FTC's 'Mag-Moss' rulemaking authority could break logjam on US privacy legislation

A regulatory process the US Federal Trade Commission hasn’t fully used since the early 1980s when a wave of deregulation took hold in Washington is increasingly likely to be resurrected by the agency in a bid to set baseline privacy and data security rules for the US.

For years, Republican and Democratic members of the FTC have been urging Congress to pass a federal privacy bill. But with little indication the dysfunctional US legislature will get there in the next few years, a bipartisan majority of current commissioners has concluded the agency could move forward with privacy rulemaking under the FTC’s Magnuson-Moss authority, a regulatory tool the FTC has largely abandoned for the past 40 years.

“It is not an optimal solution; it’s not even a second- or third-best solution, but in the absence of congressional action, and with continuing harm, maybe this is a path to consider,” Christine Wilson, a Republican member of the FTC who recently concluded she could back Mag-Moss, told MLex.

The two Democratic members of the FTC, acting Chair Rebecca Kelly Slaughter and Rohit Chopra, are on record as supporting an FTC launch of Mag-Moss rulemaking for consumer data privacy in the absence of legislation from Congress. Slaughter has been particularly vocal about her support of Mag-Moss rulemaking since 2019, a strategy that would fit with her vision of a more activist role for the FTC.

If Slaughter is selected by President Joe Biden to become the permanent chair, the odds of the FTC moving forward on Mag-Moss will increase significantly. But the support of Wilson, a conservative who believes strongly in the supremacy of the market over government regulation, is potentially as significant for potential Mag-Moss rulemaking on privacy. The FTC and Slaughter’s office declined to comment.

— Increasingly vocal —

During the Covid-19 pandemic, Wilson has become increasingly vocal about the threat she sees to American civil liberties as pressure has ramped up to exploit user data to fight the pandemic and for law enforcement. Meanwhile, the pervasive nature of commercial data collection about consumers, Wilson told MLex in an interview, has made it impossible for US consumers to make reasoned judgments about the degree to which they are willing to share their data in exchange for digital services.

“It is a significant issue, because consumers have no real idea of the volume of information collected from them, how that information is used and how it is sold and monetized," Wilson told MLex in an interview. "They have no transparency. It is an information asymmetry.”

That, Wilson has concluded, is a market failure that can’t be corrected without regulation. She is particularly concerned that the growing pressure to collect more data will undermine the expectation of privacy that is the foundation of protections in the US Constitution’s Fourth Amendment against unreasonable search and seizures.

“Our civil liberties are what used to set this country apart from all other countries,” Wilson said. But as she saw consumer data collection ramping up during the pandemic, she became increasingly concerned and more vocal about the need for privacy legislation. Very recently, in the absence of congressional action, “I began to think maybe Mag-Moss is a route we should explore,” Wilson said. “It is a significant undertaking, but maybe we should begin the process and begin collecting information from stakeholders.”

A fourth member of the FTC, Republican Noah Phillips, said the commission should stay out of Congress' way in legislating privacy rules. “The path forward on consumer privacy involves important value judgments and tradeoffs properly left to Congress,” Phillips told MLex. “The FTC is the world’s leading privacy enforcer today, and we will enforce whatever privacy law Congress adopts; but we are not a legislature.”

Wilson has, in testimony before Congress, been skeptical of the FTC beginning its own privacy rulemaking process on privacy. But as she focused increasingly on the privacy issue over the past year, her writings have marked her growing concern that the lack of privacy rules for the US could lead to Fourth Amendment protections being “eviscerated.” She first publicly discussed the possibility of supporting a Mag-Moss process for privacy last month.

“The reason I care so deeply about this is the ever-increasing infringement on our civil liberties,” she told MLex.

As more states enact privacy laws — Virginia followed California last week to enact baseline privacy legislation, and other states are considering legislation  — Congress is likely to feel increasing pressure from the tech industry and other companies to pass a privacy bill to avoid a patchwork of state privacy rules. FTC Magnuson-Moss rulemaking would open a second front that would likely ratchet up the pressure on Congress to act on privacy legislation, even if a Mag-Moss process is never completed.

— Forsaken process —

The FTC rulemaking process set out under the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act of 1975, and under the Federal Trade Commission Improvements Act of 1980, is as numbingly bureaucratic as the names of those laws would suggest.

It sets out a quasi-adjudicative process in which the FTC acts as a kind of legislator in imposing trade practice rules that interpret its authority to prohibit “deceptive” or “unfair” acts. No one, including legal scholars who study Mag-Moss, knows how long it might take if the FTC decided to launch Mag-Moss rulemaking on privacy. But it would certainly play out over multiple years.

The FTC has fully completed just seven Mag-Moss rulemaking efforts since the 1975 law was passed, and the average time to complete those efforts was 2,035 days, or nearly six years, according to research by Jeffrey Lubbers, an administrative law professor at the American University law school.

