FTC Commissioners Give Key Insights on Privacy Views
In remarks on Monday at the Brookings Institution, FTC Commissioners Rebecca Slaughter and Christine Wilson spoke extensively about the Commission’s privacy outlook and their personal views on the national privacy debate. While from different parties, they were largely in agreement on a number of key points – reflecting how the current Commission has continued to move towards more aggressive enforcement on privacy and data governance. The willingness of these Commissioners to be so direct on a wide range of topics helps point to where the Commission is headed on future enforcement, and in making recommendations to follow up on its Hearings on Competition and Consumer Protection in the 21st Century. Some key questions and answers are summarized here:
Should our privacy laws focus primarily on “notice and choice” – giving consumers the opportunity to understand how data is collected and used, typically through privacy policies? The Commissioners’ answers were basically no. Commissioner Slaughter said she was “really over” a notice and consent framework, arguing that neither the notice or choice was meaningful for consumers. Commissioner Wilson emphasized that her views have evolved over time, suggested that notice and choice has a limited role to play, and argued that clear and transparent rules about data use would benefit both business and consumers. The FTC has long brought cases under its deception authority – policing the “notice” portion of “notice and choice” by arguing that companies violated their privacy representations to consumers – but it seems the Commission is increasingly looking to examine a broader set of practices.
Will the FTC focus only on specific, demonstrable injuries that flow from privacy violations? Again, the answer appears to be no. In the context of private rights of actions, the need to show demonstrable injury is an issue that could soon reach the Supreme Court. In her remarks, Commissioner Wilson largely stuck to existing cases the FTC has brought, which have used an elevated risk of harm (including non-financial harm) to justify action. Commissioner Slaughter was clear that the Commission should not need to allege a specific concrete harm based on unwanted disclosure of private information – pointing for example to identity theft, where the use of stolen data for harm can be delayed and difficult to track down.
Are there other harms from data use the FTC should address? Possibly. Commissioner Slaughter identified targeted advertising based on collected information as a potential “harm” to be addressed in certain circumstances. And overall, she framed the “privacy” discussion as a broader one about what she termed “data abuses,” focusing on harmful uses of data. When asked about whether algorithmic biases should be concerning, Commissioner Wilson pointed to the Commission’s 2016 Big Data report, which outlines ways in which algorithmic biases could give rise under existing laws like the Fair Credit Reporting Act or Equal Credit Opportunity Act. Commissioner Slaughter went further, referring to certain kinds of bias from algorithmic decisionmaking as a “data abuse” that warranted action.
Should there be monetary penalties in privacy cases? The Commission now supports Congress granting civil penalties for first-time privacy violations. And the Commission supports closing the common carrier and non-profit exemptions, meaning that a greater swath of companies (for example, non-profit hospitals) would be subject to the FTC’s privacy enforcement.
As much of the FTC’s work and its deliberations are confidential, it can sometimes be difficult to tell what policy and enforcement actions are being considered. But these and other recent remarks by Commissioners point strongly toward a heightened emphasis on enforcement in the areas of privacy and companies’ data practices more generally.