FTC Commissioners Rebecca Kelly Slaughter and Christine S. Wilson recently sat down with Cameron Kerry at the Brookings Institution to discuss the FTC’s role in privacy. Although the Commissioners did not agree on everything, both identified the FTC as the best agency to enforce privacy wrongs. The Commissioners also shared their views on issues such as notice and consent, data ownership, privacy harms, and FTC authority.
Both Commissioners agreed that “notice and consent” is an ineffective model. Instead, Commissioner Slaughter suggested focusing on consumer expectations as to how companies will use their data. Commissioner Wilson agreed, but suggested that any new model provide predictability and certainty for businesses in light of laws such as the CCPA and GDPR. Neither Commissioner thought the data ownership model was a proper alternative to “notice and consent,” and Commissioner Slaughter further noted that paying consumers for their data may actually exacerbate data use issues.
The Commissioners also discussed what harms the agency looks for in bringing privacy cases, and what harms any privacy legislation should address. Commissioner Wilson pointed to the FTC’s past enforcement actions, including a recent settlement against app developers who created apps to surreptitiously stalk individuals’ phones. Commissioner Slaughter suggested broadening the legislature’s and agency’s definition of privacy harms to consider new issues, such as data use and targeting that lead to child suicide and self-harm. She noted that harms should not need to be quantifiable to be cognizable.
In terms of how the FTC should use its enforcement authority, the Commissioners agreed that the agency should consider competition in privacy enforcement actions, but they disagreed as to how far to push the limits of the FTC’s authority. For Commissioner Slaughter, the important question is, “What are consumers’ reasonable expectations?” In the Facebook case, for example, Commissioner Slaughter wanted to pursue litigation to push for more transparency and limits on the company’s data collection and use. She noted that litigation is a good tool with which to identify the limits on the agency’s authority. Commissioner Wilson, on the other hand, was concerned about attempting to legislate through a settlement, and viewed the consumer relief in the case as “real and meaningful,” as evidenced by the company having already made changes to its practices as a result of the settlement.
Both Commissioners Slaughter and Wilson agreed that the FTC needs rulemaking and civil penalty authority in the first instance of an enforcement action, although Commissioner Wilson clarified that she thinks rulemaking authority should be limited, similar to COPPA. Both Commissioners also agreed that the FTC needs more resources for enforcement.
The FTC Commissioners also expressed a variety of views on what privacy legislation should look like, but noted that creating the law is ultimately up to Congress. Whether the legislature will pass privacy legislation remains to be seen. In the meantime, businesses will need to stay vigilant monitoring FTC privacy enforcement trends and business guidance, as well as the enactment of new state privacy laws and related state enforcement, private litigation, and relevant industry self-regulatory frameworks, such as the recently proposed IAB CCPA Framework.