On November 27, 2018, the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held a hearing titled “Oversight of the Federal Trade Commission,” which included testimony from Chairman Joseph Simons and Commissioners Rohit Chopra, Noah Phillips, Rebecca Slaughter, and Christine Wilson. The hearing examined a range of topics within the purview of the FTC, but of particular importance to privacy professionals was the discussion of whether the FTC should have expanded authority over privacy and data security.
The hearing followed two Subcommittee hearings on the creation of a federal privacy law, which Senator Moran (R-KS) noted was necessary in the wake of several large-scale data incidents and in light of the “implementation of the General Data Protection Regulation (“GDPR”) in Europe, and the recent passage of the California Consumer Privacy Act [(“CCPA”)].” Senator Blumenthal (D-CT), echoing the need for a federal privacy law, stated that “[the U.S.] need[s] to do it not only because Europe has done it, not only because California has done it, but [because] these rules are long overdue” and that congress must “[p]rovide the FTC with the resources[,] expertise and structure to enforce the rules [and] establish meaningful penalties on first offenses to pose a credible deterrent . . . .”
In working toward a bipartisan federal privacy law, the Subcommittee was specifically interested in input from the Commissioners on what should be included in the law as well as any additional tools the FTC would need to enforce it. Although little testimony was given on specific aspects of what should be included in the law, there appeared to be a consensus among the Commissioners that the FTC needs (1) direct authority to asses civil penalties, (2) authority over non-profits and common carriers for which there is currently an exemption, and (3) rulemaking authority under the Administrative Procedure Act.
In predicting what may be to come from the FTC in light of growing privacy concerns, Chairman Simons indicated that the FTC may use its Section 6(b) power under the FTC Act—which empowers the FTC to require an entity to file “annual or special . . . reports or answers in writing to specific questions”—to investigate big tech companies such as Amazon, Apple, Facebook, and Google regarding what consumer information is being collected and how that information used, shared, and sold.
Privacy professionals should continue to monitor the development of a federal U.S. privacy law and should keep an eye on potential FTC investigation efforts into big tech as the discussion develops and continues.