Julie Brill, FTC Commissioner, at PL&B’s 28th Annual International Conference, Cambridge, on the FTC’s Privacy Leadership Role in the US
Julie Brill, Commissioner, Federal Trade Commission, has now published (see link below) her presentation on the FTC’s Privacy Leadership Role in the US which she gave at on 7th July in Cambridge at PL&B’s 28th Annual International Conference, Privacy in a Connected World. Conference summaries will be published in Privacy Laws & Business UK and International Reports Next year’s conference will take place 4-6th July 2016 at St. John’s College, Cambridge.
She explained that the FTC overcomes the lack of a US comprehensive privacy law by deploying Section 5 which “gives the FTC broad authority to provide remedies for consumers harmed by deceptive or unfair practices in the market place. It is a flexible statute that grants the FTC consumer protection authority that changes as technologies and business practices change …… but serves equally well in the era of connected devices, mobile payments and facial recognition.” She gave many example of where “The FTC Act can protect consumers when data collection from the Internet of Things crosses the line into deception or unfairness.”
“Consumers want to know what information they are feeding to online services and what happens to the information once a company has it. This is the purpose that privacy policies serve – or should serve. So it is essential that privacy policies provide information that is true and not misleading. The same goes for disclosures outside of privacy policies, such as in user interfaces. The FTC’s deception authority is a vital enforcement tool as consumers move to mobile platforms, connected devices, and beyond.”
“Using our deception and unfairness authority under Section 5, we have brought cases and entered into privacy and data security settlements with some of the largest companies in the world, including Google, Facebook, Twitter, and Snapchat….The settlements in these cases – more than 40 of them dealing with privacy, and nearly 60 dealing with data security – have brought greater protections for consumers in the United States, in Europe, and around the world.”
The FTC has taken action against mobile apps, social networks, advertising networks, purveyors of malware and spyware, and retailers.
Commissioner Brill said “… connected cars, pills, and cities – and the data that they collect – bring risks, too, especially to consumer privacy. They will collect information about our health conditions and other sensitive traits. They will make available a huge amount of data that can be used to infer what cannot be observed directly. And as sensors become ubiquitous and user interfaces disappear, ensuring that this data collection will take place with consumers’ knowledge and consent becomes much more challenging. The FTC Act can protect consumers when data collection from the Internet of Things crosses the line into deception or unfairness……. Together these cases show that the FTC Act’s prohibitions apply to a wide range of privacy harms, and that the Act gives the FTC the flexibility to enforce some privacy rights of consumers who may not even be aware that data is being collected from them.” She continued: “Privacy protections will also play an integral role in building consumer trust in the Internet of Things. Our report emphasizes that companies should ask not whether Fair Information Practice Principles like notice, choice, and data minimization apply to the Internet of Things, but how they apply.”
A baseline privacy law in the US?
“Should rights and obligations based on the Fair Information Practice Principles be incorporated into a baseline privacy law in the U.S.? My answer is “yes.” An appropriate baseline privacy law would accomplish two useful goals: it would create strong, specific, and enforceable protections for consumers, and it would set out clearer rules of the road for businesses, especially when dealing with sensitive information.”
“I don’t believe baseline privacy legislation is enough. I would like to see both data broker legislation and data security legislation also enacted in the U.S. With respect to data security, legislation that supplements the FTC’s current “reasonable security” standard with FTC rulemaking and civil penalty authority would put the FTC in a stronger position to hold accountable those companies that fail to take the necessary steps to protect the data that consumers have entrusted to them.”