U.S. lawmakers should pre-empt state privacy laws that largely have been unworkable for businesses, Republican Federal Trade Commissioner Christine Wilson said.
The FTC is the de facto U.S. privacy and data security regulator but lacks broad powers to hold companies accountable for misusing user data. All five commissioners have supported some new rulemaking and enforcement authority as Congress considers drafting a federal online privacy law.
California’s new privacy law, and growing efforts in Washington, New York, and other states show the need to limit the trend of states all passing individual privacy laws, she said.
A state law patchwork is very “unworkable for industry,” Wilson said at an American Enterprise Institute event in Washington.
Wilson and FTC Chairman Joe Simons want Congress to give the agency more power to make rules and impose fines for first offenses in a federal privacy law. Companies and tech groups favor giving the FTC more authority in a bill that also pre-empts state laws.
Privacy advocates argue against federal pre-emption without leaving some privacy enforcement powers to the states. Sen. Richard Blumenthal (D-Conn.), who is working on a bipartisan privacy bill, doesn’t want to weaken state privacy laws at the expense of a national standard.
Simons, said in a letter to House Energy and Commerce Chairman Frank Pallone (D-N.J.) that the agency needs “additional tools and resources to better protect consumers’ privacy.”
Simons told Pallone, in response to Pallone’s earlier inquiry about additional needed resources, that he would like the agency to be able to “obtain civil penalties for violations, conduct rulemaking under Administrative Procedure Act (“APA”), and exercise jurisdictions over common carriers and non-profits.”
Simons noted in the letter that the FTC has limited rulemaking authority under existing federal privacy laws such as the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act.
Federal agencies are important users of consumer information, Peter Winn, acting chief privacy and civil liberties office at the Justice Department, said at the AEI event. A federal privacy law must recognize or preserve access to data for legitimate law enforcement or national security activities, he said.
Companies should have access to consumer information as long as they can appropriately secure and protect data, Winn said. Lawmakers should balance “reasonable” consumer privacy preferences with “other legitimate uses of information,” he said.
Winn echoed concerns from small business and some lawmakers that broad privacy laws are too costly to comply.
“We need to focus on what it will cost to achieve high levels of compliance,” which is the only sustainable way to promote public trust, Winn said.