FTC Commissioner Noah Phillips recently spoke at the Internet Governance Forum in Washington, D.C. about potential negative consequences surrounding rapidly expanding national and international privacy regulations.  As his prepared remarks indicate his desire that proponents of new privacy regulations ask themselves if they are willing to allow a reduction in competition or innovation.

“I want today to register my concern that laws and regulations intended to promote privacy may build protective moats around large companies (some of which already possess significant amounts of data about people) by making it more difficult for smaller companies to grow, for new companies to enter the market and for innovation to occur—and insist that competition be part of our conversation about privacy,” Phillips stated.

Phillips also stated that “Joe Simons, Chairman of the FTC, put it this way in testimony last week—… ‘if you do privacy in the wrong way . . . , you might end up reducing competition. You might create a situation in which you entrench the large tech platforms . . . and make it very difficult for . . . new entrants and smaller firms to get the attention of the consumers that they’re trying to reach.’ ”

“If our concern is warranted, the questions for proponents of new privacy rules then must include: Are we willing to allow a reduction in competition or innovation? What competitive price are we willing to pay for greater privacy protection?  Are we willing, for instance, to allow the biggest technology companies—lately the focal points of discussion about both privacy and competition—to entrench further?”

The FTC has long been the federal agency with primary responsibility for and experience in privacy policy and enforcement.  The FTC has significant enforcement authorityacross a variety of commercial privacy areas.  In the U.S. there exists a risk-based approach that focuses privacy and security rules on the sectors of the economy where Congress has determined such rules are most needed.  Even within those sectors, according to Phillips, “our approach recognizes that all entities are not the same, and, in many cases, the law explicitly permits different types of protections based on the size of the entity, the data being protected, and the like.”

“The United States’ risk-based approach imposes the greatest costs on businesses at the points where our democratic process has determined the greatest privacy need exists, limiting such costs where the need is less.  So, while we may argue about whether the risks are being appropriately evaluated, whether ‘leveling the playing field’ among firms doing different things with different kinds of data makes sense, or whether the quantity and quality of data being collected today ought to change our approach, we should not be confused about whether the American approach to privacy is deliberate or sensible.”

The American approach stands in contrast to the privacy regime now in place in Europe, and the California Consumer Privacy Act set to become effective in California in 2020.  Fundamentally, these regimes require everybody to adhere to one set of standards (and one set of costs) that apply to all online entities—regardless of size, regardless of service, regardless of risk.

Phillips’ remarks addressed the cost of such an approach to privacy.

“By their nature, regulatory regimes create compliance costs that are durable and may become more onerous over time.  These are what economists call “economies of scale,” costs that large companies can bear more easily than their smaller competitors or new entrants … As Mark Zuckerberg told Congress, ‘I think, a lot of times, regulation, by definition, puts in place rules that a company that is larger, that has resources like ours, can easily comply with, but that might be more difficult for a smaller start-up to comply with.’  I should note that, in the same testimony, he signaled his openness to additional regulation. While we may want to protect privacy in new ways, we do not want the regulatory burden to be so onerous that it excludes potential market entrants or inhibits innovation; at the very least, we need an honest discussion about the costs and benefits.”

Phillips remarked that the General Data Protection Regulation represents an expression in law of their view that the protection of personal data is a fundamental right. His concern is that “early signs point to precisely the effects on competition that I fear.  According to the Wall Street Journal, when the European Union’s justice commissioner met with large technology companies prior to implementation, instead of hearing the complaints she reportedly expected, the companies told her that they would be compliant.  She explained: ‘They have the money, an army of lawyers, an army of technicians and so on.’  Facebook, for example, ‘mobilized hundreds of people in what it describes as the largest interdepartmental team it has ever assembled.’  Jedidiah Yueh wrote in Forbes: ‘[i]ronically, big tech companies such as Facebook, Amazon, Apple and Google benefit from a silver lining when it comes to being regulated—what hurts their competitors more only makes them stronger.’  That’s not ironic—it’s economic, exactly how economies of scale work. Resources devoted to compliance can be scaled, and could have been spent on innovation, wages, and so on.”

“The upshot is that, as we consider the potential benefits of new privacy protection, we must consider the costs, too: on competition and innovation.  The GDPR provides us with a great opportunity to see how a large-scale privacy regime works in practice, and for us in the United States to learn from Europe’s experience,” Phillips stated.  “We don’t yet know the answer.  About the American risk-based approach, however, we can say one thing for certain already: It has both targeted the areas of greatest privacy need and still permitted a tremendous amount of innovation.”

To read all of Phillips’ prepared remarks, click here.

Contact an FTC defense lawyer to discuss privacy and data security trends that impact the interactive advertising community.

Richard B. Newman is an advertising and privacy law compliance attorney at Hinch Newman LLP.  

ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.