American businesses have had things pretty easy when it comes to consumer privacy enforcement. American privacy laws are more flexible than in Europe, and the FTC is understaffed and underfunded, with only enough resources to go after particularly egregious privacy violators or those who cast a long shadow in the market.
All that may be about to change. At a recent hearing of the Senate Committee on Commerce, Science, and Transportation, tech and legal professionals, academics, and legislators from both sides of the aisle demanded better consumer privacy protection from the FTC. And recently, the House passed a bill providing $500 million in funding for a new privacy bureau of the FTC. It’s only a matter of time before the US government starts to take privacy violations much more seriously. And when that happens, you don’t want your company to serve as an object lesson.
Here’s how the FTC is changing, why now is the time to get ahead of FTC consumer data privacy protections — and how you can do it.
Why it’s time to get ready for a tougher FTC
The FTC has already started enforcing privacy laws against big tech companies
For example, in 2019, the FTC imposed a $5 billion penalty on Facebook for deceiving users about the company’s privacy practices. This is by far the largest fine any regulator has ever imposed for a privacy compliance violation — more than 18 times larger than the previous record holder: a $275 million CFPB penalty against Equifax.
The FTC also imposed a sweeping privacy order on Facebook, completely overhauling the company’s privacy practices. And while the Facebook penalty is an outlier, the social giant isn’t alone; the FTC has taken action against other tech giants like Google, Microsoft, Twitter, and Uber over data privacy and security practices.
The FTC chair has said she’s going after privacy violators in tech
FTC Chair Lina Khan has explicitly said she plans to focus on how big tech companies are using data. Khan plans to tackle a wide range of invasive and anti-competitive data practices, including:
- Adtech data collection
- Technology that makes ads more intrusive
- COPPA enforcement in tech that targets kids
- Anticompetitive data practices
- Health data misuse
- Discriminatory algorithms
- Manipulation of users
Khan also plans to issue new rules to protect privacy rights, and place limits on how companies can collect and use user data.
If the Build Back Better Act is able to pass the Senate, Khan’s efforts will receive a major boost. The bill, which has already passed the House, will provide $500 million in funding to create a dedicated FTC privacy bureau. That would give the chair considerable resources she’ll need to focus on digital privacy enforcement.
There’s some bipartisan support for stronger privacy protection
Both the top Democrat (Maria Cantwell) and top Republican (Roger Wicker) on the Senate Commerce Committee strongly believe the FTC needs to step in and protect digital privacy.
But there appears to be much stronger support for additional FTC funding and rulemaking among Democrats than Republicans. This leaves a lot of uncertainty about how much the FTC will be able to expand its privacy protections and enforcement, and what that enforcement will look like.
Obstacles to khan’s vision
Chair Khan is dedicated to increasing enforcement and has supporters on both sides of the aisle. But opposition among Republicans has been growing.
The FTC has also faced a number of recent setbacks in the last several years, which have made it harder to enforce consumer protections. In the first half of Trump’s term, the number of enforcements with at least $5,000 in penalties dropped by 31%, decreasing from 58 in Obama’s final two years to 40 in Trump’s first two years.
On top of that, a recent Supreme Court ruling further eroded some of the FTC’s enforcement powers. The 2021 AMG Capital Management vs FTC decision invalidated a powerful tool the FTC uses to seek restitution for consumers victimized by illegal financial practices, making enforcement much more difficult.
While it’s likely the FTC will toughen enforcement, it’s unclear how far the Commission will be able to push Khan’s vision. The outcome depends primarily on three factors.
Resolving the deadlock
Currently, the FTC has two Democrats and two Republicans, creating an effective deadlock. The Biden administration has chosen Alvaro Bedoya, a liberal former Senate staffer to fill the final spot.
But it’s unclear how long Bedoya’s confirmation will take. Lina Khan’s confirmation took 99 days, and her predecessor took 190 days to confirm. In Bedoya’s confirmation hearing, Republicans have already taken him to task over his past tweets criticizing the GOP, Trump administration and ICE, suggesting that his confirmation may face stiff opposition. The Senate adjourns for the year on December 10th, and will be out of session for most of January, so if they don’t confirm Bedoya soon, it could add months to the deadlock.
