In January 2015, the Federal Trade Commission (“FTC” or “Commission” or “agency”) issued a series of best practices on a very novel phenomenon, the Internet of Things (“IoT”). For example, the Commission informed companies that they should implement “security by design” by building security into their products at the outset as companies design their products. (Federal Trade Commission, 2015). The Commission also pronounced that companies should delete data after the data served its purpose in order to mitigate the harm associate with a data breach. Similar best practices span across various industries and businesses that the FTC regulates. (Federal Trade Commission, 2015). The FTC is not the only government agency that has been engaging in this new approach to rulemaking. In fact, “regulation through best practices has increased sevenfold in the past ten years in the federal government alone, touching every aspect of administrative law” (Zaring, 2006).
As a new form of administrative action, best practices represent a recommended set of goals that an organization should seek to meet (Robbins, 2009). At first look, best practices seem like a benign form of interaction between the agencies and the entities at which best practices are aimed at. They appear to be a form of advice from the regulating agencies when compared to a set of rules and regulations that result into fines and penalties if not complied with (Zaring, 2006). However, a further inquiry reveals that best practices often fall short of the ideal, and carry a number of potential detriments to customers and businesses (Zaring, 2006).
This Article examines the underlying legal authority behind best practices as implemented by the FTC by discussing the Internet of Things Report, as a recent example of best-practice rulemaking by the FTC. This Article then demonstrates that the publication of the FTC’s best practices in the Internet of Things Workshop Report (“IoT Report” or “Report”) is an attempt to expand the Commission’s rulemaking authority by bypassing congressional authority (Federal Trade Commission, 2015). (Federal Trade Commission Act of 1914)
Established in 1914, and operating since 1916, the FTC was granted the authority to enhance the operations of the marketplace by policing unfair methods of competition (Federal Trade Commission Act of 1914). The rulemaking authority of the FTC falls under the broad categories of legislative rules and interpretative rules (Charles H. Koch, 1983). For most of its rulemaking history, the agency had relied on interpretive rules. However, in 1962 the agency began promulgating substantive rules, called the Trade Regulation Rules (“TRRs”), through its legislative rulemaking authority (Charles H. Koch, 1983). This newly exercised authority of the FTC was upheld by the District of Columbia Court of Appeals in National Petroleum Refiners Association v. FTC (National Petroleum Refiners Association v. FTC, 1974). Extensive lobbying by businesses to restrict the rulemaking authority of the FTC following the implementation of the TRRs has brought about a contrary effect in the years that follow (Charles H. Koch, 1983). In 1975, Congress enacted the Magnuson-Moss Warranty Act - Federal Trade Commission Improvement Act, which affirmed the legislative authority of the FTC (Pub. L. No. 93-637, 88 Stat. 2183, 1975). (Federal Trade Commission Act of 1914) The Magnuson-Moss rules specified that in order for the FTC to engage in rulemaking, it had to first engage in an industry-wide investigation, prepare draft staff reports, propose a rule, and engage in a series of public hearings, including cross-examination.
Throughout its history, the FTC has been criticized for its rulemaking activities, particularly by business (Charles H. Koch, 1983). Businesses have opposed the FTC’s power to sanction businesses that commit unfair or deceptive practices (Budnitz, 1997). Partly due to this opposition and sound criticism, and partly due to the burdensome process that the Magnuson-Moss Act required, the agency has generally halted a great deal of rulemaking (SellerBeware). Moreover, during Chairman Miller tenure, common law adjudication was favored over rulemaking, which also contributed to this inactivity in the area of rulemaking by the Commission (Budnitz, 1997).
However, in the recent years, the FTC has been given new rulemaking authority in specific subject matters. When Congress enacted the Children’s Online Privacy Protection Act (“COPPA”) in 1998, it explicitly provided the FTC with rulemaking authority. Similarly, the agency gained rulemaking authority in the areas granted by the Fair Credit Reporting Act and the Gramm-Leach Bliley Act. Nevertheless, the burdensome process of rulemaking created by the Magnuson-Moss Act causes the FTC to engage in very modest legislative rulemaking, and instead turn to other mechanism, mainly the industry guides, best practices, and recommendations (Solove, 2014).
