FTC's (Potential) New Wave of Privacy Regulation

Things are shifting in a major direction in the United States with regard to privacy and data protection laws. An increasing number of states are not waiting for federal legislation and are passing their own laws designed to provide more protection to consumers and personal information in the hands of corporations. Currently, only California, Colorado, and Virginia have signed comprehensive consumer privacy laws whereas over 20 other states have privacy legislation at some stage of the legislative process.

The good news, from a privacy advocate standpoint, is that it’s not only state laws that are currently being drafted, legislated and voted on. Substantive actions coming from different directions on the federal level are taking place. The U.S. federal regulator responsible for antitrust and consumer protection enforcement, including data protection, the Federal Trade Commission (FTC), is getting an internal makeover. Potential funding boost, enhanced privacy rulemaking, appointing the founding director of Georgetown University Center on Privacy and Technology as commissioner, and other substantive changes increasing FTC’s enforcement capabilities are just some of the recent developments.

One of the most transformative upgrades to the FTC would undoubtedly be the budget increase of $1 billion spread over 10 years and with that, the creation of the new privacy and data security division. The new resources would flow in the already-understaffed FTC to higher new technologists, subject-matter experts, and lawyers in order to increase existing efforts on case-by-case enforcement, production of reports and studies that help target the commission’s action and guidance. As a result of this increase in funding, the FTC would become more capable of its rulemaking function, as suggested and encouraged by an nine Senate Democrats in a letter they wrote in September to the commission.

During her keynote speech at the IAPP’s Privacy. Security. Risk. 2021 conference, Rebecca Slaughter, one of the four FTC commissioners, sent a clear message that times are changing as people have fundamentally changed the way they view, prioritize and conceptualize their data. Her goal is to go deeper into the fabric of data privacy enforcement and FTC’s reasoning behind the processes they employ to regulate abusive practices. She said that in many cases, the strategies they use and the reasoning behind them need a dramatic rethink.

As with the European model of privacy regulation and enforcement, the new priority of the FTC is to target the data-driven markets, where abusive practices are deeply rooted in the method of indiscriminate data collection. By taking a deeper look into the critical issues consumers face beyond privacy, Slaughter identified issues such as the algorithmic biases and dark patterns major market players use as key target areas that need to be addressed. Slaughter’s aim is to target specific business practices leading to abuses where the go-to solution of ‘notice and choice’ does not provide adequate level of protection anymore. Notably, the notice-and-choice approach is not sufficient to provide a consumer-friendly remedy and prevent the vast data collections, which ultimately create these abusive practices.

The solution Slaughter referred to, ingrained into the European principle of data minimization and specifically, the purpose and use limitations (Article 5 of the GDPR), will “deprive the surveillance economy engine the fuel it needs to work” as she put it. Companies should not be asking for information they do not need for the services they provide, but only to create a consumer profile. Additionally, Slaughter emphasized that there must be controls on what type of data transfers are permitted and for how long the personal information could be stored – issues that the GDPR already addresses in Chapter 5 on data transfers and Article 5(1)(e) on data storage.

The bottom line is that the focus on data privacy is presently undergoing serious reconsideration as state and federal agencies are working towards more regulation in the United States and around the world. Data-centric approach to consumer protection is taking center stage as more cybersecurity concerns are coming out as a result of new data breaches in both, the public and private sectors. The new wave of privacy laws is sweeping through countries around the globe as personal data becomes one of the most sought-after commodity of the 21st century.