FTC data requests could pave way to federal privacy law, experts say

The nine companies receiving Monday’s request—Amazon.com, ByteDance (which owns TikTok), Discord, Facebook, Reddit, Snap, Twitter, WhatsApp, and YouTube—have been given 45 days to comply.

The business models of these nine digital companies have shifted over time “from supporting users’ activities to monetizing them,” wrote FTC Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine Wilson in a statement supporting the requests.

“I think this inquiry is long overdue. And I doubt it will be the last one.”

Mary Hildebrand, Partner, Lowenstein Sandler

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices. This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing,” the statement said. But what the nine companies do with the data they collect, the commissioners said, “remains dangerously opaque.”

The lone FTC commissioner who voted no, Noah Joshua Phillips, criticized the request in his dissenting statement as “an undisciplined foray into a wide variety of topics, some only tangentially related to the stated focus of this investigation.”

The requests cover too many topics and target companies that are too dissimilar, he said. Once the companies each separately negotiate the terms of what they must disclose, the FTC will be unable to make apples-to-apples comparisons of the business practices and policies of the companies under scrutiny, he said.

“We will be able to say we are asking about privacy, or business plans, or content curation, etc.; but the public may not learn much,” he said.

Experts said the request may be an attempt to provide evidence and rationale for a national data privacy law that would reach far beyond these nine companies.

“I think this inquiry is long overdue,” said Mary Hildebrand, partner at the firm Lowenstein Sandler and chair of its privacy and cyber-security practice. “And I doubt it will be the last one. I’m hoping the information they collect might inform a national data privacy law.”

Ari Lightman, professor of digital media and marketing at Carnegie Mellon University in Pittsburgh, agreed.

“I think we’re seeing a push towards comprehensive privacy legislation,” he said. American lawmakers, he said, are increasingly wanting to know what personal data companies are collecting on their customers and how they use it, with an eye toward preventing the misuse of that personal data.

Hildebrand said the ripple effects of the request may spread beyond the nine digital companies named.

“If you’re a company that deals directly with the named organizations, or companies that may share data with these companies, you should take note,” she said.

With its General Data Protection Regulation (GDPR), the European Union is far ahead of the United States in terms of requiring companies be more transparent in how they use the data they collect. California was the first state to pass a data privacy law, the California Consumer Privacy Act (CCPA), that penalizes businesses for misusing consumer data and provides consumers with data protection rights, including the right to sue if a company lost their data in a breach. California voters last month passed a strengthened CCPA, called the California Privacy Rights Act (CPRA), which takes effect in January 2023.

Some regulated industries already have laws that govern some areas of data privacy, like the Gramm-Leach-Bliley Act for banks and other financial institutions and the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry. But U.S.-based digital companies are essentially unregulated in terms of what they do with the data they collect, subject only to the varying laws enforced by individual state attorneys general. Another law, the Children’s Online Privacy Protection Act (COPPA), places limits on the use of data collected on children.

At least two dozen data privacy bills have been floated in Congress over the past several years, but none have seemed to gain much traction or support. Dozens more data privacy bills were considered in state legislatures in 2020, but no significant bills were approved.

Brent Martindale, associate counsel and director of research and operations at integrated information management vendor Access, said the FTC’s request should at least encourage companies of all industries to re-examine their data privacy policies.

“My advice is that companies should make sure their privacy policies do disclose what data they collect and what they do with it,” he said.

Another takeaway for companies is to reassess whether all the data being collected is necessary, Lightman said.

“In some cases, these companies really don’t need all this data, but they collect it because they think it will give them some competitive advantage in the future,” he said. Companies should be weighing the collection of personal information from their customers with the risk associated with storing it safely, he said.