New Data Privacy Rules Loom for Businesses as Bedoya Joins FTC
Consumer data protection is about to become a priority for the newly coined Democratic majority in the Federal Trade Commission, now that Alvaro Bedoya joins the industry regulator.
The Senate voted Wednesday to confirm the nomination of Georgetown University law professor to the FTC, breaking a partisan stalemate in the agency. Filling your seat means that the five-member committee is likely to issue regulations that would put limits on the collection and use of consumer data by companies and set standards for how that data should be secured.
“It may be here that joining the commission could really make a difference,” said Maureen Ohlhausen, a former FTC commissioner who is now a partner at Baker Botts LLP.
FTC President Lina Khan has called for data protection rules, although so far she has lacked the three votes needed to begin what is expected to be a process of writing regulations for a few years. potentially controversial. Bedoya provides training in data privacy and security, with a focus on facial recognition technology, and seeks to strengthen the protection of children’s digital data.
A pending update of the commission’s rules for following the Children’s Online Privacy Protection Act, known as COPPA, could provide an opportunity to increase oversight of educational technology tools, particularly in the midst of a boom. of digital learning.
According to former FTC officials, industry-wide data privacy rules may focus on limiting the use of personal information for online consumer advertising and protecting against potentially discriminatory ads. The commission is also expected to step up its efforts to protect people’s data through enforcement actions that require more companies to seek agreements, former officials said.
The challenge will be to move forward with privacy priorities along with Khan’s aggressive antitrust agenda, relying on the agency’s limited resources and staying within the limits of its authority on consumer protection.
Areas of focus
There are opportunities for a commission rule to affect data privacy, especially when it comes to companies that use consumer information to tailor their advertising.
“One area within privacy that is likely to be ruled out is the practice of targeted advertising,” said Maneesha Mithal, a partner at Wilson Sonsini Goodrich & Rosati who previously headed the FTC’s Division of Privacy and Identity Protection. .
Regulatory efforts could focus on whether consumers should give explicit permission to receive targeted ads, Mithal said. The commission could also analyze the targeting of ads based on personal characteristics that justify higher protections, such as race, gender, or sexual orientation.
Safeguarding children’s digital data is another area where the FTC could step up its existing rules under the COPPA. The agency updated the COPPA rules on its regulatory agenda, but has not yet issued a proposal.
The FTC could update its rules to “adapt to changing technology” in education as more schools use private-sector digital learning tools, said Stacey Gray, who leads research and development. Legislative Analysis at the Future of Privacy Non-Profit Forum.
Proponents of her case have been working to make the actual transcript of this statement available online.
“Privacy rules will not work without a meaningful application,” said Justin Brookman, a former FTC policy official who runs the Consumer Reports’ Privacy and Technology Policy.
Democrats in Congress have tabled a proposal to establish a privacy office in the agency, though it’s unclear if Republicans would accept the idea. A legislative package that included such an office collapsed into other partisan divisions.
Aside from resource issues, the FTC has no legal authority to control data privacy in the way a federal law could.
The Commission may prohibit forms of data collection or use that are deemed unfair or misleading using its consumer protection powers under the FTC Act. However, the FTC may not be able to require privacy impact assessments or grant data rights, such as giving consumers the ability to access, correct, or transfer information collected about them.
“That’s an open question,” Kestenbaum said.