Members of the Senate Commerce, Science, and Transportation Committee at a September 29 hearing sketched out the latest chapter in a years-long debate about how to boost consumer data privacy protections – with the current options centering on a proposal from committee Chair Sen. Maria Cantwell, D-Wash., that would set up a new privacy bureau for that purpose at the Federal Trade Commission (FTC).
While the information age has ushered in products and services that have exposed and threatened privacy of consumer data, the Federal government in many ways has not modernized data privacy rules to keep up with that trend. For example, the FTC is already tasked with preventing consumer data abuses, but the agency lacks adequate resources and technological expertise to keep consumers from harm.
“The FTC does not have the tools to fend off data breaches, privacy attacks, internet scams, ransomware, and digital abuses that threaten consumers and our economy,” Sen. Cantwell said at the hearing. She is a prime backer of creating a privacy and data security bureau at the FTC, something she called for in legislation she introduced in 2019.
“The bill would have established a new privacy bureau at the FTC to serve as a consumer privacy watchdog,” Sen. Cantwell said.
The $3.5 trillion Build Back Better Act being considered by Congress includes a proposal to give $1 billion to the FTC over ten years to establish a new privacy bureau, and hire technologists and data scientists to run its operations, the senator said.
David Vladeck, former director of the FTC Bureau of Consumer Protection, testified at the hearing in support of further investments in the FTC’s capabilities, and said that “a new privacy bureau would be a game-changer.”
“Without more resources, especially more technologists and engineers, the FTC simply won’t be able to stem the growing tide of attacks on privacy and other digital harms,” Vladeck said. “The FTC is the only privacy cop on the beat. It’s time that Congress gave it the tools it needs to be in this fight.”
Ashkan Soltani, former chief technologist at the FTC, said he “has been sounding the alarm for years about the need to get the right resources like more technologists so the FTC can better protect consumers.”
Morgan Reed, president of the App Association, also testified at the hearing and said that Congress must enhance the FTC’s authority to police data privacy issues, including allowing the agency to issue fines for first-time violations and engage in focused rulemaking.
Sen. Cantwell also stressed the “growing urgency” for Federal privacy legislation to be passed by the current Congress, focusing on the need to ensure the FTC “is equipped with the authorities and resources to fight digital harms and hold bad actors accountable for increasing privacy violations.”
Sen. Roger Wicker, R-Miss., ranking member of the committee, agreed with his Democratic colleagues that the FTC needs more resources and authority to crack down on companies that mishandle consumers’ data. But the senator, along with other top Republicans on the committee, disputed a strategy pursued by Democratic members to tap into a seldom-used rulemaking authority to establish new privacy and data security rules, and bypass Congress in the process.
Wicker argued that the FTC’s use of authority under the Magnuson-Moss Warranty Act to create new regulations would be “a blatant overreach that would almost certainly invite legal challenges.”
“Congress, not the FTC, is responsible for developing a comprehensive national data privacy law,” Sen. Wicker said. “Only Congress can develop longstanding data protections for consumers that meaningfully safeguard their personal information. Anything short of congressional action would create significant regulatory uncertainty for businesses and confuse consumers about the scope and durability of their privacy rights.”
Maureen Ohlhausen, a former acting chair of the FTC, agreed with Sen. Wicker’s sentiments. She voiced concern that “a potential FTC privacy rulemaking may distract from focusing on achieving” the goals of a Federal privacy framework.
Ohlhausen added that several potential problems could arise, such as the FTC operating under limited authority, which would prevent the agency from giving consumers data access and correction rights as robust as Congress could achieve.
“An FTC rulemaking could produce a set of privacy requirements rather than a single nationwide framework. This would lead to even more consumer and business confusion and a fragmenting of consumer rights,” Ohlhausen said.
At the bottom line, all of the witnesses expressed agreement that the time is right for Congress to enact Federal privacy legislation that would set uniform rules for how companies use and share personal information. That has been a widely-stated sentiment for years across both sides of the aisle in Congress, but definitive action on that type of legislation has remained elusive.