Best practices, as well as recommendations, guidelines, workshops, and other informal, horizontal agency action are a new form of rulemaking. Horizontal agency actions refer to the phenomenon of multiple federal agencies interpreting and enforcing the same statute (Sharkey, 2013). For example, unfair and deceptive acts and practices are enforced by the Consumer Financial Protection Bureau, the FTC, the Officer of Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation (Sharkey, 2013). Although theoretically best practices are a voluntary way of coordinating horizontal administrative action for all agencies, in practice, agencies use this techniques to make rule that are not always voluntary, not always horizontal, and they do so without going through the formal rulemaking process (Zaring, 2006). When the FTC engages in best practice rulemaking, it often times does not follow the requirements established by the Magnuson-Moss Act.
One such instance of the FTC’s best practice rulemaking occurred when the agency published the IoT Report in 2015. The IoT refers to “the ability of everyday objects to connect to the Internet and to send and receive data” (Federal Trade Commission, 2015). Examples include home automation systems that can be programmed remotely such that it turns on the air conditioner fifteen minutes prior to the homeowner’s arrival, or Internet-connected cameras that allow a person to post their pictures online with a single click, among others. The IoT Report is a compilation of the FTC staff’s views and recommendations for best practices in the areas of security, notice and choice, data minimization, and legislation (Federal Trade Commission, 2015). Because the Commission’s staff did not believe that the privacy and security risks should be addressed through a specific legislation at that time, they published the IoT Report (Federal Trade Commission, 2015). In this Report, the FTC pledged to engage in the following initiatives (1) law enforcement, (2) consumer and business education, (3) participation in multi-stakeholder groups, and (4) advocacy. The Commission voted 4-1 to issue the IoT report, with Commissioner Wright dissenting (Federal Trade Commission, 2015). Commissioner Ohlhausen wrote a separate concurring statement, and Commissioner Wright issued a dissenting statement. Commissioner Ohlhausen did not concur with the par of the IoT Report that recommended that companies delete valuable data to avoid hypothetical future harms (Ohlhausen, 2015). She reasoned that such broad-based privacy legislation can be overly prescriptive (Ohlhausen, 2015). Commissioner Wright criticized the Report for lacking analytical support to establish the likelihood that industry best practices and recommendations were more likely to foster competition and improve consumer welfare (Wright, 2015). He further argued that the Commission failed to engage in a rigorous cost-benefit analysis of the Internet of Things phenomenon prior to disseminating best practice or legislative recommendation (Wright, 2015).
The nature of best practice rulemaking warrants adequate cost-benefit analysis.
Although the voluntary nature of best practices has been disputed by some critics, there is no basis in law for this argument. In interpreting the Administrative Procedure Act (“APA”), federal courts have found best practices to be “non-binding,” and thus voluntary (UAW v. Chao, 2004). A mere repetition of the practice by various market players “does not transform the practice into a measure that can be challenged [in courts]” (Naiki, 2004). The fact that best practices rulemaking is not subject to the APA-style rulemaking, such as notice, comment, and judicial review, further proves the voluntary nature of those measures (Zaring, 2006).
Despite being legally non-binding and non-enforceable, best practices are not always received this way by those whom they are aimed to effect. Often, entrepreneurs and businesses without the legal acumen to distinguish best practice from binding administrative rules, are not aware of the voluntary nature of best practices. This creates a problem because entrepreneurs frequently evaluate whether they would be able to comply with the law before embarking on a risky venture, such as designing a new software or developing an app. Furthermore, agencies develop best practices, recommendations, and guidelines informally, but they implement them more formally (Zaring, 2006). This process in itself is generally not regulated or subject to oversight by Congress or any other branch of the government (Zaring, 2006). Courts do not view failure to follow best practices as violations of substantive norms (UAW v. Chao, 2004). Nevertheless, this general lack of oversight is problematic because agencies that conduct rulemaking through the use of best practices “may do so without fear of reversal by the judicial branch” nor they do need to fear Congressional oversight. Best practices, recommendations, and guidelines can therefore be characterized as “soft law” because they secure widespread compliance without being mandatory (Zaring, 2006). Therefore, due to the lack of oversight, non-reviewable nature, and confusion about the enforceability of best practice rulemaking, it is important that there is sufficient level of cost-benefit analysis performed before an agency issues best practices.
A cost-benefit analysis will be of a sufficient level if it seeks a “full accounting,” meaning an assessment of all real-world costs and benefits (Sustein, 2001). The balancing needs to be done on the basis of complete and available evidence. This cost-benefit balancing requires an agency to recognize when a risk is “significant” and when it is “de minimis” (Sustein, 2001). Although the approach of cost-benefit analysis has been criticized by some scholars (Posner, 2000), it is appropriate in rulemaking because it helps agencies “resist demands for regulation that are rooted in misperception of facts” (Sustein, 2001). Moreover, cost-benefit balancing is a powerful tool in protecting democratic processes “by exposing an account of consequences to public view” (Sustein, 2001).
