FTC Initiates Privacy and Data Security Rule-Making
Commission Asks for Comment on Link Between Consumer Surveillance and Lax Security
The U.S. Federal Trade Commission today initiated a potentially yearslong attempt to impose new data security and privacy regulations onto the American economy. Agency commissioners voted along party lines to initiate the rule-making process. Democratic Chair Lina Khan charged technology companies with running roughshod over consumer preferences, while the two Republican commissioners accused Democrats of going beyond the agency's authority.
"A significant majority of Americans today feel that they have scant control over the data collected on them and believe the risks of data collection by commercial entities outweigh the benefits," Khan said in a statement.
Today's advance notice of proposed rule-making doesn't recommend specific regulations. It instead calls for comment on a range of practices that stem from what critics have termed "surveillance capitalism" - the practice of influencing consumers through analytics culled from vast troves of behavioral data collected through smartphone apps and other smart devices. The FTC says comments on the notice could guide future potential rule-making touching on topics ranging from algorithmic bias to data security.
The notice connects ubiquitous data collection practices with data security, saying the amounts of data held by tech companies increase risks of cyberattacks. Among the topics it solicits comment on is whether there exist commercial incentives causing lax data security measures.
"Our goal is to really begin building a rich public record to inform our assessment of whether rule-making is worthwhile," Khan said during an afternoon press conference. "We are very eager to hear from the public."
The notice is part of a revival of rule-making authority at the agency. The FTC abandoned its rule-making powers during the Reagan administration amid criticism of excessive regulation. The potential effect on the U.S. economy of FTC rule-making can be quite large, but the process requires even more public and congressional consultation than ordinary executive branch rule-making. Even after voting on party lines last year to streamline the rules process, approving a privacy regulation would still likely take longer than the remainder of President Joe Biden's term in office.
Today's notice also comes at a rare moment of bipartisan momentum in Congress for a privacy law, the American Data Privacy and Protection Act. Intermittent legislative branch attempts to create a national privacy standard have foundered on partisan differences over topics including whether individuals should be able to sue companies for privacy violations and whether the national standard should overrule state data privacy laws. The ADPPA generally preempts state laws and creates a limited private right of action.
Democratic commissioners who spoke with reporters today said rule-making activity at the FTC complements legislative activity rather than supplanting it. "Until there's a law on the books, the commission has a duty to use all the tools we have under current law," said Rebecca Slaughter. Alvaro Bedoya said he would not vote to advance any rule-making that overlaps with the bill, should it become law.
The ADPPA faces potentially terminal opposition from Senate Democrats who have said the proposal is weak on enforcement.
In a statement, House Energy and Commerce Committee Chairman Frank Pallone said he appreciates "the FTC’s effort to use the tools it has to protect consumers, but Congress has a responsibility to pass comprehensive federal privacy legislation." Pallone, a New Jersey Democrat, is a major backer of the bill.
Alan Butler, head of the Electronic Privacy Information Center, told Information Security Media Group the notice "is long overdue."
"We're thrilled the FTC is launching this. We think it's really important for them to take action," he said.