Rulemaking and its Discontents: Moving From Principle to Practice in Federal Privacy Legislation

We are gratified to see intensified commitment to enacting privacy legislation at the federal and state levels. Of course, the most important questions surrounding privacy legislation involve the substantive rights actually granted to individuals. In addition, there are a number of procedural questions that will be critical to both the policy success and political viability of any piece of legislation put forward, including federal preemption, private rights of action, and the scope of rulemaking authority. When the two of us were framing the 2012 White House Consumer Privacy Bill of Rights, rulemaking authority for the Federal Trade Commission was not part of the proposal. In part, this was a function of the politically possible. The legacy of “kidvid”—1970s regulations limiting children’s TV advertising that led Congress to clip the agency’s rulemaking power—still casts a shadow decades later and even companies and conservative lawmakers that might have supported the bill of rights would have opposed it if it included rulemaking.

Leaving out rulemaking from the privacy bill of rights was also a substantive choice. The proposal aimed to provide meaningful privacy protection by articulating clear rights for individuals and obligations for businesses. At the same time, it sought to allow flexibility and innovation by articulating broad principles instead of technically prescriptive rules. The bill of rights also reflected our view that traditional notice-and-comment rulemaking is a cumbersome tool for an issue that shifts rapidly with changes in technology, uses of data, and the innumerable variations in the context in which that data is shared.