By Jedidiah Bracy, CIPP/US, CIPP/E
On Capitol Hill on December 3, all four FTC commissioners testified before a House Energy and Commerce subcommittee—their first-ever joint appearance in Congress—to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on the FTC’s current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed.
The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus the next day during the IAPP Practical Privacy Series in Washington, DC.
Rep. Marsha Blackburn (R-TN), a member of the House Energy and Commerce subcommittee, kicked off Wednesday’s program by sharing her take on the government’s role in the data-driven economy. To highlight the economic impact of the digital market, Blackburn noted that, on Cyber Monday, Amazon sold 300 items per second.
“We’re living in a Golden Information Age,” she said, but warned that such economic opportunity will only last if the right policy decisions are made and that a “light-touch,” multi-stakeholder approach is needed.
She also discussed her work with a bipartisan privacy working group in the House Energy and Commerce Committee, something she co-chairs with Rep. Peter Welch (D-VT).
Specifically with the FTC, she said Section 5 of the FTC Act—which gives the FTC authority to bring cases against companies for “unfair or deceptive” business practices—“has served us well.” She also said, “We need a better inventory of what tools regulators need that they don’t already have,” and before new legislation is enacted, “we should have a proper accounting of what harms need to be addressed in today’s marketplace that can’t be dealt with using existing statute.”
Blackburn also said her privacy working group plans to look into the FTC’s role regarding data security—a contentious issue in recent cases against Wyndham Hotels and LabMD. Of the agency, she said, “They are positioned well,” adding, “We have to continue to appreciate the fact they are the agency-of-first-resort for these issues.”
FTC Bureau of Consumer Protection Director Jessica Rich also addressed concerns about the agency’s authority in data security cases. “The standard here is reasonable security,” she said, “and we only bring cases where we allege that companies fall below that line.”
More broadly, Rich applauded the work of the FTC over the past year, summarizing its actions in data security and consumer privacy cases as well as its work internationally, specifically, in developing cross-border rules with APEC. “Global frameworks like these are what businesses need,” she said.
And 2014 is sure to be another big year for the agency.
“We have no intention of slowing down,” Rich warned.
In line with an FTC release about its 2014 priorities, Rich outlined three major areas of focus for the agency: Big Data, mobile technology—including connected devices in the Internet of Things ecosystem—and protecting sensitive information.
With Big Data, the FTC will continue to look into the work of data brokers—a topic of conversation throughout the day—and the lack of transparency for consumers.
“Even when data brokers provide access, many consumers don’t know that right exists or know how to use it,” said Rich. “Ad networks, ISPs and social networks are all on the radar, too.” And she said to expect an FTC report on last year’s roundtable on comprehensive data collection in the coming months.
The rapidly developing mobile market and emergence of the Internet of Things have created novel privacy issues, said Rich. In all her years in the consumer privacy sphere, “I didn’t think the issues have been novel until the Internet of Things because of the difficulty of providing notice and choice” and the fact that many players in the ecosystem have not been in the privacy space. She also said to expect a report on last month’s Internet of Things roundtable—one that may include a recommended set of best practices for privacy and security in this area.
“Privacy legislation seems like a very far off goal, but data security does not,” she said. “I urge everyone to think whether 2014 will get data security legislation.”
Rep. Blackburn, who earlier this year introduced the Secure IT Act, didn’t dismiss the idea of considering data security legislation, either—particularly grappling with the 48 separate state-level breach notification laws. “The patchwork quilt is something we do hear about,” she said.