
BEFORE THE FEDERAL TRADE COMMISSION.

Petition for Rulemaking on
Privacy Policies and Safeguards
For Social Media and Internet Interaction Sites (SMIIS).

Date: April 5, 2011

The petitioner, Charles Lee Thomason, is an “interested person” who, pursuant to
5 U.S.C. §553(e), petitions the Federal Trade Commission to institute rulemaking, and to
develop an administrative record supporting “issuance” of rules respecting the privacy
policies applicable to operators of social media and internet interaction sites (SMIIS).
This petition is made pursuant to 16 C.F.R. §1.9, et seq., and the agency protocols that
pertain to the rulemaking mandate of the FTC.
This year, the FTC has issued orders in two matters, imposing “comprehensive”
privacy protocols, with audits and extensive monitoring, on SMIIS.[1] 15 U.S.C.A. § 57a.[2]
In those matters, practically identical measures are mandated in Part II of the Twitter
order and in Part III of the Google Buzz order (one does use the shorthand term “covered
information” while the consonant term “nonpublic consumer information” is used in the
latter). The record from those two matters should provide a starting point to develop the
administrative record for the requested rulemaking.
Petitioner requests that the rulemaking (A) assess the linkage, if any, between the
privacy policies commonly offered by SMIIS, and (i) the imposition of privacy, audit,
and related safeguards that were developed for the financial services industry, and/or (ii)
the imposition of more and more definite disclosures in privacy policies offered to SMIIS
users; and, (B) develop an administrative record, after notice and public comment, to
determine what substantial evidence exists to articulate clear and uniform trade regulation
standards for privacy policies and protocols for SMIIS users and operators.
Interest of the Petitioner.
The petitioner is interested in the promulgation of clear and appropriate trade
regulation rules, based on a rulemaking record, after notice and comment. Petitioner is a
practicing, registered patent attorney who deals with technology law and with client
business models that operate in the SMIIS sector of commerce. Also, petitioner is an
adjunct professor of law, who endeavors to keep apprised of changes in internet privacy
practices and norms that provoke changes in the application of existing laws. Further, the
petitioner is a user of Twitter (twitter[dot]com/SPATLAW), as well as a user of the
Google Gmail service (c.leethomason[at]gmail[dot]com), and was offered the Google
Buzz service when it was launched. Twitter and Google Buzz are the SMIIS services
subject to the two recent orders, and a substantial cause for this rulemaking petition.

[1] In the Matter of Twitter, FTC File No. 092 3093, 2011 WL 914034, and In the Matter of Google,
FTC File No. 102 3136,
[2] 15 U.S.C.A. § 57a (b)(3)(A), the agency shall institute a rulemaking regarding unfair or deceptive
practices that are “prevalent,” and one measure of that is the agency's issuance of orders “regarding such
practices or acts.”

Development of an Administrative Record, Leading to Issuance of Rules is Proper.
Rulemaking should be commenced before the FTC continues to mandate
standards, protocols, and audits for SMIIS operators, which are co-extensive with the
data protection standards that the agency legally may impose on financial institutions and
those companies handling financial transactions and payment card transactions. The
requested rulemaking would address the appropriateness of the mandates, and do so in
the broader context of SMIIS privacy concerns, and too, rulemaking would air out the
doubts as to the agency imposing such stringent mandates on an ad hoc basis.
The mandates ordered in the Twitter matter, as well as the Google Buzz matter,
are the same as, or are coequal to those in FTC decrees with companies that plainly are
subject to the Gramm-Leach-Bliley requirements, e.g., 16 C.F.R. Part 313. FTC clearly
has authority, for example, over the “acts or practices by banks, savings and loan
institutions,” per 15 U.S.C. §57a(f). However, whether the FTC should impose the
equivalent mandates on SMIIS and non-financial operations is not free from doubts.
For FTC to engraft these administrative, technical, and physical safeguard
requirements, appropriate to highly-regulated financial services companies, onto the
operators of SMIIS may amount to de facto rulemaking done outside the bounds of the
APA. An agency cannot “create de facto a new regulation.” Christensen v. Harris
County, 529 U.S. 576, 588 (2000). Before the same data protection mandates can be
imposed on SMIIS and their operators, the FTC should institute rulemaking and “give
interested persons an opportunity to participate in the rule making through submission of
written data, views, or arguments.” 5 U.S.C. § 553(c).
The announcement of the mandates in the Google Buzz order noted that it was the
“first time” that the FTC “has required a company to implement a comprehensive privacy
program to protect the privacy of consumers’ information.” That may or may not give
due regard to the similarities between the Twitter decree and the Google Buzz decrees[3]
and too, the Google Buzz order may take steps beyond what the Twitter order required.[4]
Certainly the remarks about both orders underscore the appropriateness of rulemaking to
establish, on a full administrative record, rules and agency guidances, which may be
appropriate to published privacy policies and to advertised measures respecting the
technical safeguards and business practices for privacy in the SMIIS industry sector.
The FTC Improvements Act authorizes the Commission to issue trade regulation
rules which define unfair or deceptive acts or practices in or affecting commerce, but
within statutory constraints. 15 U.S.C. § 57a(1)(B). The statutory mission of the FTC
and its general jurisdiction has limits, and the agency “is constrained by its congressional
mandate.” F.C.C. v. Fox Television Stations, Inc. 556 U.S. ___ , 129 S.Ct. 1800, 1826
(2009) J. Stevens, dissenting.

