[BreachExchange] The Long Path to Protecting Consumer Data: FTC Rules Explained

Inga Goddijn inga at riskbasedsecurity.com
Mon May 24 10:08:29 EDT 2021


https://news.bloomberglaw.com/privacy-and-data-security/the-long-path-to-protecting-consumer-data-ftc-rules-explained

The Federal Trade Commission follows a longer, more complex rulemaking
process than other federal agencies, constraining its ability to hold tech
companies responsible for securing and protecting consumer data.

But with more breaches exposing consumer data, and no federal privacy law,
some commissioners are showing a willingness
<https://news.bloomberglaw.com/privacy-and-data-security/ftc-signals-willingness-to-write-privacy-rules-without-congress>
to use this approach—which could take years—to write new national data
protection rules.

Companies such as video-conferencing platform Zoom Video Communications
Inc. and period-tracking app Flo Health Inc. have come under FTC scrutiny
for misleading consumers about how secure or private their data is kept.
Others, including Twitter Inc. and Facebook Inc., could face
<https://news.bloomberglaw.com/tech-and-telecom-law/twitter-hack-may-bring-fine-for-possible-ftc-accord-violation-1>
fines after accounts were hacked and user data was leaked
<https://news.bloomberglaw.com/privacy-and-data-security/facebook-data-dump-likely-to-bring-regulatory-scrutiny-lawsuits>.

1. How does the FTC write rules?

The commission must follow what’s known as a Magnuson-Moss process for
writing rules on data protection, unless Congress specifies otherwise. This
elaborate process was created by Congress in the 1975 Magnuson-Moss
Warranty-Federal Trade Commission Improvement Act, and made more complex in
1980 revisions. It came in response to criticism that the FTC had
overreached its authority by trying to restrict television ads promoting
sugary foods to children.

Instead of proposing a rule and giving interest groups and the public a
chance to weigh in—the standard procedure—Magnuson-Moss requires the FTC to
give Congress a heads up before a rulemaking, hold a hearing with experts
who speak to each side of an issue, and keep more detailed records of
meetings with outside groups.

Not all of the FTC’s work is subject to Magnuson-Moss. Some laws, such as
the Children’s Online Privacy Protection Act, grant the commission
authority to follow regular rulemaking steps. Armed with such examples, the
FTC has called
<https://www.ftc.gov/system/files/documents/reports/reports-response-senate-appropriations-committee-report-116-111-ftcs-use-its-authorities-resources/p065404reportprivacydatasecurity.pdf>
on Congress to also let it write data protection rules using a process with
fewer hurdles that would let it keep pace with changes in technology.


2. What has been the result?

Rules written under the more complicated process take longer to complete.
Before Magnuson-Moss, the FTC issued trade regulations in about three
years, on average, according to a 2015 academic paper
<https://www.gwlr.org/wp-content/uploads/2016/01/83-Geo-Wash-L-Rev-1979.pdf>.
After the procedures were established, it took six years, on average, to
issue a rule, the paper found.

Because the process is slow and cumbersome, the FTC has used it only seven
times, the paper found. That includes the 1978 Eyeglass Rule
<https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/eyeglass-rule>,
the first Magnuson-Moss rule, which gave consumers the right to a free copy
of their eyeglasses prescription after an eye exam.

No new rulemakings have been initiated under the process since 1980, though
the agency has finished work on rules that were already in progress and
amended others.

3. How does the FTC oversee data protection now?

The commission has been using its authority under Section 5 of the FTC Act
to protect consumers from unfair or deceptive business practices that
involve their data, chiefly through settlements with companies that, over
time, help set precedents for what constitutes sound data protection.

That approach has amounted to dozens of cases
<https://www.ftc.gov/enforcement/cases-proceedings/terms/245> involving
privacy and security enforcement over the past two decades.

In one prominent case, Equifax Inc., the consumer credit-rating company, agreed
<https://news.bloomberglaw.com/privacy-and-data-security/equifax-agrees-to-pay-700-million-to-settle-u-s-breach-probe>
to pay up to $700 million and improve its data security to resolve
investigations into a 2017 hack that compromised information on more than
140 million people.

Facebook, meanwhile, reached
<https://news.bloomberglaw.com/privacy-and-data-security/facebook-to-pay-record-5-billion-to-settle-ftc-privacy-claims>
a record $5 billion settlement with the FTC in 2019 after a data privacy
scandal involving political consultancy Cambridge Analytica. That
settlement also gave the social media giant’s board of directors greater
responsibility for protecting user data.


4. What’s wrong with the current approach?

Although the FTC could continue with case-by-case enforcement while
Congress considers giving the agency more authority for data protection
rulemaking, critics say its settlements lack teeth as the agency can’t
generally fine a company for a first misstep.

The FTC can only issue fines for violating an existing agreement with the
agency, as in Facebook’s case, or for issues such as children’s privacy,
where a law has given the agency penalty authority. FTC fines are further
limited by a U.S. Supreme Court ruling that slashed
<https://news.bloomberglaw.com/us-law-week/supreme-court-slashes-ftc-power-to-seek-monetary-awards>
the commission’s authority to seek monetary awards in court.

The FTC has also faced pushback for laying out what detractors say are
vague steps for improving a company’s data security or privacy practices.

One settlement involving LabMD Inc. was thrown out by a federal appeals
court that deemed it unenforceable for mandating a data security overhaul
without explaining what that would involve. In the wake of that ruling, the
agency began directing companies to implement specific
<https://news.bloomberglaw.com/privacy-and-data-security/ftc-takes-tougher-data-security-stance-after-labmd-fight>
data security practices.

5. Would a new rule really protect consumer data?

A new FTC data protection rule, especially one written with industry input,
could ultimately better protect consumers by clearly laying out what’s
expected from data handlers, arguably easing their path to compliance.

New regulatory boundaries could also shift the burden for data protection
away from the courts if a stronger, more transparent FTC standard means
fewer class action lawsuits filed on behalf of consumers whose data has
been compromised.