Although some of Khan’s plans for consumer privacy protection may move forward without a Democratic majority, her privacy initiatives aren’t likely to make much progress in an evenly divided FTC.
Funding
Building a new privacy bureau won’t come cheap. The FTC budget request for 2022 asks for $389.8 million — a $38.8 million increase over 2021 — and the Build Back Better Act would provide another half a billion to create the privacy bureau. At this point, it’s uncertain what the final budget will look like, and whether the FTC will receive the funding increases it needs.
FTC rulemaking
Chair Khan plans to use the FTC’s rulemaking power to support her digital privacy priorities. Under Section 5 of the FTC Act, the FTC can generally only go after companies over privacy or data security practices if they constitute “unfair or deceptive acts or practices.” While the FTC can make rules, Congress limited the Commission’s rulemaking powers in 1975, making the process for promulgating regulations more complex and cumbersome than it is for most agencies.
Since then, the FTC has generally shied away from spelling out what constitutes “unfair and deceptive,” and simply let their enforcement actions speak for themselves, creating significant regulatory uncertainty for businesses.
But there’s growing recognition that this legacy approach isn’t working well. In fact, Khan has already started work to resurrect FTC rulemaking regarding what privacy lapses constitute an unfair or deceptive practice. In July, the Commission voted to update the FTC rulemaking process to limit delays and obstacles to new rules, helping to resolve some of the aforementioned uncertainty.
How successful this strategy is remains to be seen. The FTC’s new rules and enforcement actions are likely to face legal challenges, along with partisan pressure.
How to get ahead of FTC consumer privacy scrutiny
Reduce your data risks with TerraTrue’s automation.
Focus on what the FTC is most likely to do
While many members of the GOP oppose parts of Khan’s agenda, there are a few things everyone seems to agree on. Privacy protection, consumer data security, and COPPA enforcement enjoy strong bipartisan support. It seems a good bet that the FTC will get tougher on these issues, though how tough will depend on funding.
Businesses should get ready by prioritizing consumer protections. Work on securing your data, being transparent about your data practices, and eliminating practices that might be construed to manipulate users.
If your company serves children, you should also make sure you’re complying with COPPA. Post clear policies on how you collect and use childrens’ data, obtain parental consent, and give parents granular control over how their childrens’ data is used, including the ability to have that data deleted or kept from third parties.
Keep an eye on the FTC
A few things to look for:
- The outcome of budget deliberations: If the FTC receives a big funding bump to build their data privacy bureau, you can expect to see enforcements accelerate.
- Confirmation hearings: The sooner the Biden administration can add another Democrat to the FTC, the sooner Khan will have a more reliable majority.
- FTC rulemaking: The FTC recently made changes to its practices to mitigate the effects of the AMG Capital ruling. Expect the Commission to make new rules to protect privacy and penalize organizations that manipulate users, breach data, or violate consumer rights.
Consider how privacy policies can help your business
Strengthening your consumer privacy protection can be an incredible opportunity. Right now, most Americans feel disempowered by the way companies collect data, and want more privacy protections. A 2019 Pew Research study found:
- 81% of American adults “think the potential risks of data collection by companies about them outweigh the benefits.”
- 72% believe they receive very little or no benefit from companies collecting their data.
- 79% of adults assert they are concerned about how companies use their personal data.
Instead of doing the minimum for compliance, consider making an investment in privacy as a way to boost your business. By standing up for data privacy now, you can show leadership and let your customers know that you value them and respect their concerns. And that can make a real difference in PR, customer acquisition, and brand loyalty.
Become a privacy leader with TerraTrue
TerraTrue integrates data privacy and security into everything you do, without slowing you down. The platform fits seamlessly into your product workflow, highlighting data practices that pose risk, and guiding you through the review and approval processes. It also doubles as a single source of truth for your privacy and compliance practices, making it easy to show auditors and compliance organizations how seriously you take customer privacy.
Contact us or request a demo today to stop playing catch up and become a proactive privacy leader.