The US Federal Trade Commission on Thursday announced efforts to formulate privacy rules to prevent unwanted online surveillance and shoddy data security.
The trade watchdog asked the public for comments on “commercial surveillance practices” ahead of a planned legislative push. And the agency’s decision to use the word “monitoring” instead of a euphemism like “data collection” or “personalization” suggests the FTC is already inclined to change the status quo.
“Companies are now collecting personal data about individuals on a massive scale and in an amazing variety of contexts,” said FTC Chair Lina Khan in a statement.
“The increasing digitization of our economy – coupled with business models that can encourage the endless sipping of sensitive user data and a vast expansion in the use of that data – means that potentially unlawful practices can be rife.”
The FTC said its concern stems from the difficulty of avoiding commercial surveillance. It should be noted that some companies require customers to consent to data collection as a term of service, and companies may subsequently change their terms of service to further extend data collection. The agency also pointed to the increasing use of deceptive marketing or “dark patterns” to manipulate consumers.
Watch out for the gap…
The US currently does not have comprehensive federal data protection law along the lines of the European Union’s General Data Protection Act or the UK Data Protection Act 2018. And in the absence of comprehensive data protection regulations, state regulators have filled the gap with laws such as the California Consumer Privacy Act (CCPA), the California Privacy, among others Rights Act of 2020 (CPRA) and the Illinois Biometric Information Privacy Act (BIPA).
The business community, eager to “suck up” consumer data, is pushing for a federal replacement law, ostensibly to avoid the complexities of complying with various state regulations, but also to reverse strict privacy requirements that states like California have put in place.
The current candidate legislation is the American Privacy Act (ADPPA) [PDF]the was endorsed passed by the House Energy and Commerce Committee last month and is now awaiting votes in both the House and Senate.
The Board of Directors of the California Privacy Protection Agency, formed to implement the CCPA, has said it opposes the ADPPA because it “attempts to significantly weaken the privacy of Californians by pre-empting the California Consumer Privacy Act and other state privacy laws”.
Businesses, on the other hand, would like to see the ADPPA changed. IBM has alleged lobbying remove the bill’s private right of action, which would allow individuals to sue companies for data breaches.
Federal lawmakers who support the ADPPA aren’t too thrilled that the FTC — an independent agency accountable to all three branches of the US government — is trying to make rules, although they believe they should enforce laws to which the legislature has not yet come passing.
Republican Chair of the House Energy and Trade Committee Cathy McMorris Rodgers (R-WA) was issued a statement to that end, arguing that the ADPPA is the best way forward rather than “executive action”.
“Contrary to an FTC rule [the ADPPA] contains a national data protection standard,” she said. “A standard – clearly mandated by Congress – is paramount to minimizing the amount of information companies are allowed to collect, process and transmit. “
U.S. Senator Roger Wicker (R-MS) exhibited a similar statement in response to the FTC rulemaking proposal.
“To achieve real consumer privacy protections, Congress must act,” he said. “The FTC commissioners have recognized that legislation, not regulation, is the preferred way to achieve this protection. I hope that today’s action by the FTC will help underscore the urgency for the House of Representatives to have a say on America’s privacy law and for the Senate Commerce Committee to move it forward through the committee. The time to move ADPPA forward is now.”
If the ADPPA is not passed in the next few months, it may not survive in its current form: November’s US midterm elections could shift the balance of power in Congress, prompting lawmakers to reassess their legislative priorities.
khan via twitter acknowledged the possibility that passage of the ADPPA could change things for the FTC.
“Because our rulemaking process is lengthy, we may review these efforts in light of new developments,” she said. “If Congress passes a strong federal privacy law – which I hope – then we would re-evaluate the value of this work and whether it remains a wise use of resources.”
The added value of the FTC to privacy enforcement is not obvious. Last September, Accountable Tech, a left-of-center advocacy group, requested the FTC ban surveillance advertising. The agency reviewed the petition and collected input by people who wanted to comment. And then nothing happened.
Undeterred by déjà vu, Accountable Tech cheered the FTC’s announcement as “a crucial first step in countering the egregious invaders and exploitation of the ever-expanding surveillance economy.” ®
https://www.theregister.com/2022/08/11/ftc_personal_data_rules/ FTC Considers Penalty for “Surveillance” of Commercial Data • The Register