By Ginny Kozemczak
The Senate Commerce Committee recently held a series of hearings looking at the future of the Federal Trade Commission and the budget proposal to give the FTC $1 billion over 10 years to hire technologists and data scientists that are needed to address threats to consumers online.
Throughout the hearings, Senators and panelists acknowledged that, due to the rapid pace of evolving technology, the FTC has fallen short of its mission to protect consumers, especially when it comes to their activities on the Internet.
It is critical for Congress to include this $1 billion funding in the Build Back Better Act to ensure the FTC has the resources it needs to address the vast and complex nature of protecting consumers online. The FTC needs ample resources to enforce the law.
Our investigations have shown that technologists, attorneys, and policy specialists must work hand-in-hand to identify, investigate, and communicate the complex nature of privacy and security violations and how they harm consumers.
When Money Isn’t Enough
However, funding alone is not enough. Any additional funding must be complemented with greater statutory authority to enable the FTC to better protect against privacy and security violations.
The FTC currently brings cases concerning privacy and security under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices affecting commerce.” The FTC has defined deceptive practices as those that involve a material representation, omission or practice that is likely to mislead consumers, while unfair practices are those that “cause or are likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
But, as was pointed out in the recent hearings, this current authority is not enough in today’s complex digital ecosystem.
As former FTC Chief Technologist Ashkan Soltani pointed out in his testimony, “Many of the digital harms from the surveillance economy are monitored through the FTC’s enforcement of deceptive practices under Section 5 of the FTC Act. But this framework does not effectively protect consumers. For example, consumers often don’t directly interact with the hundreds of data brokers that surreptitiously collect their data as they move about their digital lives.”
This confirms an issue IDAC has seen time and again in its investigations, including evidence of software development kits (SDKs) which track users across platforms and even devices.
As such, the FTC can often only take action in those instances when a company has made a specific privacy- or security-related promise and then did not comply with that promise.
This is why it is so important for Congress to pass new federal privacy legislation that expands the FTC’s authority. Federal privacy legislation should set out (1) entities’ affirmative duties to engage in ethical practices, (2) entities’ obligations to refrain from harmful practices, and (3) the protection of individual digital rights — all of which would be enforced by the FTC’s new technology-focused bureau.
Beyond Congressional Action
Beyond action from Congress, the President and the FTC are also looking at ways to strengthen the agency independent of Congressional action.
Earlier this year, President Biden ordered the FTC to look at writing competition rules in a number of areas, including “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.”
Over the course of the next year, the Commerce Secretary, in consultation with the Attorney General and FTC Chair, will “conduct a study of the mobile application ecosystem” and submit recommendations including those that “maximiz[e] user benefit with respect to the ecosystem.” This Executive Order has created a significant opportunity to educate stakeholders about the pervasive surveillance of consumers online.
In addition, the FTC can utilize its notice-and-comment rulemaking authority to issue industry-wide regulations, or “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.” By giving clarity as to what “unfair or deceptive” exactly means in the commercial data privacy context, the FTC would then be able to enforce these clearer rules.
Earlier this year, the FTC created a new rulemaking group within the FTC’s Office of the General Counsel, and the Wall Street Journal reported that the Commission is specifically considering strengthening online privacy protections “in an effort to bypass legislative logjams in Congress.” However, these rules could take years to finalize and would ultimately fall under existing enforcement authority. We nevertheless encourage rulemaking based on a consumer privacy bill of rights in the absence of Congressional action.
While Executive Orders and proposed rulemaking could be helpful steps, they ultimately fail to give the FTC the resources and legal teeth it needs to deter bad actors.
Beyond FTC Enforcement
While it is crucial that the FTC be given adequate funding and enforcement authority, it is also important to acknowledge that the FTC alone cannot make the digital ecosystem fully trustworthy and accountable.
One of the major challenges is that the FTC predominantly focuses on addressing privacy harms after they have occurred, directing its efforts on those problems that have already crystallized and neatly fit under law enforcement’s scope. This overlooks the vast majority of issues online of lesser severity and leaves the door open to percolating privacy harms. Congress must see civil law enforcement as one tool in its toolbox to protect users. IDAC’s President, Quentin Palfrey, has written extensively about why law enforcement needs nimble, technically savvy partners such as nonprofit watchdogs for cases that do not fall under traditional law enforcement or regulatory structures and meet a critical gap in digital accountability.
The Senate Commerce Committee’s recent hearings were an important step in exploring the future role of the FTC in protecting consumers and in stressing the need for a federal privacy law. We applaud the Committee’s attention to this issue.
IDAC supports expanded funding for the FTC and under a federal privacy law, expanded statutory authority for its enforcement efforts. We hope that this expanded statutory authority will enable the FTC to enforce meaningful protections for digital rights.
Lastly, we believe that a stronger FTC can also work in conjunction with independent watchdogs like IDAC to ensure a safer, more accountable digital ecosystem.