Because the IoT Report constitutes best practice rulemaking, it warrants a sufficient level of cost-benefit analysis.
The IoT Report lists some specific recommendations and best practices for companies (Federal Trade Commission, 2015). For example, in the data security area the Report instructs that companies should implement “security by design” by building security into their devices at the outset, and that companies “must ensure that their personnel practices promote good security.” These pronouncements use language that does not make a reasonable layperson believe that the practices and recommendations are really voluntary. Additionally, the Report directly addresses businesses in the relevant industry of the Internet of Things, which carries a significant probability that businesses will feel forced to comply with them. Therefore, best practices can be characterized as a form of rulemaking, and the IoT Report can be seen as a way that the FTC seeks change without the involvement of courts or legislature.
Because the FTC is representing the public at large, we need to make sure that its best practices and recommendations are actually serving the interest of the public at large. Therefore, this type of rulemaking warrants a substantive analysis of the costs and benefits of the practices the FTC set forth in the IoT Report. There are serious concerns, as expressed by Commissioner Wright, about lack of support for some of the best practices and recommendations found in the IoT Report (Wright, 2015). For example, Commissioner Wright pointed that the record that served as the basis for the IoT Report consisted of a one-day workshop, the corresponding public comments, and staff’s impressions of the workshop and comments (Wright, 2015). If the record does not have sufficient information to support legislative change, then it should not be sufficient to warrant a change through the use of best practice rulemaking. In fact, one of the main aspects that commentators fault best practices with is the lack of methodology or research (Robbins, 2009). In order for an agency to have a thorough understanding of the issue and various viewpoints, it needs to obtain “a representative sample of viewpoints” (Wright, 2015). While the FTC engaged in some soliciting of various viewpoints of interested parties, there is evidence that this was not sufficient in this case because of the complexity and wide-ranging nature of the Internet of Things. While informal rulemakers normally guarantee public participation in the rulemaking process, a beneficial characteristic of best practice rulemaking, the congregation of parties participating in the process is “decentralized, and ever changing” (Zaring, 2006). This decentralization is harmful to effective rulemaking, and requires a cautious approach from the agencies.
Not only did the FTC base the IoT Report on an insufficient record, but also, as Commissioner Wright argues, the Commission failed to engage in a rigorous cost-benefit analysis before it issued best practices (Wright, 2015). The cost-benefit analysis is a critical process for the agency to engage in before it disseminates best practices because otherwise the recommended practices may actually hinder other important competing interests (Robbins, 2009). Ensuring that all the relevant interests are weighed against each other, and identifying whether the trade-offs are worth taking is the key in designing best practices. Some competing interests include: business prosperity, innovation, new or additional employment opportunities, investment opportunities, and even scientific discovery. This requires the agency to apply objective standards because as critics recognize: “With the overwhelming amount of best practices out there, no one is creating an objective standard against which to measure the practices” (Robbins, 2009).
As the Dissenting Statement of Commissioner Wright correctly points out, there is too much at stake for consumers given the consequences of the “Digital Revolution” on consumers’ homes, vehicles, and other aspects of daily life for the Commission to issue best practices without conducting a sufficient cost-benefit analysis (Wright, 2015). The IoT Report highlights the danger of disseminating over-inclusive and poorly researched best practices. For example, requiring that businesses dispose of large stores of data could potentially curtail innovative uses of data (Wright, 2015). For example, the ability to store data has given birth to Slice, a free app that tracks users’ shipments based on the invoices from various e-tailers in users’ email inboxes in a consolidated manner. Slice uses the aggregated data to estimate shipments of various products. Recently, Slice reported that the pre-orders for Apple’s iWatch exceeded 950,000 units over the first weekend (Lewis). This resulted in an increase in stock price of of Apple by approximately 3%, thus benefitting the shareholders (Google Finance). As critics highlight, collecting data is “the model of innovation right now,” and prohibiting such practice ignores this reality (Newman). The magnitude of this cost to the businesses needs to be weighed against the data protection and security interests that the FTC purports to safeguard.
