The Federal Trade Commission follows a longer, more complex rulemaking process than other federal agencies, constraining its ability to hold tech companies responsible for securing and protecting consumer data.
But with more breaches exposing consumer data, and no federal privacy law, some commissioners are showing a willingness to use this approach—which could take years—to write new national data protection rules.
Companies such as video-conferencing platform Zoom Video Communications Inc. and period-tracking app Flo Health Inc. have come under FTC scrutiny for misleading consumers about how secure or private their data is kept. Others, including
1. How does the FTC write rules?
The commission must follow what’s known as a Magnuson-Moss process for writing rules on data protection, unless Congress specifies otherwise. This elaborate process was created by Congress in the 1975 Magnuson-Moss Warranty-Federal Trade Commission Improvement Act, and made more complex in 1980 revisions. It came in response to criticism that the FTC had overreached its authority by trying to restrict television ads promoting sugary foods to children.
Instead of proposing a rule and giving interest groups and the public a chance to weigh in—the standard procedure—Magnuson-Moss requires the FTC to give Congress a heads up before a rulemaking, hold a hearing with experts who speak to each side of an issue, and keep more detailed records of meetings with outside groups.
Not all of the FTC’s work is subject to Magnuson-Moss. Some laws, such as the Children’s Online Privacy Protection Act, grant the commission authority to follow regular rulemaking steps. Armed with such examples, the FTC has called on Congress to also let it write data protection rules using a process with fewer hurdles that would let it keep pace with changes in technology.
2. What has been the result?
Rules written under the more complicated process take longer to complete. Before Magnuson-Moss, the FTC issued trade regulations in about three years, on average, according to a 2015 academic paper. After the procedures were established, it took six years, on average, to issue a rule, the paper found.
Because the process is slow and cumbersome, the FTC has used it only seven times, the paper found. That includes to give consumers the right to a free copy of their eyeglasses prescription after an eye exam under the 1978 Eyeglass Rule, the first Magnuson-Moss rule.
No new rulemakings have been initiated under the process since 1980, though the agency has finished work on rules that were already in progress and amended others.
3. How does the FTC oversee data protection now?
The commission has been using its authority under Section 5 of the FTC Act to protect consumers from unfair or deceptive business practices that involve their data, chiefly through settlements with companies that, over time, help set precedents for what constitutes sound data protection.
That approach has amounted to dozens of cases involving privacy and security enforcement over the past two decades.
In one prominent case,
Facebook, meanwhile, reached a record $5 billion settlement with the FTC in 2019 after a data privacy scandal involving political consultancy Cambridge Analytica. That settlement also gave the social media giant’s board of directors greater responsibility for protecting user data.
4. What’s wrong with the current approach?
Although the FTC could continue with case-by-case enforcement while Congress considers giving the agency more authority for data protection rulemaking, critics say its settlements lack teeth as the agency can’t generally fine a company for a first misstep.
The FTC can only issue fines for violating an existing agreement with the agency, as in Facebook’s case, or for issues such as children’s privacy, where a law has given the agency penalty authority. FTC fines are further limited by a U.S. Supreme Court ruling that slashed the commission’s authority to seek monetary awards in court.
The FTC has also faced pushback for laying out what detractors say are vague steps for improving a company’s data security or privacy practices.
One settlement involving LabMD Inc. was thrown out by a federal appeals court that deemed it unenforceable for mandating a data security overhaul without explaining what that would involve. In wake of that ruling, the agency began directing companies to implement specific data security practices.
5. Would a new rule really protect consumer data?
A new FTC data protection rule, especially one written with industry input, could ultimately better protect consumers by clearly laying out what’s expected from data handlers, arguably easing their path to compliance.
New regulatory boundaries could also shift the burden for data protection away from the courts if a stronger, more transparent FTC standard means fewer class action lawsuits filed on behalf of consumers whose data has been compromised.
To Learn More:
—From Bloomberg Law
—From Bloomberg News