FTC

FTC’s Khan Looks To Up Privacy Protection With New Regs

Federal Trade Commission (FTC) Chair Lina Khan said on Monday (April 11) that it is time for the agency to “reassess” rules around what data companies can collect from consumers. She called for a new approach to consumer data protection to replace the companies’ privacy policies on collection and use of consumer data.

In an event organized by the International Association of Privacy Protections, Khan said that the current notice and consent framework was “outdated and insufficient.” Khan suggested that the agency and Congress should act to ensure that consumers don’t have to give up their personal data to have access to online tools that are essential to everyday life.
Related: Lina Khan Looks To New Antitrust Laws For Gig Workers

“I believe we should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements, while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place,” she said.

Khan didn’t provide many details of how the new rules could look. She pushed for “market-wide rules” governing consumer data protection. These rules could provide guidance to businesses about how to keep people’s data private.

While the U.S. doesn’t have federal privacy laws, the FTC has been filling this gap with enforcement actions against companies that violate other laws.

The FTC has initiated proceedings against companies looking at both privacy and antitrust, and while this multidisciplinary approach can provide the agency with valuable information on data collection practices, it also has limitations on the scale and scope of the regulatory oversight across sectors.

“Even without a federal privacy or security law, the FTC has for decades served as de facto enforcer in this domain,” Khan said.

The FTC has broad enforcement authority under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The agency has brought 20 different cases related to privacy in the last two years. One of the latest was on March 15, when the FTC reached a $500,000 settlement with CafePress over allegations that the company had failed to secure consumers’ sensitive personal data and covered up a major breach.

The FTC has also shown that it can use all the tools in the enforcement toolbox to force companies to stop their practices. For instance, on March 3, the FTC ordered WW International and Kurbo to destroy all personal information collected from children under 13, as well as any algorithm derived from the data, and pay a $1.5 million penalty. This new remedy, to destroy the algorithm, was evidence of how far the regulator can go to protect consumers’ privacy.

Want more news? Subscribe to CPI’s free daily newsletter for more headlines and updates on antitrust developments around the world.