Although developing policy approaches to the Internet of Things is a meaningful endeavor, the increased privacy and security should be weighed against the impediment of legitimate business activity and innovation. In other words, the FTC is only justified in pronouncing best practices in the IoT Report if it concluded that the magnitude of data protection and security risks is a more pressing interest than the cost to the businesses. It does not appear that the Commission weighed the competing interests (Wright, 2015).
While Commissioner Wright concluded that the Report lacked a rigorous cost-benefit analysis, Commissioner Ohlhausen disagreed only with the scope of the recommendations (Ohlhausen, 2015). Specifically, Commissioner Ohlhausen did not dispute the process that the Commission implemented to reach its conclusions, but rather she criticized the actual recommendations and best practices that the Report endorsed based on the cost-benefit analysis performed (Ohlhausen, 2015). Worrying that the Report embodies the “precautionary principle,” Commissioner Ohlhausen criticized the Report’s best practices on data minimization as “overly prescriptive” (Ohlhausen, 2015). Both Commissioner Wright’s and Commissioner Ohlhausen’s statements highlight the problems with the Commission’s dissemination of best practices in the area of Internet of Things.
Examples of the risks of failure to conduct a proper cost-benefit analysis, and the risks of adopting overly prescriptive best practices abound. The disruptive and widely popular transportation service company, Uber, demonstrates this precise risk. The company has been facing legal challenges in many countries for, among other things, providing taxi services without the licenses required from other taxi operators (Heimler). It appears that in majority of foreign jurisdictions, the regulatory agencies or legal authorities did not engage in any cost-benefit analysis, but rather found Uber’s actions illegal simply because the company operated without the stringent prerequisites imposed on licensed taxi operators (Heimler). However, the services Uber provides are often more efficient and less costly alternatives to traditional taxi cabs (Techdirt). With less stringent regulation in the United States, the company has been able to operate and provide a low-cost, reliable alternative to customers of traditional taxi cabs (Heimler). Although additional competition may not be desired by traditional taxi operators, in cases where benefits seemingly outweigh costs, the government should allow for customers to have this choice.
Nevertheless, examples of under-regulated areas are also not difficult to find. In 2007, Samsung launched Internet connected Smart TV powered by Google’s Android operating system. These Smart TV’s allowed customers to control and regulate the TV using voice commands (Samsung). However, in February 2015 Daily Beast discovered buried in Samsung’s Privacy Policy that these TV’s were meant to ‘always listen’ and transmit data to a third party (Harris). The privacy policy stated, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party” (Harris). More importantly this data transmission occurred through unsecured channels creating a possibility of uninvited intrusion by hackers (Harris). This example illustrates the risk of inadequate regulation, and highlights the need for government regulation of innovative, nascent concepts (Fink). Such computer-like features in many of the modern devices pose serious risks to users’ privacy and data security breaches. Although users may enjoy certain features and easy access to those devices, the need to minimize risk requires that an agency balances it against these benefits to the consumers.
By publishing best practices and recommendations, such as the IoT Report, the FTC may be seeking to exert more control in the areas of privacy and security than it currently holds.
In the absence of specific legislation on data privacy and security, the FTC relies on its broad authority under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practice in or affecting commerce” to address violations in the areas of data privacy and security (Federal Trade Commission Act of 1914). In the recent years, the agency has engaged in bold efforts to stretch the boundaries of its authority over data privacy and security (Dennis, 2012). With its 2012 victory in FTC v. Wyndham Worldwide Corporation which affirmed that targeted data-security legislation did not deprive the FTC of authority to assert an unfairness claim in the data-security context, the Commission has taken yet another step towards becoming the enforcer of data privacy and security (Dennis, 2012). Despite its relatively successful assertion of authority over these areas, its enforcement powers differ from its rulemaking powers. Because the FTC’s enforcement of data-security policies under the unfairness prong of the Federal Trade Commission Act was greatly criticized (Bender, 2013), the current rulemaking in the areas of data privacy and security is even more warrantless. Moreover, without any specifically defined authority over privacy, the FTC could be seen as attempting to exert as much broad authority over privacy as it has over advertising under Section 5 of the Federal Trade Commission Act. Therefore, without a specific legislation, the Commission should not engage in informal rulemaking in the areas of data privacy and security.
This is not the first attempt of the agency to overstep the boundaries of its rulemaking authority. For example, when the agency adopted the Telemarketing Sales Rule it was criticized for attempting to regulate the debt-relief-services industry using rulemaking authority purportedly granted by the Telemarketing and Consumer Fraud and the Abuse Prevention Act (Thurman, 2010). The criticism was followed by a series of lawsuits objecting to the agency’s expansionism (Thurman, 2010). As this example demonstrates, an agency’s overreaching can have detrimental effects. By using the ambiguity of Section 5 language, the agency could be seeking to exert more power than Congress sought fit for the FTC. In an emerging field, such as the Internet of Things, the detriment could be an even more serious consequence if the agency’s overreaching continues.
