The Federal Trade Commission (FTC) is seeking comment on potential rules that would penalize companies that suffer data breaches due to lax cybersecurity protocols and punish firms that engage in abusive commercial surveillance practices.

The agency’s advance notice of proposed rulemaking, issued Thursday, explained new rules might be necessary “because recent commission actions, news reporting, and public research suggest that harmful commercial surveillance and lax data security practices may be prevalent and increasingly unavoidable.”

“These developments suggest that trade regulation rules reflecting these current realities may be needed to ensure Americans are protected from unfair or deceptive acts or practices,” the FTC said. “New rules could also foster a greater sense of predictability for companies and consumers and minimize the uncertainty that case-by-case enforcement may engender.”

The vote to seek public feedback passed 3-2, with FTC Chair Lina Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya voting yes and Commissioners Noah Joshua Phillips and Christine Wilson voting no. The comment period will last 60 days from when the advance notice is published in the Federal Register.

The FTC will ask whether companies should face a penalty for a first offense, which would be a shift from the agency's previous enforcement practice.

“[R]ules that establish clear privacy and data security requirements across the board and provide the commission the authority to seek financial penalties for first-time violations could incentivize all companies to invest more consistently in compliant practices,” the agency said in a press release.

The FTC said the biggest harm comes from companies that collect personal data from their customers, which can include user geolocation or facial recognition images, date of birth, Social Security number, and buying patterns, and leave it vulnerable to theft by hackers.

Other concerns include surveillance-based services that “may be addictive to children”; algorithms used to analyze data that are “prone to errors, bias, and inaccuracy” that can lead to discrimination; companies that make it difficult for consumers to sign up for a service without sharing personal data; and companies that “increasingly employ dark patterns or marketing to influence or coerce consumers into sharing personal information.”

In a dissenting opinion, Wilson accused the FTC majority of regulatory overreach with the advance notice. She noted, “Recent Supreme Court decisions indicate FTC rulemaking overreach likely will not fare well when subjected to judicial review.” Both Wilson and Phillips said regulation of data privacy should be left to Congress, not the FTC.

Congress is currently considering a federal data privacy law in the American Data Privacy and Protection Act, which is set to be voted on by the full House after clearing committee.

Also Thursday, the Consumer Financial Protection Bureau (CFPB) issued guidance to financial institutions on how to shore up their cyber defenses. The CFPB asserted companies that fail to protect personal financial data might be in violation of federal consumer protection law.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra in a press release. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”

Chopra and Gary Gensler, chair of the Securities and Exchange Commission (SEC), could face blowback from Congress should Republicans take over the House after the midterm elections later this year. Republicans on the House Financial Services Committee are planning probes into whether the CFPB and SEC have overstepped their authority with recent rulemaking, according to a report from Reuters. The FTC under Khan could become another target of such inquiries.