Despite years of tech companies tracking users, gathering data on their online activities and selling it for profit, few government entities have done anything tangible to halt the hoarding of people’s online information. But it looks like the Federal Trade Commission is putting on its bright orange vest, thinking it could become the lone crossing guard on the 80 MPH highway that is big tech’s data gathering operations.
In a Thursday release, the FTC said it was creating an “advance notice of proposed rulemaking” to explore whether it will crack down on companies’ data gathering practices. This would include gathering comments from stakeholders like the big tech companies and trade groups, but also digital privacy experts and former regulators.
The agency referred to data brokering as “commercial surveillance,” which includes data collecting and the sale of people’s personal information. The FTC also mentioned it would be analyzing companies’ data security, noting that such mass collection of user data has made hacks and data breaches that much worse.
The agency said it will host an online public forum September 8 from 2 p.m. to 7:30 p.m. ET to build “a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”
In a Thursday press conference, Democratic FTC commissioners told reporters they weren’t looking to supplant or replace congressional legislation, but Commissioner Rebecca Slaughter said the legislative process is “full of uncertainties.”
Still, even new agency regulations may not be nearly enough to stop all companies’ use of user data, and the FTC admitted they are limited by their inability to seek financial penalties for initial violations thanks to a 2021 Supreme Court ruling. Commissioners told reporters that this latest move is to explore whether the agency needs a new policy under its consumer protection directive that would subject companies to civil penalties if they violate any new rules. Sam Levine, the FTC director of consumer protection, said that in order to making a new ruling, they need to demonstrate there is deceptive or unfair trade happening in the marketplace.
“Rulemaking can move us away from case-by-case enforcement,” FTC Chair Lina Khan told reporters, further saying they want to “nip harms in the bud.”
Khan is an out and out critic of big tech. Before being appointed by President Joe Biden in 2021, she first came to prominence thanks to papers she wrote about the need to constrain the likes of Amazon. She has been a big advocate against big tech buyouts, however she’s struggled to get the momentum going to actually curb the industry’s many multi-million dollar mergers. The agency claimed it has already used its authority to bring hundreds of enforcement actions against companies for data use violations.
“The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent,” Khan said in the release.
The agency also said it was concerned about the way companies essentially make it impossible for users to avoid handing over their data. Regulators are also considering ways to make companies’ data collecting practices much more transparent since these often-inaccurate algorithms can cause real harm to people, depending on who gets their hands on it.
And personal data is also a stated priority for Biden as well. He said during his last state of the union address that “It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.”
Though it’s only the agency’s first step toward honest-to-God regulation, this announcement puts it in contention with congressional legislation. After five years of negotiations and countless bills that went nowhere, the House Committee on Energy and Commerce advanced comprehensive privacy legislation last month. The American Data Privacy and Protection Act focused heavily on minimizing the amount of data companies are allowed to collect and carefully navigates two areas of contention that have long negated the possibility of a bipartisan bill: state preemption and private right of action.
While the ADPPA does preempt state privacy laws, a necessity for most pro-business Republicans, it adopts a “covered” scheme which would allow states to pass laws on topics not specifically addressed in the bill. It also includes a range of exemptions that would apply to any medical, banking, or surveillance related laws, among others. Most importantly for Khan’s latest proposal, however, the ADPPA would also create its own Bureau of Privacy under the direction of the FTC.
Privacy advocates say the lack of punitive damages is one of the weakest points in the bill, while acknowledging that the Supreme Court has effectively kneecapped the ability to sue over privacy violations anyway. Two recent rulings around the tort doctrine of standing (what you need to get a federal court to even hear a case) have limited civil action to claimants capable of alleging an “injury in fact,” which is to say, harms that are “actual” and “concrete” and not merely “hypothetical.”
In other words, your information may be stolen or exposed, but unless someone actually uses it to rob you or totally demolish your reputation, you’re shit out of luck.
Tech companies both big and small gather data on their users, sometimes without their explicit knowledge or permission. And as proved by the Cambridge Analytica scandal, it’s hard to determine who is accessing this info, and for what purposes. That data gets sold around the web, mostly for the purposes of direct advertising. At the same time, that data can be handed over to law enforcement. This week, Meta has come under a new blistering wave of critique for handing over data of a young woman accused of performing an alleged illegal abortion.
The agency’s announcement comes on the heels of the FTC saying they are investigating the crypto exchange BitMart over a 2021 hack that stole $150 million off the platform. It’s the first time the FTC has decided to get involved with crypto.