The Federal Trade Commission wants to establish rules for business data collection and use, which has some experts on edge.
The FTC announced its intent to explore new rules cracking down on lax data security and commercial surveillance, which the agency defined as the "business of collecting, analyzing and profiting from information about people." The FTC claims this mass surveillance heightens the risk of data breaches and other data abuses. The commission voted last year to streamline its rulemaking ability, and is seeking public comment on whether such new rules are needed.
However, experts like Ashley Johnson, senior policy analyst at the Information Technology and Innovation Foundation, say the FTC isn't the right entity to make such rules. Instead, Johnson said a federal data privacy law passed by Congress would address much of the concerns about data privacy and provide businesses with more stable regulatory guidelines.
The main concern to businesses regarding the potential for FTC rulemaking on privacy is that the "FTC rules are typically more changeable than a law passed by Congress," she said.
But FTC Chair Lina Khan sees a need for agency action.
"Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts," Khan said in a statement last week. "The growing digitization of our economy -- coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how that data is used -- means that potentially unlawful practices may be prevalent."
Concerns about the FTC's proposed rulemaking
If Congress passed a federal data privacy law, Johnson said businesses could expect that it would remain relatively unchanged for a few decades, allowing businesses time to understand legal expectations.
FTC rules are more easily changed as new leadership enters the agency, leading to a potentially more complex regulatory structure for businesses, Johnson said.
Ashley JohnsonSenior policy analyst, ITIF
"Every time the rules change, businesses would potentially have to completely overhaul their compliance efforts, and that would be very expensive and very complicated," she said.
The FTC's rule-making process involves multiple steps, including seeking public input on whether the FTC should even consider the proposed rules, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals. Zweifel-Keegan spoke during a LinkedIn live event hosted by the IAPP Monday.
Due to this lengthy process, the FTC is a long way from actual rules, said Jessica Rich, former director of the FTC's Bureau of Consumer Protection. Rich, an attorney at Kelley Drye & Warren LLP, spoke during the IAPP event.
Rich said the FTC rules proposal "doesn't look serious" and called the lack of focus "striking."
The FTC's rule-making proposal arrived just after the U.S. House Committee on Energy and Commerce passed the American Data Privacy and Protection Act (ADPPA), bipartisan federal data privacy legislation that would address concerns such as businesses' use and storage of personal data.
"I hope it won't derail the ADPPA, which is the most promising piece of legislation we've seen in a long time," Rich said. "But it could -- it's a worry."
Indeed, Maureen Ohlhausen, former FTC commissioner and acting chairman who also spoke during the IAPP event, said the ADPPA sponsors didn't react enthusiastically to the FTC stepping in. She noted that the agency's effort "clouds the field quite a bit."
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.