The Federal Trade Commission will explore new rules to crack down on commercial surveillance practices that put Americans’ data at risk of falling into the hands of “hackers and data thieves,” the agency announced Thursday.
“The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent,” FTC Chair Lina M. Khan said in a statement. “Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”
Other concerns about the commercial surveillance industry outlined in the agency’s notice include poor data security protecting information collected on consumers, the misleading ways companies collect consumer data, and how data can lead to discriminatory outcomes for automated systems.
The rulemaking process could also have significant implications for how company’s much protect their data from cyberattacks, exploring options such as rules that could require “businesses to implement administrative, technical, and physical data security measures” such as encryption.
The agency would also explore potential civil penalties for first-time offenses.
“We’ve brought scores of data security case and we are still almost on a weekly basis seeing devastating data breaches,” Sam Levine, director of the FTC Bureau of Consumer Protection, told reporters in a press call. “I think one of the things we want to hear from the public on is whether we need to deter these practices in the first instance and one key tool we have for achieving that deterrence is civil penalties.
The announcement comes nearly a year after Democratic members of Congress urged the agency to explore privacy rulemaking while Congress dithered to pass federal privacy legislation. Since then, a comprehensive federal privacy bill passed out of House committee to a floor vote, making it the first legislation of its kind to do so. But the future of the American Data Privacy Protection Act (ADPPA) is unclear since Senate Commerce chairwoman Maria Cantwell, D-Wash., has refused to bring the bill to a vote until changes to consumer rights to sue private companies are made.
The Commission voted 3-2 to publish the notice, with both Republican commissioners dissenting. The bill’s momentum played a significant role in the dissent of the commission’s two Republican commissioners in voting against the notice.
“The momentum of ADPPA plays a significant role in my “no” vote on the Advance Notice of Proposed Rulemaking (ANPRM) announced today,” Commissioner Christine Wilson wrote in her dissent. “I am gravely concerned that opponents of the bill will use the ANPRM as an excuse to derail the ADPPA.”
Some of ADPPA’s leading supporters in Congress shared similar concerns.
House Commerce Republican leader Cathy McMorris Rodgers, R-Wash., a leader on ADDPA, expressed disproval of the agency’s proposal.
“I strongly share the goal of enacting robust privacy protections for Americans,” she wrote in a statement. “That should be achieved by the American people speaking through their elected representatives and not through executive action.
Sen. Roger Wicker, R-Miss, who is championing ADPPA in the Senate, expressed that he hoped the agency’s move would “underscore the urgency for the House to bring the American Data Privacy and Protection Act to the floor and for the Senate Commerce Committee to advance it through committee.”
House Energy and Commerce Chairman Frank Pallone, D-N.J., didn’t go as far as to slam the FTC but did make it clear he believes both chambers should move forward with the ADPPA.
“I appreciate the FTC’s effort to use the tools it has to protect consumers, but Congress has a responsibility to pass comprehensive federal privacy legislation to better equip the agency, and others, to protect consumers to the greatest extent,” he wrote in a statement.
FTC staff disabused the notion that a rulemaking process would interfere with Congressional action.
“I think there’s a shared recognition of the condition and on the Hill that there are some serious problems we want to address,” Levine told reporters. “But I want to be very clear that Congress is in the best position to quickly and effectively protect privacy.”
Democratic Commissioner Alvaro Bedoya said he would not vote for a rule that overlaps with ADPPA but would support rulemaking that addresses concerns not addressed by the legislation.
“There are no grounds to point to this process as reason to delay passage of that legislation,” Bedoya said.
The agency found strong support from a number of consumer and privacy advocacy groups, including Consumer Reports and the Center for Democracy and Technology.
Sen. Richard Blumenthal, D-Conn, who encouraged the FTC to pursue privacy rules last fall and is the co-author of a piece of children’s privacy in the Senate, also praised the agency.
“This rule is a major step forward in helping give power back to consumers,” he wrote in a statement.
The public will have 60 days to submit comments on the rulemaking.