This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or Commission) under the Obama Administration was active in calling for, and advancing, greater privacy protection for consumers, as well as authority for itself, and late in its tenure went so far as to push its unfairness authority into the realm of privacy. We have been anxiously waiting for the newly reshaped Commission to articulate its worldview on consumer privacy and data security. Earlier this month, the FTC provided a detailed outline of its approach and strategy to data protection in a Comment responding to a Request for Comment made by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA). While the FTC remarked that due to data privacy concerns by consumers, the laws, tactics and enforcement by the FTC must constantly evolve, its forward-looking comments emphasized status quo principles, approaches, and a more balanced approach to weighing the interests of individual rights and the benefits to consumers collectively when completion and innovation are not unnecessarily fettered. Further, throughout its Comment, the FTC reiterated the value of a risk-based and cost-benefit approach to protect against actual harm and of not creating impediments to the advancement of prosperity and innovation. This theme is reflected also in the FTC’s warning that “[a]ny [new privacy or data protection] legislation should balance consumers’ legitimate concerns about the protections afforded to the collection, use and sharing of their data with businesses’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”
The FTC’s Comment illuminates the new Commission’s current thinking on how it can apply the traditional FTC approach to data protection to improve consumer protection as technology and data practices evolve.
Security. The FTC highlights its history of exercising both deception and unfairness authority to ensure companies maintain reasonable data security. The FTC cites its 2017 Privacy and Data Security Update, which references more than 60 litigation matters the Commission prosecuted for instances of alleged unreasonable data security or misleading disclosures. These matters ranged from data storage issues to imposing secure digital certificates. For the future, the FTC calls for comprehensive federal data security legislation in order to clarify the FTC’s data security authority, which has been increasingly challenged, and the rules that should be applied to data security and incident response.
Control. The FTC believes that finding the right balance of consumer choice and control in relation to the collection and use of consumer data is foundational for establishing appropriate privacy protections. In the Commission’s view, however, “[t]he proper approach to consumer control – one that balances costs and benefits – takes consumer preferences, context (including risk) and form into account.” The FTC illustrates this principle by warning that “if consumers were opted out of online advertisements by default (with the choice of opting in), the likely result would include the loss of advertiser-funded online content.… By contrast, choice is important when the risk of harm might significantly increase, such as where the data is sensitive (as in the case involving information about children, financial and health information, and Social Security numbers).” The FTC also reiterates its view that consumers should have a choice when their data is utilized materially differently from what was promised when it was first collected.
Enforcement. The FTC points out some limitations of the current enforcement framework. A weakness of the current model is that the FTC does not have authority to impose civil penalties. The FTC explains that the current sectorial approach to privacy to address particular privacy risks, such as through the Children’s Online Privacy Protection Act (COPPA), the GLBA, and the Health Insurance Portability and Accountability Act (HIPAA), create gaps and inconsistencies in consumer privacy protection overall. The FTC acknowledges that these discrepancies may in some circumstances leave consumers with uneven levels of protection and create uncertainty about legal compliance for businesses. However, it concludes that “[c]oncerns about the limitations of current law must be balanced against the need to preserve flexibility to address complex and evolving issues related to consumer privacy and data collection, and broader impacts on innovation and competition.
Looking to the future, the FTC clarifies its methods of enforcement and policy goals. The FTC will continue to utilize its enforcement powers via Section 5(a) (15 U.S.C. § 45) and specific statutes. As a warning to business entities, the FTC will hold entities accountable under its deception authority for failure to honor the voluntary codes of conduct and privacy commitments that businesses disclose, and it will continue to treat failure to reasonably secure personal information as an unfair practice. While there is not likely to be a radical departure by this FTC from the Commission’s approach to data privacy and security over the past decade, expect that approach to continue to evolve. The good news for industry is that this Commission seems committed to taking a harm- and risk-based approach to identifying issues and problems, and can be expected to do so in a manner that fosters competition and innovation while still protecting consumers.