In April 2018, Facebook said that up to 87 million users' personal data may have been improperly disclosed. This was one of many recent Internet privacy incidents.
We found that there is no comprehensive U.S. Internet privacy law governing private companies’ collection, use, or sale of users’ data. Consumer advocates and others told us greater regulatory powers are needed. Most industry representatives we interviewed favored the current enforcement approach and warned that regulations could hinder innovation.
We recommended that Congress consider developing comprehensive Internet privacy legislation to better protect consumers.
Photo of website source code.
What GAO Found
The United States does not have a comprehensive Internet privacy law governing the collection, use, and sale or other disclosure of consumers' personal information. At the federal level, the Federal Trade Commission (FTC) currently has the lead in overseeing Internet privacy, using its statutory authority under the FTC Act to protect consumers from unfair and deceptive trade practices. However, to date FTC has not issued regulations for Internet privacy other than those protecting financial privacy and the Internet privacy of children, which were required by law. For FTC Act violations, FTC may promulgate regulations but is required to use procedures that differ from traditional notice-and-comment processes and that FTC staff said add time and complexity.
In the last decade, FTC has filed 101 enforcement actions regarding Internet privacy; nearly all actions resulted in settlement agreements requiring action by the companies. In most of these cases, FTC did not levy civil penalties because it lacked such authority for those particular violations. The Federal Communications Commission (FCC) has had a limited role in overseeing Internet privacy. From 2015 to 2017, FCC asserted jurisdiction over the privacy practices of Internet service providers. In 2016, FCC promulgated privacy rules for Internet service providers that Congress later repealed. FTC resumed privacy oversight of Internet service providers in June 2018.
Stakeholders GAO interviewed had varied views on the current Internet privacy enforcement approach and how it could be enhanced. Most Internet industry stakeholders said they favored FTC's current approach—direct enforcement of its unfair and deceptive practices statutory authority, rather than promulgating and enforcing regulations implementing that authority. These stakeholders said that the current approach allows for flexibility and that regulations could hinder innovation. Other stakeholders, including consumer advocates and most former FTC and FCC commissioners GAO interviewed, favored having FTC issue and enforce regulations. Some stakeholders said a new data-protection agency was needed to oversee consumer privacy. Stakeholders identified three main areas in which Internet privacy oversight could be enhanced:
- Statute. Some stakeholders told GAO that an overarching Internet privacy statute could enhance consumer protection by clearly articulating to consumers, industry, and agencies what behaviors are prohibited.
- Rulemaking . Some stakeholders said that regulations can provide clarity, enforcement fairness, and flexibility. Officials from two other consumer protection agencies said their rulemaking authority assists in their oversight efforts and works together with enforcement actions.
- Civil penalty authority. Some stakeholders said FTC's Internet privacy enforcement could be more effective with authority to levy civil penalties for first-time violations of the FTC Act.
Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy.
Why GAO Did This Study
In April 2018, Facebook disclosed that a Cambridge University researcher may have improperly shared the data of up to 87 million of its users with a political consulting firm. This disclosure followed other recent incidents involving the misuse of consumers' personal information from the Internet, which is used by about three-quarters of Americans. GAO was asked to review federal oversight of Internet privacy. This report addresses, among other objectives: (1) how FTC and FCC have overseen consumers' Internet privacy and (2) selected stakeholders' views on the strengths and limitations of how Internet privacy currently is overseen and how, if it all, this approach could be enhanced.
GAO evaluated FTC and FCC Internet privacy enforcement actions and authorities and interviewed representatives from industry, consumer advocacy groups, and academia; FTC and FCC staff; former FTC and FCC commissioners; and officials from other federal oversight agencies. Industry stakeholders were selected to represent different sectors, and academics were selected because of their expertise in privacy, consumer protection, and regulatory issues.
Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment. Issues that should be considered include what authorities agencies should have in order to oversee Internet privacy, including appropriate rulemaking authority.
Recommendations for Executive Action
|Congress||Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment. Issues that should be considered include: (1) which agency or agencies should oversee Internet privacy; (2) what authorities an agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority; and (3) how to balance consumers' need for Internet privacy with industry's ability to provide services and innovate.||