further speculated that 30 or 60 days might be appropriate, but acknowledged the need to strike a balance between over-notifying consumers and providing them with timely, accurate information with which to take protective measures.
Senator Shatz pointed out that, when a breach affects hundreds of millions of consumers’ data, prevention, and not just notification, becomes paramount. He suggested that Congress should reexamine what constitutes “reasonable” data security requirements, and whether existing law would require a company to increase security standards if they clearly are not working, as evidenced by recent massive breaches.
Protecting Student Data Online
Protecting the privacy of children’s personal information from use – inappropriate or otherwise – was raised on a bipartisan basis with regard to collection of student data. Senators Blumenthal and Daines expressed concern that school-age children, 13 years and older, were not covered by the Children’s Online Privacy Protection Act’s (COPPA’s) parental consent requirement when it comes to disclosure of sensitive data that could reveal a student’s known location, consumer preferences, or academic performance. Acknowledging the existence of legitimate uses for such data – for example personalized learning – they called for further clarification of what businesses can do with student data, which would be addressed by the Safeguarding American Families from Exposure by Keeping Information and Data Secure (SAFE KIDS) Act, a bill introduced by Senators Blumenthal and Daines. Chairwoman Ramirez agreed that regardless of the proposed use, personal information of children should be protected and only released with parental consent. Commissioner Ohlhausen cautioned, however, that older children have different needs and capabilities than younger children that are worth further consideration.
Internet of Things (IOT)
The complex and multiple challenges associated with the IOT were addressed mostly in prepared remarks and brief mentions throughout the hearing. Chairman Thune concluded his opening statement with a caution to the Commission to exercise “humility” so as to preserve “permission-less innovation” as it examines this evolving issue. Similarly, Commissioner Ohlhausen testified regarding the Commission’s recent workshop on the IOT and opined that IOT regulations were premature given the current pace of technological innovation in the field.
Senators Heller and Klobuchar each inquired about a specific issue, of possible individual interest, related to tourism. Senator Heller wanted to know whether 2012 FTC guidance on resort fees was benefiting consumers and challenged whether the number of complaints (ranging from 8-10 based on his data) justified recent FTC enforcement actions. Senator Klobuchar raised questions as to how search engine results function on third party travel sites. Chairwoman Ramirez acknowledged both concerns and indicated she would provide additional information post-hearing.
Senator Shatz raised concerns about the time it takes to correct errors on credit reports, which may prevent otherwise eligible applicants from obtaining loans and sometimes jobs. He also noted the disparate impact such errors can have on persons in underserved and low-income communities. The Commissioners unanimously agreed this was a priority issue, noting they take the Fair Credit Reporting Act very seriously and have brought a number of enforcement actions in this area. Commissioner McSweeny underscored that this issue was essential to dealing with problems like identity theft, and Chairwoman Ramirez stated that there was room for progress, including by more quickly correcting errors and eliminating time-consuming procedures. She also noted that the FTC was coordinating with the Consumer Financial Protection Bureau on this issue.
Members also raised issues in areas where FTC jurisdiction overlaps with the Federal Communications Commission (FCC). For example, Senator Blumenthal referenced a plethora of complaints about the ineffectiveness of Do-Not-Call lists. He identified robocalls as a root of the problem and noted he supports a ban of the technology. Chairwoman Ramirez shared the Senator’s frustration and acknowledged that technology has helped malefactors avoid and bypass the law. She indicated that the FTC, in discussions with the FCC, is looking at technology-based solutions, as well as other means to address the problem.
Additionally, in response to questions about FTC input on FCC regulations in areas of shared jurisdiction concerning the treatment of data, the Commissioners agreed that it was important for there to be a harmonized approach across federal agencies. That said, Chairwoman Ramirez cautioned that privacy and data security issues will continue to arise across different agencies with different authorities. In these situations, the FTC weighs in where permitted through agency notice and comment procedures, such as it did on the FCC’s privacy and set-top box rules.
Deceptive Claims and Safety Recalls
Senator Udall, who has introduced a bill to specifically prohibit deceptive claims related to the safety benefits of sports equipment, pressed the Commissioners to more carefully scrutinize anti-concussion marketing claims, such as Shock Doctor’s assertion that their product prevents head injuries, to determine if they are deceptive. He noted previous FTC action in the form of warning letters, and encouraged the FTC to remain engaged and active. Senator Blumenthal also welcomed examination of this issue, noting the issue is relevant to the National Hockey League as well. In addition, Senator Blumenthal raised concerns in connection with the FTC’s settlements with used car dealers and manufacturers, stating that his Used Car Safety Recall Repair Act would require car dealers to make recall repairs before selling used cars.
While the hearing was far too broad to delve into the specifics of every issue, it was a comprehensive issue-spotting exercise that highlighted numerous important matters of Congressional interest and concern pending before the FTC. Other issues mentioned, not covered here, include prescription drug prices, health care competition as a result of the Affordable Care Act, and the potential for fraud in the renewable identification number (RIN) market created under the Renewable Fuel Standard Program.
Chairman Thune suggested that the Committee would continue to examine these issues, perhaps in the upcoming lame duck session, through an industry panel before the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security. The Subcommittee intended to hold a counterpart hearing for industry and thought leaders to offer perspectives in addition to the Commission, but that hearing was cancelled due to conflicts. Chairman Thune indicated it would have to be rescheduled.
For any questions about this hearing or related issues contact: