FTC Chair Signals End to “Notice and Consent”
On April 11, Federal Trade Commission (FTC) Chair Lina Khan spoke about data privacy and security at the International Association of Privacy Professionals (IAPP) Global Privacy Summit 2022 in Washington, D.C.
Khan began by acknowledging the expansive role that digitalization has played throughout the United States economy and society in recent years, and the implications of this rapid shift—such as the exclusion of some Americans from modern digital operations due to economic circumstances, an increase in security vulnerabilities that’s led to many economic disruptions and delays, the impact of privacy breaches on victims, and how expansive data collection tools and practices have led to an increase in theft and discrimination.
Khan further explained that Americans are “aware of the stakes and the potential hazards” that accompany the digital world, as evidenced by Pew survey results that two-thirds of Americans believe that it is no longer possible to go through daily life without companies collecting data about them, while over 80 percent feel that they have “meager” control over having their data collected, and believe that the risks of data collection by commercial entities outweigh the benefits.
In consideration of these concerns and economic observations, Khan highlighted the FTC’s current and planned approach to mitigating and limiting the impacts of “how Americans’ data is tracked, gathered, and used.”
Data Practices
Khan pointed out that as digital technologies utilized by consumers proliferate, so do data tracking capabilities. While some firms track data for the benefit of the consumer, others collect this data for the purpose of marketing or selling the data to third parties for economic gain without the benefit or knowledge of consumers.
In fact, she noted, businesses are incentivized by economic gain and a “general lack of legal limits” on the permissibility of monetizing consumer data. In particular, targeted advertisement in key sectors such as “health, credit, housing, and the workplace based on consumers’ race, gender, or age, engaging in unlawful discrimination[,]” places consumers in dangerous or vulnerable situations and exposes them to security threats.
Existing FTC Approach
In response to this paradigm, the FTC has already employed the following efforts to “address and rectify” “unlawful data practices.”
Dominant Firms
The FTC is focusing its efforts on “tackling conduct by dominant firms” and on intermediate firms who “facilitate unlawful conduct on a massive scale.” This narrowed approach is, according to Khan, a result of the agency’s “scarce resources” which must be allocated to “maximize impact.”
Interdisciplinary Approach
The FTC is employing an “interdisciplinary approach” that focuses on consumer protection laws and furthering competition by use of antitrust laws when assessing a business’s data collection, retention, and transmission practices and strategies.
Khan did not expand on the role of antitrust laws in data privacy, but FTC Commissioner Noah Phillips appears to have contrasting views on the validity of addressing privacy concerns through competition laws, as he stated this approach is “wrong, wrong, wrong.” Phillips stated privacy harms and violations can come from any entity and that taking “our focus off the little guys would be putting a lot of privacy harms aside.”
Khan clarified that the FTC’s current approach will require enhanced reliance on its team of “skilled lawyers, economists, and investigators who lead our enforcement work.” In fact, the FTC recently hired more technologists who provide a “diverse set of skillsets, including data scientists and engineers, user design experts, and AI researchers[.]”
Proposed FTC Approach
Khan noted that the FTC is focused on establishing and “pursuing remedies that fully cure the underlying harm and, where necessary, deprive lawbreakers of the fruits of their misconduct.” An example of this type of remedy is requiring a violating business to pay a penalty for breach of data protection laws, as well as requiring the business to delete the illegally collected or retained data and destroy its algorithms used to do said collection or retention.
Where appropriate, Khan said the FTC would pursue executive accountability for an organization’s violations of data privacy laws by, for example, preventing them from continuing to engage in that industry sector.
Finally, the FTC will employ remedies that “evolve to reflect the latest best practices in security and privacy[,]” such as requiring a business to employ multi-factor authentication to better protect their collected and retained consumer data from any breaches occurring in the future.
According to Khan, there are several approaches that the FTC is considering for executing its goals:
New Rulemakings
The FTC is considering new rules that “address commercial surveillance and lax data security practices[,]” and will continue to monitor the evolving nature of digitalization and data privacy practices to ensure that their regulatory efforts change with the environment.
Notice and Consent
Under the current framework, companies are required to notify users of their data collection and retention practices and receive consent from the consumer in order to continue to do so. However, Khan indicated that the current “market realities” may render this approach “outdated and insufficient[,]” due to the “overwhelming nature of privacy policies” and the lack of alternatives presented to consumers who view these digital services as “critical.”
Instead, Khan suggested, the FTC should consider employing “substantive limits rather than just procedural protections,” as procedural protections do not afford sufficient consideration as to whether the data collected was appropriate in the first place. Additionally, Khan advocated for privacy legislation from Congress to outline a new paradigm in which consumers’ access to digital tools will not have to be traded for “commercial surveillance.”
This sentiment was echoed by Phillips, who pushed for national privacy legislation that would simplify the regulatory approach to privacy policies and businesses’ ability to comply with said regulations—even if doing so comes at the expense of competition.
Considerations for Businesses
Organizations that engage in data collection or monitoring should consider the parameters outlined in Khan’s speech as potential “next steps” for the FTC. If your organization relies on notice and consent policies, it may be time to start thinking about a new approach.