The Federal Trade Commission has staked out a more aggressive position as a consumer privacy regulator in the US. These remarks, delivered at a conference in September, clearly state that the FTC will use its authority to “ensure substantive protections” for US citizens, calling into question the long-term viability of the surveillance economy.
On September 21st, at the 2023 Consumer Data Industry Association Law & Industry Conference, U.S. Federal Trade Commission Bureau of Consumer Protection Director Samuel Levine delivered prepared remarks on consumer surveillance and the amount of information companies collect on American consumers, which “endangers our privacy, our financial welfare, and our liberty.”
He cited the FTC’s decision to allow industry to self-regulate on these privacy matters, resulting in a status quo which is “grounded entirely in the fiction of notice and choice.” As privacy professionals understand, consumers do not have the time or ability to make sense of complex privacy notices and policies, “nor do consumers have real choice when so much of our lives depends on participating in the digital economy.”
Many have observed this failure of “notice and choice,” but now the FTC is stating so directly and clearly—and taking action to better safeguard Americans’ data. In addition to the actions it has taken to enforce privacy regulations, the FTC has initiated rulemaking proceedings to address privacy, commercial surveillance, and lax data security issues.
A special target is the data aggregation industry, which profits off the constant stream of data fed to them through smartphones’ ability to track their movements, purchases, internet searches, and more. This data fuels a $240 billion a year industry in which data is collected, aggregated, built into profiles, and resold with consumers holding little to no control over their data. In Levine’s words, it puts sensitive data at risk, can limit citizens’ economic opportunities, and threatens our constitutional liberties.
His call to action for companies to use citizens’ data responsibly, including:
- Evaluating what data they collect, how they collect it, and its accuracy
- Protecting sensitive data and implementing “robust” data security
- Eliminating “dark patterns” and design techniques to trick consumers into consent
- Holding third parties to higher standards before sharing data
- Embracing transparency with consumers
- Complying with regulators
As the Director pointed out, companies can no longer rely on the fiction of notice and choice. These however are important elements in returning control of consumers’ data to them, and meaningful notice and choice are still important; that is to say, effective dashboards that allow individuals to not only make choices about what information they share, but really to operationalize increasing consumer rights over access, correction, and deletion. This also requires that notice not be written in a fashion that requires a law degree to interpret, but clearly and in plain language to allow understanding of what processing activities are being undertaken.
To the heart of the FTC actions to reduce unlawful commercial surveillance, one of the most important areas most companies can address is to actually understand the information they collect and use; often the left hand is collecting (and commercializing) data the right hand is unaware of, and likely has not been able to evaluate properly in risk assessments and ethical assessments.
Legislation will ultimately become a reality. If organizations operate internationally, particularly under GDPR, they are going to be held to a higher standard sooner or later. It is important to note that the proposed American Data Privacy and Protection Act (ADPPA) speaks in terms of making companies fiduciaries of personal information. To get ready for a new, more respectful world of privacy, organizations need to start with understanding their collection of personal, and most importantly, their sharing of data, particularly with aggregators, and make better, more thoughtful decisions as the stewards of consumers’ information.
Organizations must recognize that cookie banners and older forms of acquiring and managing consumer consent will no longer suffice, especially for complicated requirements like those put forth under COPPA. They must deploy enterprise consent management solutions. Find out what it takes to make sure you’re compliant in our recent infographic.
Download the PDF version of this Data Privacy Alert here.