FTC ponders proper punishment for commercial data 'surveillance' and shoddy security

The US Federal Trade Commission on Thursday announced an effort to formulate privacy rules to deter unwelcome online monitoring and shoddy data security.

The trade watchdog invited comments from the public about "commercial surveillance practices" in advance of a planned rule-making push. And the agency's decision to use the word "surveillance" rather than a euphemism like "data gathering" or "personalization" suggests the FTC is already inclined to change the status quo.

"Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts," said FTC Chair Lina Khan in a statement.

"The growing digitization of our economy – coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used – means that potentially unlawful practices may be prevalent."

The FTC said its concern arises from the difficulty of avoiding commercial surveillance. It notes that some companies require customers to agree to data collection as a condition of service and that companies may subsequently change their terms of service to further expand data gathering. The agency also pointed to the increasing use of deceptive marketing or "dark patterns" to manipulate consumers.

Mind the gap...

The US presently has no comprehensive federal privacy law along the lines of the European Union's General Data Protection Act or the UK's 2018 Data Protection Act. And in the absence of broad privacy rules, state regulators have filled the void with laws like the California Consumer Privacy Act (CCPA), California Privacy Rights Act of 2020 (CPRA), and the Illinois Biometric Information Privacy Act (BIPA), among others.

The business community, fond of "hoovering up" consumer data, has been pushing for a superseding federal law, ostensibly to avoid the complexity of complying with different state regimes but also to undo strong privacy requirements states like California have put in place.

The current candidate legislation is the American Data Privacy and Protection Act (ADPPA) [PDF], which was endorsed by the House Energy and Commerce Committee last month and now awaits votes in both the House of Representatives and the Senate.

The California Privacy Protection Agency Board, formed to implement the CCPA, has said it opposes the ADPPA because it "seeks to significantly weaken Californians’ privacy protections by pre-empting the California Consumer Privacy Act and other state privacy laws."

Companies, meanwhile, would like to see the ADPPA modified. IBM has reportedly lobbied to nix the bill's private right to action, which would enable individuals to sue businesses for privacy violations.

The federal legislators backing the ADPPA are none too thrilled about the FTC – an independent agency accountable to all three branches of the US government – trying to make rules when they believe it should be enforcing laws that the legislative branch hasn't yet gotten around to passing.

• Ex-CISA chief Krebs calls for US to get serious on security
• Facebook hands over chats to cops in post-Roe abortion case
• Data brokers amass profiles of pregnant women – and, of course, it's all up for sale
• National data privacy law for the US clears first hurdle

House Energy and Commerce Committee Republican Leader Cathy McMorris Rodgers (R-WA) issued a statement to that effect, arguing that the ADPPA represents the best path forward rather than "executive action."

"Unlike an FTC rule, [the ADPPA] includes a national privacy standard," she said. "One standard – clearly directed by Congress – is paramount to minimizing the amount of peoples’ information companies are allowed to collect, process, and transfer. "

US Senator Roger Wicker (R-MS) issued a similar statement in response to the FTC rulemaking proposal.

"To get real consumer data privacy protections, Congress must act," he said. "FTC commissioners have acknowledged that legislation, not regulation, is the preferred way to achieve these protections. I hope today’s action by the FTC helps underscore the urgency for the House to bring the American Data Privacy and Protection Act to the floor and for the Senate Commerce Committee to advance it through committee. The time to move on ADPPA is now."

All change?

If the ADPPA does not pass in the next few months, it may not survive in its current form: The US midterm elections in November could shift the balance of power in Congress, prompting lawmakers to revise their legislative priorities.

Khan via Twitter acknowledged the possibility that the passage of the ADPPA may change things for the FTC.

"Because our rulemaking process is lengthy, we'll be able to review this effort in light of any new developments," she said. "If Congress passes a strong federal privacy law – as I hope it does – then we'd reassess the value-add of this work and whether it remains a sound use of resources."

The FTC's value-add to privacy enforcement isn't obvious. Last September, Accountable Tech, a left-of-center advocacy group, petitioned the FTC to ban surveillance advertising. The agency considered the petition and gathered input from people who wished to comment. And then nothing happened.

Unfazed by the sense of déjà vu, Accountable Tech cheered the FTC's announcement as "a critical first step toward cracking down on the egregious intrusions and exploitation of the ever-expanding surveillance economy." ®