While Congress is moving slowly on legislation aimed at protecting the privacy of consumers’ data, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) are stepping up their efforts to crack down on what they call “commercial surveillance”.
Last week, the FTC and the CFPB, both charged with protecting consumers, announced a number of actions aimed at ensuring that businesses that collect and monetise consumer data do so in a way that does not harm consumers.
On Thursday (August 11), the FTC issued an advance notice of proposed rulemaking, the first step in a rulemaking process, seeking public comment on the harms stemming from “commercial surveillance”, the practice of businesses collecting a vast amount of data about people, analysing it and profiting from it.
“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC chair Lina Khan.
“The growing digitisation of our economy — coupled with business models that can incentivise endless hoovering up of sensitive user data and a vast expansion of how this data is used — means that potentially unlawful practices may be prevalent.”
The agency now raises concerns that businesses collect much more consumer information than what consumers proactively share and that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms.
“Companies reportedly surveil consumers while they are connected to the internet — every aspect of their online activity, their family and friend networks, browsing and purchase histories, location and physical movements, and a wide range of other personal details,” the FTC warned.
The agency is also worried that algorithms that analyse consumer data “are prone to errors, bias, and inaccuracy” and that companies increasingly use dark patterns to influence or coerce consumers into sharing personal information.
The FTC is asking the public whether it should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.
“Data privacy has been a priority of the FTC since last year, with recent enforcement actions concerning data privacy and security underscoring it is a top of mind issue,” according to Kristin Bryan, partner at Squire Patton Boggs with expertise in data privacy.
The FTC’s notice is “remarkable in light of the failure of Congress to pass comprehensive privacy legislation”, she added.
Earlier in May, the FTC cautioned that regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.
Meanwhile, additional legislation is also being considered in Congress that would broaden the FTC’s oversight of cybersecurity-related issues, Bryan said.
The RANSOMWARE Act would require the FTC to report on cross-border complaints that involve ransomware or other cyber-attacks committed by actors with ties to Russia, China, North Korea or Iran.
Should the FTC move ahead with the proposed rulemaking, the process will likely take at least two years and may be affected by the results of the mid-term elections in the autumn, Bryan noted.
However, companies across industries “are keeping a close eye on this going forward, given the breadth of the anticipated impact of this development”, she added.
Meanwhile, the CFPB, which is led by former FTC commissioner Rohit Chopra, is also increasing its focus on the potential misuse and abuse of personal financial data.
The day before the FTC announcement, the CFPB issued guidance laying out that digital marketers that sell their services to financial firms must comply with federal consumer financial protection law.
The guidance clarifies that bigtech firms and other digital marketers that use machine learning and algorithms to process personal data and deliver highly targeted ads for financial products can be held liable by the CFPB.
“Many tech firms are on the hunt for data about what we spend our money on and where we make our purchases,” said director Chopra.
“When bigtech firms use sophisticated behavioural targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” he added.
The following day, the CFPB released a circular stating that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data.
Although not established as an outright requirement, the CFPB urges businesses to implement multi-factor authentication (MFA).
“If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability,” the circular says.
No more waiting for Congress
Despite significant public interest in previous years in legislating data privacy rights, Congress has shown little movement on any proposals that would create GDPR-like protections for Americans.
But with the growing concerns around the vast amount of data handled by companies, Khan and Chopra are now speeding up their efforts to ensure consumers are protected against “unfair, deceptive, or abusive acts and practices”, a core mandate of the two agencies.
The FTC advance notice was approved by a 3-2 vote, with Trump-nominated commissioners Noah Joshua Phillips and Christine Wilson voting against it.
“National consumer privacy laws pose consequential questions, which is why I have said, repeatedly, that Congress — not the Federal Trade Commission — is where national privacy law should be enacted,” Phillips said in a statement.
Wilson added that “Congressional action is the best course” and voted “no” to give better prospects to a federal bill that was moving ahead in Congress. At the end of July, the House Committee on Energy and Commerce passed the American Data Privacy and Protection Act (ADPPA) with sweeping 53-2 bipartisan support.
The vote is the beginning of the lengthy legislative process and it means that the bill could be sent to the House floor for debate and then discussed in the Senate.
Wilson said she is “gravely concerned that opponents of the bill will use the ANPRM as an excuse to derail the ADPPA”.
However, Senator Roger Wicker (R-MS), ranking member of the Senate Committee on Commerce, Science and Transportation, and an advocate of consumer data privacy rights, is more optimistic.
“I hope today’s action by the FTC helps underscore the urgency for the House to bring the American Data Privacy and Protection Act to the floor and for the Senate Commerce Committee to advance it through committee.”
He emphasised that “legislation, not regulation, is the preferred way to achieve these protections” and the “time to move on ADPPA is now”.