In a series of recent statements and releases, Lina Khan, the Chair of the FTC, made clear the Commission’s intention to revamp its oversight of consumer data privacy and establish more substantive limits on commercial data collection and processing activities. This plan is motivated in part by the increased adoption of workplace surveillance technologies as well as the “growing recognition that the ‘notice-and-consent’ framework” traditionally used by U.S. businesses may not be sufficient to protect consumer and employee rights. Chairperson Khan hopes to obtain additional funding to help recruit the talent required to develop this new framework, which is designed to bring the FTC “in line with similar agencies internationally.” However, the FTC plans to update its approach to “keep pace with new learning and technological shifts” regardless of whether funding is ultimately obtained.
Although the details of the program have yet to be established, businesses should expect an increased focus on the collection of online data as well as the grounds that businesses rely on for collecting and processing personal information. Chairperson Khan stated that “a significant majority of Americans today feel that they have scant control over the data collected on them and believe the risks of data collection by commercial entities outweigh the benefits.” Further, “the current configuration of commercial data practices do not actually reveal how much users value privacy or security.” Reasons for this include “the fact that users often lack a real set of alternatives and cannot reasonably forego using technologies” and “the use of dark patterns and other conduct that seeks to manipulate user” decisions. As a result, Khan identified a “growing recognition that the ‘notice-and-consent’ framework has serious shortcomings” that may require dedicated legislation from Congress.
Similarly, businesses should expect the FTC to increase its focus on workplace surveillance, including the use of biometric information. Chairperson Khan emphasized that these tools may invade the privacy of employees and create new risks for discrimination.
The shift in tone from the FTC may be an early portent of a shift in the US’s approach to privacy. Moving forward, it is Khan’s intent for the FTC to establish “substantive limits rather than just procedural protections” and use the FTC’s rulemaking authority to establish a market-wide framework for data privacy and security. Although these statements do not create any new obligations, businesses should expect heightened scrutiny of their data management practices.