The Federal Trade Commission has focused some of its recent public statements on technology issues and related enforcement challenges. In this blog post, I provide a recap of those statements, including one before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection.
Safeguarding consumer trust and security in the evolving world of IoT
Commissioner Rebecca Kelly Slaughter stressed the need for collaborative action to safeguard consumer trust and security in the evolving world of IoT, in remarks before the Open Technology Institute and New America Foundation . Commissioner Slaughter described a number of beneficial uses of connected devices as transformative, but also noted the legitimate risks associated with the hacking of connected devices.
Commissioner Slaughter believes we are at a critical point in the IoT era in terms of getting privacy and security right and noted a few basic trouble spots the FTC has observed in the marketplace. For example, she noted that the FTC is continuing to see basic failures in product design and pre-release testing and encouraged companies to consider security at the outset. At the same time, she noted that pre-release testing will not catch all problems so it is important to make sure there is a process in place to address vulnerabilities as they arise. Further, she noted that deploying patches and other solutions is often challenging so she encourages companies to consider from the beginning how to maintain security over the lifespan of the device.
Finally, Commissioner Slaughter noted that the upcoming FTC hearings will provide an opportunity to learn more about the challenges and opportunities in the IoT space. In addition, she noted her support of former Commissioner McSweeny’s idea to elevate the FTC’s technological expertise into a formal Bureau of Technology that would spot issues across both the competition and consumer protection missions.
FTC needs more resources, authority to enforce privacy and data security
Consumer privacy and data security will continue to be an enforcement priority at the FTC and it is critical that the Commission have sufficient resources to support its investigative and litigation needs, according to testimony delivered by the full Commission before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on July 18. However, the Commission identified three impediments that impact its investigative and enforcement efforts with respect to privacy and data security and renewed its bipartisan call for comprehensive data security legislation.
First, the FTC has used Section 5 of the FTC, which prohibits unfair or deceptive acts or practices, to bring over 60 data security and 50 privacy enforcement actions. But, unless the action is paired with a statute or rule that provides for civil penalties, such as the Children’s Online Privacy Protection Act Rule, the Commission is prohibited from obtaining monetary relief for Section 5 violations. The Commission believes that the inability to obtain monetary relief impedes its deterrent capability.
Second, the FTC has no jurisdiction over nonprofits or common carrier activity even though those entities may engage in practices that have serious implications for consumer privacy and data security.
Third, the FTC lacks broad rulemaking authority which prevents it from setting standards with respect to privacy and data security. As a result, Congress has granted the Commission specific authority to engage in rulemaking with respect to children’s privacy and some financial data security, and credit reporting.
While the Commission renewed its call for comprehensive data security legislation, it did not elaborate on what such legislation would look like or whether there are existing regulatory regimes that should be duplicated at the federal level, such as the New York Department of Financial Services Cyber Regulations. Instead, the testimony highlighted the upcoming Hearings on Competition and Consumer Protection in the 21st Century as an opportunity for the Commission to examine its remedial authority with respect to privacy and data security.
Press reports indicate that the subcommittee members were supportive of providing the FTC with more tools and resources.