[3] As stated in the FTC’s summary, “Part II of the proposed order requires Twitter to establish and
maintain a comprehensive information security program in writing that is reasonably designed to protect
the security, privacy, confidentiality, and integrity of nonpublic consumer information.”
[4] The agency denominated the Twitter order as a “milestone” of the FTC, calling it the “First data
security case involving social media.”

The FTC orders mandating that Google and Twitter, which are not financial
institutions, implement the equivalent operational safeguards, audits, and data protection
requirements appropriate to regulated companies that handle payment card information
and financial data, hereafter should be based on FTC rulemaking instead of enforcement
discretion.[5] In the normal course, for an agency to impose “comprehensive” privacy
requirements, broadly on all sorts of non-financial and non-healthcare businesses, would
require a rulemaking process. The results and rules as to SMIIS would be grounded on
an administrative record, which together would be reviewable as agency action.
The administrative, technical and physical safeguard requirements that implement
Gramm-Leach-Bliley requirements in 16 C.F.R. Part 313 were duly promulgated, based
on an administrative record that supports the rationale for imposing those requirements
on financial institutions. 65 Fed. Reg. 33646 (May 24, 2000). No rulemaking and no
administrative record support the imposition of coequal privacy requirements on SMIIS.
Rulemaking provides the platform for an objective, open forum that collects the
varying viewpoints of stakeholders, the public, and the agency. That method of setting
the standards and the rules for privacy policies and protocols in the SMIIS sector is to be
preferred over single-case, enforcement and settlement driven, consent orders.
Utility of a Comprehensive Rule on Privacy Policies and Protocols.
Certainty in privacy policies, and clear direction about protection of personally
identifying data that SMIIS collect and maintain, is highly desirable. Regularly, counsel
is sought about whether privacy policy language is compliant ‘with law.’ An informed
opinion will take recent FTC orders into account. Also, typical contracts for SMIIS
marketing include a provision that allocates risk and obligations for compliance with
privacy ‘laws’ generally. An established rule, instead of settlement-induced consent
decrees, would be useful to counsel and those tasked with enterprise risk management.
An informed reader of past FTC orders pertaining to SMIIS privacy policies and
procedures, as well as enterprise risk and privacy professionals, would conclude that the
mandates there define ‘best practices’ or at least the agency’s current viewpoints. Based
on those orders, wrought from enforcement activity rather than rulemaking, counsel’s
advices about privacy policies and security protocols for SMIIS business would be to
implement procedures that practically are as stringent. In the alternative, some may
counsel that making privacy policies more vague or less binding might limit the sort of
liability and transactional costs that were faced by Twitter and Google Buzz.[6]
The fair and worthwhile approach for establishing trade regulation rules and
agency guidances is rulemaking. The SMIIS sector is ever-expanding, and the need for
effective disclosure of appropriate privacy standards is what was a provoking cause of the
two recent orders, and also, a compelling rationale to institute the process of rulemaking.

[5] In place of applying rules, based on a rulemaking procedure, the “FTC’s harm-based approach
...has limitations ...it focuses on a narrow set of privacy-related harms – those that cause physical or
economic injury or unwarranted intrusion into consumers’ daily lives.” "PROTECTING CONSUMER PRIVACY
IN AN ERA OF RAPID CHANGE," Preliminary FTC Staff Report, Dec. 2010, pg. 20.
[6] Ibid. “Privacy policies have become longer, more complex, and, in too many instances,
incomprehensible to consumers.” Pg. 19.

In the event that the “petition is not deemed by the Commission sufficient to
warrant commencement of a rulemaking proceeding,” then pursuant to 16 C.F.R. §1.9,
the petitioner requests being “given an opportunity to submit additional data.”

This petition to institute rulemaking regarding the privacy policies and safeguards
that are appropriate to users and operators of SMIIS is respectfully submitted. The
undersigned petitioner is willing to assist with the process, and may be contacted at (502)
349-7227, for more information.

Respectfully submitted,

~S ~
Lee Thomason
