Federal Trade Commission Chair Lina Khan said it is time that the agency, which is tasked with enforcing consumer privacy protections, "reassess" rules around what data companies can collect about consumers and how they secure that data.
Khan, who was speaking Monday at an event hosted by the International Association of Privacy Protections, called the current notice and consent framework "outdated and insufficient." She said it's time for a major paradigm shift in which the FTC as the federal regulator and Congress, which has long promised privacy legislation, do something to ensure that consumers don't have to give up their personal data in order to access online tools that have become essential to everyday life.
She also questioned whether companies should be allowed to collect data indiscriminately, noting that most consumers aren't even aware of what data is being collected and where their personal information ends up.
"I believe we should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements, while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place," she said.
Khan's comments come nearly a year after she was confirmed by the Senate for a seat on the FTC and then made chair by President Biden. Progressives cheered her pick as chair due to her work as an antitrust reformer, best known for advocating reigning in the power of Big Tech companies like Amazon, Apple, Facebook and Google.
Privacy experts have also been putting pressure on Khan to institute long-awaited federal rules that spell out what data companies can collect on consumers and how companies should protect that data. Khan acknowledged the need for such rules, referring to the commercial surveillance economy around consumer data, which monetizes personal information and creates a business model "that seems to incentivize endless tracking and vacuuming up of users' data."
She also talked about the FTC's need to take a multidisciplinary approach to enforcement, looking at both privacy and antitrust. She explained how large companies can use their market dominance to force consumers to hand over their personal data whether they want to or not.
"When faced with technologies that are increasingly critical for navigating modern life, users often lack a real set of alternatives and cannot reasonably forego using these tools," she said. Collectively, she said, we must "consider whether we want to live in a society where firms can condition access to critical technologies and opportunities on users having to surrender to commercial surveillance."
While Khan said she is considering new rules, the FTC has not yet kicked off an official rule-making proceeding because the commission is still split with two Democrats and two Republicans. Without a clear Democratic majority, Khan doesn't have the votes to move her agenda forward.
That could change soon as the Senate is expected to vote after the Easter break on the confirmation of Biden's nominee for the third Democratic seat on the FTC, Alvaro Bedoya, a Georgetown University law professor known for his work on privacy matters.
Congress' privacy bill
Meanwhile, efforts in Congress to pass comprehensive data privacy legislation have stalled as Democrats and Republicans disagree on the extent of federal preemption of state laws and the inclusion of a private right of action, which would allow consumers to sue if their data is mishandled.
Khan acknowledged the importance of federal legislation to make a significant shift, but she also said that the FTC is well positioned to handle enforcement within the authority Congress has already given the agency.
"Even without a federal privacy or security law, the FTC has for decades served as de facto enforcer in this domain," she said at the event.
To highlight the agency's accomplishments on these matters, Khan also ticked off some recent settlements involving alleged violations of the children's privacy law. In December, the agency announced it had settled with online advertising platform OpenX Technologies, which the FTC says collected geolocation data of children without parental consent, a violation of federal law.
In March, the agency settled with WW International over the app Kurbo, an online weight management program for kids, which allegedly illegally harvested personal data about kids, including birthdates, eating habits and daily activities. Khan said that in these instances, the FTC did more than just impose fines.
With regard to Kurbo, she said the "settlement required not only that the business pay a penalty for its law-breaking but also that it delete its ill-gotten gain and destroy any algorithms derived from that data."
She said the FTC has also taken prescriptive action, such as requiring the online merchandise platform CafePress, in a settlement reached in March, to adopt specific security measures after the agency alleged it failed to secure consumers' sensitive personal data and then covered up the breach.
But Khan said the agency can do more.
"No doubt we will continue using our current enforcement tools to take swift and bold action," Khan said. "The realities of how firms surveil, categorize and monetize user data in the modern economy, however, invites us to consider how we might need to update our approach further yet."