This form of agency rulemaking should be controlled within the agencies themselves.
In today’s world of technological dynamism and increased complexity, agencies must depend more on outsiders in how they implement policy changes (Kovacic, 2015). Seeking the view of outsiders to develop understanding of the various technologies and their effects on consumers is not only permissible, but is expected of regulators. The FTC’s initiative to gain a better understanding of the Internet of Things is therefore price-worthy. If the Commission simply reported on the discussions and various points of views expressed in the one-day workshop it conducted, this could have been constructive to facilitating proper rulemaking process, such as that done by Congress. However, the Commission did not stop there, but rather issued best practices and recommendations based on this very limited inquiry into the nascent topic of the Internet of Things.
The dissemination of best practices on the Internet of Things differs significantly from the agency’s prior informal rulemaking. For example, in the 2000s, the Commission engaged in deliberations on the topic of competition and health care (Muris, 2005). The deliberations consisted of 27 days of informal hearings, and featured over 250 panelists (Muris, 2005). Another influential study by the Commission took 15 years (Muris, 2005). Although the record does not need to consist of such elaborative and long-term research efforts (Kovacic, 2015), a report based on a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, falls short of a sufficient record. After all, development of a fuller, more representative perspective requires substantial investment, and “tends to press towards larger rather than small proceedings” (Kovacic, 2015). Therefore, as correctly noted by Commissioner Wright in his dissenting statement, the Commission did not collect sufficient evidence to issue best practices in its Internet of Things Report because it “merely relied upon its own assertions and various surveys that are not necessarily representative [...]” (Wright, 2015).
Best practices form of rulemaking should be controlled within the agencies themselves, especially because lack of congressional and judicial supervision over this informal rulemaking is likely to continue (Zaring, 2006). Sometimes this could mean that an agency should be willing to leave a field over which it has jurisdiction untouched by best practices or other form of rulemaking. In other instances, it could mean that the agency engages in elaborate and exhaustive deliberations that ensure representative prospective of those potentially affected by its new regulation. As agencies proceed down the best practices rulemaking path, they should aim for “a cautious but intelligent embrace of the phenomenon as a tool of administrative policy” (Zaring, 2006). This cautious approach is vital because “there is no reason to suspect that the substantive creations of these procedural innovations will necessarily be good ones” (Zaring, 2006).
By promulgating best practices and recommendations, the FTC may have exerted more authority than is provided by Congress. The non-reviewability and non-binding nature of best practices makes this form of rulemaking an area where it is easy for an agency to slip into a territory beyond its jurisdiction. Although issuance of best practice may seem to be a harmless action, the confusion that exists over an agency issuing mandatory rules as opposed to voluntary rules may lead to negative consequences, such as lesser innovation and lesser economic activity. Given the serious costs to the society, the Commission, through the IoT Report, might have stepped into a dangerous terrain in its misguided attempt to increase privacy and security, particularly because it failed to conduct a sufficient cost-benefit analysis. Given the risks of over-regulating nascent concepts, such as the Internet of Things, agencies should control their best practice rulemaking tendencies. Perhaps restraint from rulemaking in favor of free market forces could lead to best practices emerging on their own.
Bender, D. J. (2013). Annual Review of Administrative Law: Administrative Law Essay: Tipping the Scales: Judicial Encouragement of a Legislative Answer to FTC Authority over Corporate Data-Security Practices. . 81 Geo. Wash. L. Rev. 1665, 1675.
Budnitz, M. E. (1997). The FTC’s Consumer Protection Program During the Miller Years: Lessons for Administrative Agency Structure and Operation. 46 Cath. U.L. Rev. 371, 416.
Charles H. Koch, J. a. (1983). FTC Rulemaking Through Negotiation. 61 N.C.L. Rev., 278.
Dennis, C. (2012). FTC. v. Wyndham: How Far Can the FTC Go In Data Security?
Federal Trade Commission. (2015). Internet of Things. Privacy & Security in a Connected World. Washington: FTC.
Federal Trade Commission Act of 1914, 15 U.S.C. §41.
