The Federal Trade Commission (FTC) is under pressure after recent privacy scandals as critics question if the agency has the regulatory teeth to oversee the tech industry’s customer data policies.
The new scrutiny also comes with Congress mulling federal privacy legislation. Many privacy and consumer watchdogs say beefing up the agency’s powers and resources to handle data privacy should be a top priority.
“I think they do a decent job with the limited authority they have, but they have nowhere near the legal authority nor the staff to really meaningfully police the tech industry,” said Justin Brookman, a former policy director in the FTC’s Office of Technology Research and Investigation.
The agency’s mandate under the Federal Trade Commission Act is to police companies for “unfair and deceptive” practices. But many tech experts say that definition doesn’t help the agency deal with the new problems with online privacy. They believe the definition should be broadened to help the FTC better police tech giants and other data collectors.
“ ‘Unfair and deceptive’ usually means that a company hasn’t told you that they’re going to engage in a certain practice or they’ve lied to you,” said Gigi Sohn, a former Federal Communications Commission (FCC) official who helped craft broadband privacy rules.
“If their terms of service says ‘We’re going to collect everything we know about you and sell it to the highest bidder,’ I’m not sure the FTC can do anything about that,” she said. “It’s kind of easy for the companies to cover their behinds.”
The privacy rules that Sohn helped draft at the FCC were scrapped by Congress. The FCC under GOP Chairman Ajit Pai also relinquished its privacy enforcement authority over broadband providers to the FTC.
But that has proved to be a tougher challenge for the FTC, whose limits have been highlighted by a string of recent data scandals involving some of the industry’s biggest names, including Facebook and Google.
The chief problem critics point to is that the FTC doesn’t have the authority to fine a company when it discovers privacy violations. That means the agency will often enter into settlements with businesses over deceptive privacy practices with a promise of hefty penalties if they violate those agreements going forward. The companies in a large sense police themselves, critics say, hiring outside auditors to sign off on their privacy practices for the agency.
Both Facebook and Google were operating under such consent agreements during recent incidents involving user data.
The FTC is currently investigating whether Facebook violated the terms of a 2011 settlement in its handling of the Cambridge Analytica scandal, in which a right-wing political consulting firm improperly obtained millions of Facebook users’ data without their knowledge or permission.
Facebook’s settlement with the FTC required it to submit to regular third-party audits of its privacy program to ensure compliance. But the audits that Facebook submitted to the FTC did not discover the Cambridge Analytica incident.
Google, which recently disclosed that about half a million Google Plus users had their data exposed through a software vulnerability, didn’t tell regulators about the incident until months after it was first discovered, reportedly because it was concerned about drawing unwanted attention from officials during the firestorm surrounding Facebook and Cambridge Analytica at the time.
Earlier this month, The Hill reported that Google’s most recent privacy audit, though heavily redacted, appeared to make no mention of the incident.
For privacy advocates, those two incidents in the last year were all the evidence needed that the FTC’s approach is lacking and that it needs more tools to address data security and consumer privacy.
“I can’t think of an example where an audit actually uncovered anything,” said Brookman, who now directs privacy and consumer protection at Consumers Union. “I don’t think the Googles and the Facebooks of the world take them seriously, I think they consider them a slight cost of compliance.”
“When a report comes out, because Google is paying for it, it’s not going to say ‘We’ve uncovered serious violations,’ ” he added.
Advocates for tougher regulation of tech companies over privacy are calling for Congress to give the FTC greater authority to oversee industry data collection practices and to set privacy standards for regulators to enforce.
“The fact that we’ve had so many privacy violations and we’ve had so many recurring issues where people’s privacy expectations aren’t met even with companies that have consent agreements makes me think that we need to go beyond these agreements and set a baseline law that’s going to control how companies act,” Chris Calabrese, the vice president of policy at the Center for Democracy and Technology, told The Hill.
“If you don’t have a comprehensive law, you’re perpetually playing whack-a-mole to try to find these bad actors.”
Those calls seem to have a receptive audience at the agency as well.
Joseph Simons, the Republican chairman of the FTC who was sworn in in May, has asked Congress to expand his agency’s authority. He is seeking the ability to set rules and fine companies over their first privacy violations.
Americans’ concerns about privacy have been growing in the wake of numerous hacks, breaches and security bugs.
For many, the push to expand the FTC’s powers won’t get the agency off the hook. They say the FTC could start taking a more vigorous enforcement approach with the powers it currently has.
Rohit Chopra, a Democratic FTC commissioner who was also sworn in this year, wrote a policy memo in May calling for tougher enforcement of agency consent agreements.
“The Commission should carefully consider ways to build on its existing enforcement regime to make clear to market participants that our orders are to be taken seriously,” Chopra wrote.
“FTC orders are not suggestions.”