Federal Trade Commission (FTC) Chair Lina Khan said on Monday (April 11) that it is time for the agency to “reassess” rules around what data companies can collect from consumers. She called for a new approach to consumer data protection to replace the companies’ privacy policies on collection and use of consumer data.
In an event organized by the International Association of Privacy Protections, Khan said that the current notice and consent framework was “outdated and insufficient.” Khan suggested that the agency and Congress should act to ensure that consumers don’t have to give up their personal data to have access to online tools that are essential to everyday life.
“I believe we should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements, while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place,” she said.
Khan didn’t provide many details of how the new rules could look. She pushed for “market-wide rules” governing consumer data protection. These rules could provide guidance to businesses about how to keep people’s data private.
While the U.S. doesn’t have federal privacy laws, the FTC has been filling this gap with enforcement actions against companies that violate other laws.
The FTC has initiated proceedings against companies looking at both privacy and antitrust, and while this multidisciplinary approach can provide the agency with valuable information on data collection practices, it also has limitations on the scale and scope of the regulatory oversight across sectors.
“Even without a federal privacy or security law, the FTC has for decades served as de facto enforcer in this domain,” Khan said.
The FTC has broad enforcement authority under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The agency has brought 20 different cases related to privacy in the last two years. One of the latest was on March 15, when the FTC reached a $500,000 settlement with CafePress over allegations that the company had failed to secure consumers’ sensitive personal data and covered up a major breach.
The FTC has also shown that it can use all the tools in the enforcement toolbox to force companies to stop their practices. For instance, on March 3, the FTC ordered WW International and Kurbo to destroy all personal information collected from children under 13, as well as any algorithm derived from the data, and pay a $1.5 million penalty. This new remedy, to destroy the algorithm, was evidence of how far the regulator can go to protect consumers’ privacy.
But if Khan wants a proposed rulemaking to move forward, she needs first a Democratic majority at the FTC, which she doesn’t have yet. The FTC is split with two Democrats and two Republicans. However, the Senate may soon vote on the President Biden’s nominee, Alvaro Bedoya, for the third democratic seat at the FTC. Bedoya has experience in privacy matters.
Khan acknowledged that even with the FTC’s enforcement efforts, new federal legislation will be key to make a significant paradigm shift. However, discussions in Congress to pass data privacy legislation have stalled as lawmakers disagree on various issues. Other initiatives to protect consumer privacy may face less opposition. In February, Sen. Richard Blumenthal introduced a new bill — the Kids Online Safety Act — that seeks to protect children’s privacy and data and may have more bipartisan support.
Read more: FTC Rules by Enforcement in Privacy, but for How Long?