FTC Seeks Greater Data Security, Privacy Authority

Financial Services Law

The Federal Trade Commission (FTC) is seeking more power to protect consumers and promote competition. In testimony before Congress, the FTC chair and the associate director for the Division of Privacy and Identity Protection discussed the agency’s enforcement efforts and assured lawmakers that data security and privacy remain top priorities for the agency.

What happened

With the FTC at full capacity for the first time in years, members of the commission recently appeared before Congress to chat about the agency’s dual mandate to protect consumers and promote competition.

Appearing before the Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, FTC Chair Joseph Simons emphasized the importance of data security and privacy protections. “Year after year, privacy and data security top the list of consumer protection priorities at the Federal Trade Commission,” Simons testified. “These concerns are critical to consumers and businesses alike.”

The chair highlighted several recent enforcement actions in the area of data security and consumer privacy, including the FTC’s March 2018 deal with an online payment system company, to resolve allegations against its payment and social networking peer-to-peer service, including that its privacy notices were not sufficiently clear, that it lacked the Gramm-Leach-Bliley Act’s (GLBA) required information security program until 2014 and that it misled consumers about their ability to control the privacy of their transactions.

The testimony also discussed the agency’s efforts to ensure that advertising is not misleading, citing as an example a complaint against LendingClub alleging the online lender used deceptive marketing by claiming its loans had “no hidden fees” when consumers learned after the fact they were charged hundreds, and even thousands, of dollars in origination fees.

Despite these successes, Simons said that the current statutes do not give the FTC all the power it needs.

“Section 5 … cannot address all privacy and data security concerns in the marketplace,” he testified. “For example, Section 5 does not provide for civil penalties, reducing the Commission’s deterrent capability. The Commission also lacks authority over nonprofits and over common carrier activity, even though these acts or practices often have serious implications for consumer privacy and data security. Finally, the FTC lacks broad [Administrative Procedure Act] rulemaking authority for privacy and data security generally. The Commission continues to reiterate its longstanding bipartisan call for comprehensive data security legislation.” Simons argued for data security legislation that would address his concerns.

Simons noted the upcoming hearings on the current state of the FTC, intended to help provide a “fresh perspective” on privacy and data security issues. “The Commission’s remedial authority with respect to privacy and data security will be a key topic in these hearings, and the comments and discussions on these issues will be one source to inform the FTC’s enforcement and policy priorities,” he said.

FTC Associate Director for Privacy and Identity Protection Maneesha Mithal also appeared before Congress, testifying before the Senate Committee on Banking, Housing and Urban Affairs on the Fair Credit Reporting Act (FCRA), credit reporting agencies and data security.

Noting that the FTC has brought more than 30 FCRA actions over the past decade, Mithal said “vigorous enforcement” of the FCRA continues to be “a top priority” for the Commission. She also detailed the “substantial efforts to promote data security” in the private sector through enforcement of Section 5 as well as the Commission’s Safeguards Rule, which implements the GLBA and its data security Safeguards Standards, which apply to nonbanks substantially engaged in offering consumer financial products or services. Mithal noted that the FTC has brought over 60 actions against companies subject to its jurisdiction that allegedly engaged in unreasonable data security practices, including an investigation of the security breaches at a number of consumer reporting agencies. 

To read the prepared statement with Simons’ remarks, click here.

To read the prepared statement with Mithal’s remarks, click here

Why it matters

While Simons shared the successful enforcement actions recently achieved by the FTC, he did not hesitate to ask lawmakers for new legislation to enhance the FTC’s ability to protect consumer privacy and data security. “In my view, we need more authority,” Simons said in separate oral remarks before the subcommittee. “I support data security legislation that would give us three things: (1) the ability to seek civil penalties to effectively deter unlawful conduct, (2) jurisdiction over non-profits and common carriers, and (3) the authority to issue implementing rules under the Administrative Procedure Act. And we should consider additional privacy authority as well.” Even without statutory changes, however, Simons vowed that “under my leadership, privacy and data security will continue to be an enforcement priority, and the FTC will use every tool in our arsenal to redress consumer harm to the extent we can.” While the FTC may be the closest thing the U.S. federal government has to a comprehensive data protection regulator, it is clear that much more congressional action is needed to expand on Section 5 of the FTC Act and its limited GLBA authority.