WASHINGTON D.C. — Today, the FTC released a report recommending “best practices” around privacy and data security for the “Internet of Things” — connected smart home devices, smart cars and the like. The report echoes so-called “recommendations” made by the FTC in other reports since 2010. Commissioner Josh Wright dissented, lamenting that “‘security by design’ and other privacy-related catchphrases … do not appear to contain any meaningful analytical content.” Commissioner Ohlhausen concurred but objected to the report’s call for baseline privacy legislation and embrace of data minimization, which she called a “precautionary principle.”

“At best, this is just another exercise in Workshop Theater; at worst, the FTC is trying to regulate the Internet of Things by stealth,” said TechFreedom President Berin Szoka. “We’ve been down this road before: In 1980, a heavily Democratic Congress twice tried to rein in the FTC’s Naderite regulatory spree. Now, the FTC is effectively circumventing those constraints, using workshop reports as de facto regulations.”

“This report pays only lip service to meaningful cost-benefit analysis,” said Geoffrey Manne, Executive Director of the International Center for Law & Economics. “The Internet of Things is a nascent and fast-evolving area. To make specific recommendations on the basis of little more than staff impressions of cherry-picked comments about theoretical harms from a one-day workshop — without undertaking any real analysis of any meaningful data — amounts to regulatory malpractice. The FTC has a wealth of economics expertise in-house, which the Bureau of Consumer Protection willfully ignores. Before recommending anything, the FTC needs to consider not only the enormous benefits of the Internet of Things, but, more importantly, whether the consumer benefits of any ‘recommendation’ outweigh its costs on the margin. That’s regulatory economics 101.”

“Since 2010, we’ve seen a radical change: The purpose of FTC workshop reports is no longer to produce a better understanding of complex consumer protection issues,” concluded Szoka. “Instead, the Chairman and a small number of FTC staffers now seek to use workshop reports to put the agency’s institutional weight behind their own agenda, which is driven more by a neo-Naderite ideology than rigorous analysis.”


  • In the 1970s, the FTC ran amuck, trying to ban advertising to kids and micromanage everything from funeral homes to labor practices.
  • In 1980, a heavily Democratic Congress required the FTC to build a rigorous record before regulating, and to constrain its vast ‘unfairness’ authority through cost-benefit analysis.
  • Since 2010, the FTC has increasingly tried to convert its ‘recommendations’ into regulations in two ways:
    • Baking them into the consent decrees the FTC extracts from companies that don’t want to undergo the ordeal of fighting the agency.
    • Claiming that violations of recommendations made in a workshop report can trigger liability under Section 5 of the FTC Act: most notably, its complaint against LabMD rests in part on the FTC’s 2005 staff report about peer-to-peer file sharing.
  • Until 2010, FTC reports attempted to synthesize a complex record, which helped inform everyone’s understanding of evolving technologies and business practices, their benefits, and the consumer protection concerns they raise. Occasionally, an FTC report would recommend legislation — but never the kinds of sweeping ‘recommendations’ to private companies that have become commonplace since the FTC’s 2010 staff privacy report.
    • For example, a 2005 staff report on peer-to-peer file-sharing made only short, high-level suggestions to industry.
    • In May 2014, in a series of footnotes, Commissioner Wright objected to the FTC’s Data Broker Report making a series of legislative recommendations without adequate basis.

Szoka and Manne are available for comment at media@techfreedom.org, and see our other work on Big Data and FTC reform, especially: