Ira Rubinstein is panelist at Federal Trade Commission roundtable on regulatory approaches to consumer privacy

On December 7, Ira Rubinstein, a Senior Fellow at the Information Law Institute, appeared at a day-long roundtable organized by the Federal Trade Commission (FTC) as an invited expert on regulatory approaches to consumer privacy.

In the face of unprecedented challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data, the FTC is examining new approaches to protecting consumer privacy. The December 7th  event, the first of three roundtables over the next six months dedicated to “Exploring Privacy,” featured five panel discussions, as well as remarks by FTC Chairman Jon Leibowitz '84, FTC Commissioner Pamela Jones Harbour, and David C. Vladeck, Director of the FTC’s Bureau of Consumer Protection. Earlier in the semester, Harbour and Vladeck visited the Law School to speak at a Workshop on Federal Privacy Legislation, organized by the Information Law Institute. 

The U.S. takes a sectoral approach to privacy law and the FTC is the principle federal agency charged with protecting financial and children’s privacy, investigating breaches of data security and identity theft, and implementing laws and regulations for the credit reporting industry. For the past decade, the agency has required online companies to follow certain Fair Information Practices (primarily notice and choice about data collection) and used its enforcement powers to go after firms that fail to abide by the promises embedded in their privacy statements. The FTC also focuses on protecting consumers against specific harms such as online stalking, identity theft, and spam. Chairman Leibowitz conceded that these approaches "haven't worked quite as well as we would have liked," and hence that the agency needs to consider new ways to enforce privacy standards that are "better for consumers and fair to businesses as well." For the first time in many years, Congress is also contemplating comprehensive privacy legislation.

Rubinstein’s panel focused on the adequacy of existing legal and self-regulatory frameworks. While panelists representing consumer groups called for new federal legislation that would reflect not only notice and choice principles but the full range of Fair Information Practices, including data quality, purpose specification, use limitation and consumer access to collected data, industry representatives defended the self-regulatory approach, especially as to emerging practices such as online behavioral advertising.

Rather than attacking or defending self-regulation, Rubinstein pointed out that there are various models of self-regulation, which mainly differ as to the role of government in setting requirements, approving guidelines, and imposing sanctions for non-compliance. He briefly discussed three case studies of voluntary privacy codes that he conducted from which he concluded that the most effective approach was based on “co-regulation.” In this approach, industry enjoys considerable scope in shaping self-regulatory guidelines, but the government retains general oversight authority to approve and enforce these guidelines. Rubinstein supported comprehensive federal privacy legislation but strongly recommended that Congress follow the co-regulatory model. He also proposed that Congress take advantage of innovations derived from environmental policy instruments such as the covenanting approach, in which a multi-stakeholder group attempts to hammer out an agreement that all parties—government, industry, and advocates—view as superior to agency rulemaking; and a performance-based approach to regulatory benefits and burdens, in which top-performing firms are treated more favorably than average performers. Rubinstein specifically recommended that new privacy legislation allow civil actions and liquidated damages awards against firms that violated Fair Information Practices and did not participate in an approved self-regulatory program, whereas firms that complied with FTC-approved self-regulatory guidelines would not only enjoy a safe harbor in any enforcement action but exempt program participants from civil law suits and monetary penalties.

A webcast of the panel is available here (for Rubinstein’s remarks, fast forward to 43:00).

Posted December 22, 2009