This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or Commission) under the Obama Administration was active in calling for, and advancing, greater privacy protection for consumers, as well as authority for itself, and late in its tenure went so far as to push its unfairness authority into the realm of privacy. We have been anxiously waiting for the newly reshaped Commission to articulate its worldview on consumer privacy and data security. Earlier this month, the FTC provided a detailed outline of its approach and strategy to data protection in a Comment responding to a Request for Comment made by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA). While the FTC remarked that due to data privacy concerns by consumers, the laws, tactics and enforcement by the FTC must constantly evolve, its forward-looking comments emphasized status quo principles, approaches, and a more balanced approach to weighing the interests of individual rights and the benefits to consumers collectively when completion and innovation are not unnecessarily fettered. Further, throughout its Comment, the FTC reiterated the value of a risk-based and cost-benefit approach to protect against actual harm and of not creating impediments to the advancement of prosperity and innovation. This theme is reflected also in the FTC’s warning that “[a]ny [new privacy or data protection] legislation should balance consumers’ legitimate concerns about the protections afforded to the collection, use and sharing of their data with businesses’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”

The FTC’s Comment illuminates the new Commission’s current thinking on how it can apply the traditional FTC approach to data protection to improve consumer protection as technology and data practices evolve.

Security. The FTC highlights its history of exercising both deception and unfairness authority to ensure companies maintain reasonable data security. The FTC cites its 2017 Privacy and Data Security Update, which references more than 60 litigation matters the Commission prosecuted for instances of alleged unreasonable data security or misleading disclosures. These matters ranged from data storage issues to imposing secure digital certificates. For the future, the FTC calls for comprehensive federal data security legislation in order to clarify the FTC’s data security authority, which has been increasingly challenged, and the rules that should be applied to data security and incident response.

Transparency. Transparency in consumer data collection and use is a paramount characteristic of data privacy principles long advanced by the FTC. While the FTC agrees with NTIA’s concern that privacy policies are filled with technical detail and legalese and may not be efficient at providing clear and effective notice to consumers, it concludes that “despite these weaknesses, privacy policies and other disclosures do provide accountability. Within an organization, drafting privacy policies helps companies understand their information practices. Outside of the organization, the disclosures give interested consumers [the press, advocacy groups and regulators] more information.” Rather than abandon the privacy policy approach to transparency, the FTC counsels that disclosures also be given in consumer-oriented ways relevant to consumer demand for information at the appropriate time and place. The FTC pointed to its historic advocacy of context-specific disclosures at the point of collection or consumer decision-making, such as through notices given via setup wizards, dashboards or other in-line notices. Additionally, the FTC pointed to its Model Privacy Form under the Gramm-Leach-Bliley Act (GLBA) as an example of a way to convey notices in a clear, conspicuous and succinct manner. The FTC’s comments state that it can use its deception authority to promote an improved disclosure regime by challenging the lack of effectiveness of privacy notices. The takeaway: Don’t rely solely on a comprehensive privacy policy. Provide just-in-time and short-form notices and explanations as the first line of transparency.

Control. The FTC believes that finding the right balance of consumer choice and control in relation to the collection and use of consumer data is foundational for establishing appropriate privacy protections. In the Commission’s view, however, “[t]he proper approach to consumer control – one that balances costs and benefits – takes consumer preferences, context (including risk) and form into account.” The FTC illustrates this principle by warning that “if consumers were opted out of online advertisements by default (with the choice of opting in), the likely result would include the loss of advertiser-funded online content.… By contrast, choice is important when the risk of harm might significantly increase, such as where the data is sensitive (as in the case involving information about children, financial and health information, and Social Security numbers).” The FTC also reiterates its view that consumers should have a choice when their data is utilized materially differently from what was promised when it was first collected.

Enforcement. The FTC points out some limitations of the current enforcement framework. A weakness of the current model is that the FTC does not have authority to impose civil penalties. The FTC explains that the current sectorial approach to privacy to address particular privacy risks, such as through the Children’s Online Privacy Protection Act (COPPA), the GLBA, and the Health Insurance Portability and Accountability Act (HIPAA), create gaps and inconsistencies in consumer privacy protection overall. The FTC acknowledges that these discrepancies may in some circumstances leave consumers with uneven levels of protection and create uncertainty about legal compliance for businesses. However, it concludes that “[c]oncerns about the limitations of current law must be balanced against the need to preserve flexibility to address complex and evolving issues related to consumer privacy and data collection, and broader impacts on innovation and competition.

Looking to the future, the FTC clarifies its methods of enforcement and policy goals. The FTC will continue to utilize its enforcement powers via Section 5(a) (15 U.S.C. § 45) and specific statutes. As a warning to business entities, the FTC will hold entities accountable under its deception authority for failure to honor the voluntary codes of conduct and privacy commitments that businesses disclose, and it will continue to treat failure to reasonably secure personal information as an unfair practice. While there is not likely to be a radical departure by this FTC from the Commission’s approach to data privacy and security over the past decade, expect that approach to continue to evolve. The good news for industry is that this Commission seems committed to taking a harm- and risk-based approach to identifying issues and problems, and can be expected to do so in a manner that fosters competition and innovation while still protecting consumers.