FTC, the De Facto Privacy Regulator.

The Federal Trade Commission “has settled or litigated more than 60 law enforcement actions against businesses that allegedly failed to take reasonable precautions to protect consumers’ data,” said FTC Bureau of Consumer Protection Director Andrew Smith in testimony before a Senate Homeland Security and Government Affairs Subcommittee.

Cases have been brought against manufacturers of consumer products such as smartphones, computers, routers, and connected toys, as well as against companies that collect consumers’ sensitive personal information.

Other points discussed:

  • The FTC brings cases under provisions of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act.
  • It has used its authority under Section 5 of the FTC Act to stop companies that allegedly engage in unreasonable data security practices, or that make misleading statements or omissions about their data security.
  • The FTC supports new data protection legislation that would give it the ability to seek civil penalties, for effective deterrence, and jurisdiction over nonprofits and common carriers.

Details from the FTC.

Competition considerations in how big tech companies handle personal data – the U.S. version.

Bloomberg Law reports that, following a number of actions by European Union competition authorities, U.S. antitrust regulators plan to ramp up their scrutiny of tech companies’ data practices, acknowledging rising concern that control of consumer information can increase a company’s market power.

“The Federal Trade Commission’s new task force that will monitor tech industry competition… plans to incorporate data collection and privacy as main variables in its oversight of companies,” said Bruce Hoffman, the head of the agency’s competition bureau.

Changes to the Safeguards Rule and the Privacy Rule applicable to financial institutions under the Gramm-Leach-Bliley Act are in the works.

The FTC is proposing changes to the Safeguards Rule that would add more detailed requirements for what must be included in the comprehensive information security program the Rule mandates. These would include:

  • encrypting all customer data
  • implementing access controls to prevent unauthorized users from accessing customer information
  • requiring multi-factor authentication for access to customer data
  • submitting periodic reports to the board of directors to ensure compliance

The FTC is also proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” businesses that charge a fee to connect consumers looking for a loan with a lender.

Details from the FTC.

“It is important that organizations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations,” says Adam Stevens, Head of Intelligence at the UK Information Commissioner’s Office (ICO).

In a sweep conducted by the ICO as part of the Global Privacy Enforcement Network’s (GPEN) annual intelligence-gathering operation, 356 companies in 18 countries were contacted.

Findings include:

  • 25 percent of companies had no program in place to conduct self-assessments or internal audits.
  • More than 50 percent of companies indicated that they have documented incident response procedures and maintain up-to-date records of all data security incidents and breaches. However, some indicated that they have no process in place to respond appropriately in the event of a data security incident.
  • Nearly 75 percent of companies had appointed an individual or team to ensure compliance with relevant data protection rules and regulations.

Details from the ICO.

The Federal Trade Commission should be the primary enforcer of a federal privacy law, and would need a larger budget to do so. That was one point of apparent consensus at the Senate Committee on Commerce, Science, and Transportation hearing held on February 27, 2019 on a U.S. federal privacy law.

Additional points discussed included:

  • The role of state attorneys general in enforcement
  • Whether the FTC should be able to fine a company for a first offense
  • Whether consumers should have a right to deletion, and whether the collection of sensitive data should require consumers to opt in
  • Whether the U.S. should look to the EU’s General Data Protection Regulation as a model, or perhaps to the California Consumer Privacy Act
  • How heavily consumer choice should factor into a federal law

Details from the International Association of Privacy Professionals.

To U.S. Federal Privacy Law or To Not U.S. Federal Privacy Law, that is the question.

At a House Committee on Energy and Commerce hearing on February 26, industry professionals and advocates made their pitches for what a federal privacy bill should contain. The discussion revolved around how prescriptive a federal law should be and its potential impact on small businesses and vulnerable populations.

Two points discussed:

  • A law as prescriptive as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) is expensive to comply with and may lead to a barrage of litigation. This may adversely affect small and medium businesses, some of which may end up closing shop.
  • Individuals should be given rights to access and correct the data companies collect and store about them online. Often, those harmed by inaccurate records (errors in credit scores, debts owed, criminal records, etc.) are minorities or low-income individuals who may be unable to fight for their rights.

Details from the International Association of Privacy Professionals.

The U.S. Government Accountability Office recommends that Congress consider comprehensive federal internet privacy legislation.

Issues that Congress should consider include:

  1. Which agency or agencies should oversee Internet privacy.
  2. What authorities that agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and the authority to impose civil penalties for first-time violations.
  3. How to balance consumers’ need for Internet privacy against industry’s ability to provide services and innovate.

Details in the GAO report.

Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?

As states begin legislative proceedings and as proposals for a federal privacy law take shape, the following principles are ones most agree should be included in a U.S. privacy law:

  • Banning some practices, including using data to discriminate against users.
  • Giving people the right to sue over misuse of their data.
  • Giving people ownership rights in their data, including the right to delete it, correct it or take it back.
  • Requiring companies to be more transparent about how they use data and to collect consumers’ consent, with some exceptions.

A point of contention is whether a federal privacy law should completely preempt (override) state privacy laws, or whether state laws that are stricter than the federal law should remain in force.

Details from the San Francisco Chronicle.

New Jersey follows in California’s footsteps with legislative initiatives on privacy.

The main proposed law (bill A-4902) would require commercial websites and online service operators to give customers:

  • a description of the personal information collected
  • a way to prevent the disclosure of personal information to third parties
  • a description of the information
  • an email address or phone number for requesting information
  • upon request from an individual, information on all disclosures of that individual’s data within the past year
  • a “Do Not Sell My Personal Information” link to a page that would allow customers to opt out of the disclosure of their personal data

Here’s what the chairman of the state’s Assembly Science, Innovation and Technology Committee has to say about the legislation:

“Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents,” said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda. Additional bills cover GPS data, student data and cybersecurity.

Details from NJ Spotlight.

Data privacy bills are pending in at least eight states, reports Sara Merken at Bloomberg Law.

State lawmakers are aiming to give residents more control over their personal data. Some of the bills largely follow the lead of California, whose Consumer Privacy Act takes effect Jan. 1, 2020. Others are more narrowly focused on specific business practices.

Some highlights:

  • In North Dakota, a bill would require companies to provide consumers, upon request, with information about the types of personal information the companies collect and possess.
  • In New York, one bill addresses biometric privacy and another would govern businesses’ collection and disclosure of personal information.
  • In Utah, a bill would require law enforcement to obtain a warrant from a judge before accessing electronic information.
  • In Washington state, a bill would allow consumers to ask companies for a copy of their personal data and to have inaccurate data deleted or corrected, and would also regulate facial recognition technology.

Details in Bloomberg Law.