Fink, E. (n.d.). Your TV might be watching you. Retrieved 04 23, 2015, from CNN Money: http://money.cnn.com/2013/08/01/technology/security/tv-hack/index.html
Google Finance. (n.d.). Retrieved 04 24, 2015, from Apple Inc.: https://www.google.com/finance?q=aapl&ei=Nb85VYD3AsSGsgfL5oCgCg
Harris, S. (n.d.). Your Samsung SmartTV Is Spying on You, Basically. Retrieved 04 23, 2015, from The Daily Beast: http://www.thedailybeast.com/articles/2015/02/05/your-samsung-smarttv-is-spying-on-you-basically.html
Heimler, A. (n.d.). Huffington Post . Retrieved 04 23, 2015, from What’s Behind Europe’s Taxi Revolt Against Uber?: http://www.huffingtonpost.com/alberto-heimler/europe-tax-revolt-uber_b_7097600.html
Kovacic, W. E. (2015). The Federal Trade Commission as Convenor: Developing Regulatory Policy Norms Without Legislation or Rulemaking. 13 J. on Telecomm. & High Tech. L. 17, 26.
Lewis, T. (n.d.). Tanya Lewis, 1 Million Orders and Counting: Why So Many Covet the Apple Watch-Live Science. Retrieved 04 25, 2015, from i-Style Newss: http://www.istylenews.com/1-million-orders-and-counting-why-so-many-covet-the-apple-watch-live-science.
Muris, T. J. (2005). More Than Law Enforcement: The FTC’s Many Tools - A Conversation with Tim Muris and Bob Pitofsky. 72 Antitrust L.J. 773, 774-75.
Naiki, Y. (2004). The Mandatory/Discretionary Doctrine in WTO Law-The US-Section 301 Case and Its Aftermath. JIEL 2004.7(23) .
National Petroleum Refiners Association v. FTC, 482 F.2d 672 (D.C. Cir. 1971) (D.C. Cir. 1971 1974).
Newman, L. H. (n.d.). The Internet of Things Is Getting a Rule Book, Slate, Slate Blogs. Retrieved 04 20, 2015, from http://www.slate.com/blogs/future_tense/2015/01/28/ftc_releases_new_report_about_privacy_and_internet_of_things.html
Ohlhausen, M. K. (2015). Internet of Things Workshop Report, Separate Statement of Commissioner Maureen K. Ohlhausen .
Posner, M. D. (2000). Cost-Benefit Analysis: Legal, Economic, and Philosophical Perspectives. 29 J. Legal Stud. 837 .
Pub. L. No. 93-637, 88 Stat. 2183 (1975).
Robbins, I. P. (2009). Best Practices on “Best Practices”: Legal Education and Beyond. 16 Clinical L. Rev. , 282.
Samsung. (n.d.). Retrieved 04 23, 2015, from http://techlife.samsung.com
SellerBeware. (n.d.). Retrieved 2015, from Consumer Protection Insights for Industry: http://www.consumeradvertisinglawblog.com/2010/04/is-congress-putting-the-ftc-on-steroids.html
Sharkey, C. M. (2013). Agency Coordination in Consumer Protection. U. Chi. Legal F. 329 .
Solove, D. J. (2014). The FTC and the New Common Law of Privacy, . 144 Colum. L. Rev. 583, 602.
Sustein, C. R. (2001). Cost-Benefit Default Principles. 99 Mich. L. Rev. 1651, 1662.
Techdirt. (n.d.). Retrieved 03 28, 2015, from Uber Having a Tough Week Overseas: France and South Korea Crack Down: https://www.techdirt.com/articles/20150318/07213230354/uber-having-tough-week-overseas-france-south-korea-crack-down.shtml
Thurman, M. (2010). “Hiding Elephants in Mouseholes”: * the FTC’s Unwarranted Attempt to Regulate the Debt-Relief-Services Industry Using Rulemaking Authority Purportedly Granted by the Telemarketing and Consumer Fraud and Abuse Prevention Act, * Am. Bar Ass’n v. Fed. Trade Comm’n, 430 F.3d 457, 467 (D.C. Cir. 2005). 14 Tex. Rev. Law & Pol. 301, 342-42.
UAW v. Chao, 361 F.3d 249 (3d Cir 2004).
Wright, J. D. (2015). Dissenting Statement of Commissioner Joshua D. Wright, Issuance of the Internet of Things: Privacy and Security in a Connected World Staff Report.
Zaring, D. (2006). Best Practices. 81 N.Y.U.L. Rev. , 295.