The FTC needs a reminder that it’s a regulator, not a legislator

When Lina Khan took over as chair of the Federal Trade Commission last year, she described her vision for the agency as “shap[ing] the distribution of power and opportunity across our economy.” Based on the FTC’s most recent move to impose a national data privacy regime, it seems the agency doesn’t intend for its powers to be constrained by Congress or the Supreme Court.

The U.S. Chamber has advocated for years for a clear and truly national privacy framework that protects all Americans’ data equally and provides well-defined rules of the road to all companies and organizations. However, Congress, not unelected bureaucrats, must decide how new data privacy rules should be crafted.

For starters, Congress, which is currently debating a national data privacy bill, has never given the FTC the authority to broadly regulate how businesses collect, use, share, advertise, analyze or secure data. This is exactly why no prior FTC chair — Republican or Democratic — has tried to pursue such expansive regulations.

In fact, the chair wrote in her statement of support that “[i]f Congress passes strong federal privacy legislation … then the Commission would be able to reassess,” thus acknowledging that Congress has not authorized this kind of sweeping regulation. When the FTC has acted before in limited areas such as children’s online privacy and data security for financial institutions it was because Congress specifically authorized the FTC to do so.

Perhaps Khan thinks that the authority of the FTC to impose a national data privacy and security regulation is a gray area, subject to interpretation. Such a belief, however, flies in the face of a recent 6-3 Supreme Court decision in West Virginia v. EPA that made clear that absent a clear delegation of authority by Congress, regulatory agencies do not have the power on their own to write policy on “major questions” of vast economic and political significance. It is hard to think of a policy area with broader or greater economic impact than the regulation of personal data. 

What harm could come from the FTC attempting to regulate data privacy? One of the things we have learned from data privacy debates in Congress and now multiple state legislatures is that there are significant trade-offs involved and real risks of unintended consequences.

Most Americans today enjoy the benefits of customer loyalty programs, earning discounts or other rewards based on their shopping history. These programs rely on the use of consumer data. When California passed its original data privacy bill, the anti-discrimination provisions essentially outlawed loyalty programs. The legislature has had to revisit the issue, but legal uncertainty remains.

Regulations intended to hit big businesses often boomerang on small businesses. According to a new study by the U.S. Chamber, 80 percent of small businesses that use technology believe that limiting their access to data, as the FTC could potentially do, would harm their business operations. Nearly that same number said that technology platforms enable them to compete with larger companies. And these are the same small businesses that contribute almost $17 trillion to the U.S. economy each year.  

In the proposed privacy rulemaking, the FTC also considers whether it should limit the use of targeted advertising, a practice that three-quarters of Americans say they prefer. The commission even acknowledges that the shift away from targeted advertising would “have notable collateral consequences for companies that have come to rely on third-party advertising.” 

It isn’t just the complicated trade-offs the FTC is ill-equipped to resolve. Absent specific direction by Congress, any regulatory effort is certain to be challenged in court. Years of litigation will create more uncertainty for consumers and businesses alike. And of course, any regulation written by one administration can be rewritten by the next one.

FTC Commissioner Noah Phillips in a dissenting statement got it right when he noted that all this rulemaking would accomplish is to “recast the Commission as a legislature, with virtually limitless rulemaking authority where personal data are concerned.” 

The commission should think twice before attempting to remake the American economy without the approval of the people’s representatives in Congress. And if they don’t, the chamber will see them in court.