“The history of the FTC’s rulemaking since Mag-Moss has been required shows that it’s been unworkable,” Lubbers said.

But new thinking within the FTC suggests Slaughter and other Mag-Moss proponents believe they could not only resurrect Mag-Moss but also streamline it, so it could be completed more quickly and cleanly. The FTC abandoned Mag-Moss rulemaking in the 1980s, their thinking goes, because of the deregulatory agenda of President Ronald Reagan, not because it was inherently unworkable.

Former FTC Chairman Jim Miller, who helmed the agency during Reagan’s first term between 1981 and 1985, wrote the transition memo as Reagan took office finding that FTC rulemaking at that time was “misguided,” “overly aggressive,” and “counterproductive,” according to research by Kurt Walters, a research fellow for Slaughter in 2019. Not surprisingly, the FTC did not launch any Mag-Moss rulemaking under Miller’s leadership or during the rest of the Reagan administration.

The early 1980s was a traumatic time for the FTC, which had its staff slashed under Reagan after it came under attack for its activist stance in the late 1970s, when it was labeled a “national nanny” by the press for trying to regulate issues such as children’s television ads.

Many inside and outside the agency believe the FTC has never fully recovered its regulatory mojo in the intervening decades. Walters, who said he was speaking independently and not on behalf of the FTC, believes Magnusson-Moss could be one way for the agency to take the initiative on privacy, and his research paper on the process has been making the rounds within the FTC.

Other federal agencies empowered by Congress to undertake rulemaking follow the Administrative Procedure Act, a shorter process. But Walters, who went on to work on the House antitrust subcommittee’s report on Big Tech companies after his work with the FTC, argues Congress in the 1970s intended Magnuson-Moss to bolster the regulatory activity of the FTC, not saddle the agency with an unworkable rulemaking process.

The Mag-Moss process “has a really wide scope in terms of what issues it could cover. [The FTC] could take several steps to streamline the process and make sure the process is efficient and effective.”

— Prognosis —

Other factors could short-circuit the process. Chopra will be leaving the FTC to lead the US Consumer Financial Protection Bureau. Chopra’s replacement, or a third Democrat who is slated to be appointed to the FTC to replace outgoing Chairman Joseph Simons, could be more sympathetic to industry concerns and less worried about privacy.

It could be summer, or even fall, before the Biden administration finalizes its nominations to decide whether Slaughter becomes the permanent chair, and to fill the other two  FTC seats. Evidence that Congress is gaining traction on privacy legislation would also likely torpedo a Mag-Moss rulemaking.

If the FTC were to launch a Mag-Moss process, however, there are a range of significant privacy options it might regulate.

On the less groundbreaking side, the FTC could use Mag-Moss to clarify a circuit split between federal appeals courts on data breaches. In that split, deepened in a recent decision by the US Court of Appeals for the Eleventh Circuit, some courts have found that the impending risk of a consumer having her identity stolen or other fraud confers standing to sue, while the Eleventh Circuit and other courts say the risk of future harm is insufficient to confer Article III standing.

The FTC also has a data security problem over another Eleventh Circuit decision: the court’s 2018 ruling in the FTC’s case against LabMD over the agency’s order to implement a "reasonable" data security program — a requirement the appeals court said is too vague to be enforceable.

If it wanted to be more ambitious, the FTC might seek to put limits on cross-device tracking, or to place restrictions on third-party sharing of data. The FTC might use Mag-Moss to prohibit currently legal but potentially harmful practices, such as the sharing of personal data that allows data brokers to sell lists of people who suffer from Alzheimer’s Disease or have other health problems.

At its most ambitious, the F TC could use Mag-Moss rulemaking to prohibit specific problematic practices in areas of emerging technology, such as facial recognition, biometric data and virtual reality.

Launching such a process would require the FTC to issue a formal advance notice of proposed rulemaking, followed by a notice of proposed rulemaking; to hold a mandatory oral hearing; to designate issues of material fact with opportunities for cross-examination by groups affected by the proposed rule; and to write a staff report and recommendation to the commission on the rulemaking record — all followed by publication in the Federal Register and a comment period of at least 60 days.

The FTC would also have to produce a detailed regulatory analysis of the final rule, including a description of alternatives and its projected benefits. The process also includes special judicial review for groups to go to court to pursue claims that the FTC didn’t fully consider disputed issues of material fact around the proposed rule.

But as Slaughter, and more recently Wilson, have noted, the US has been waiting for a long time for Congress to pass federal privacy legislation.

“The worst-case scenario here is not that a Mag-Moss rulemaking takes years to complete,” Slaughter said last year. “The worst-case scenario is that years from now, Congress has still not acted and the FTC has still not begun.”