Privacy laws remain in the headlines, with a call from the Government Accountability Office for a federal bill and states proposing measures that echo the California Consumer Privacy Act (CCPA).
The GAO was asked to review the scope of federal oversight of Internet privacy in light of incidents involving the misuse of consumers’ personal information. In response, in a new report, the GAO explained that the Federal Trade Commission currently leads oversight of Internet privacy, using statutory authority found in the FTC Act to take action against unfair and deceptive trade practices.
Over the past decade, the FTC has filed 101 enforcement actions regarding Internet privacy, with “nearly all” resulting in settlement agreements requiring action by the companies, the GAO said. However, because it lacks the authority, the commission has yet to levy civil penalties in such actions.
The Federal Communications Commission has had a limited role in overseeing Internet privacy, the GAO noted, although the FTC resumed privacy oversight of Internet service providers in June 2018.
Stakeholders presented differing views on the current privacy enforcement approach and how it could be enhanced, according to the report. While those in the Internet industry favored the current situation and advocated that the FTC not be granted additional authority, consumer advocates and former FTC and FCC commissioners favored having the agency issue and enforce new, privacy-specific regulations.
Three possible areas of oversight could be increased with regard to Internet privacy, stakeholders told the GAO: statutory passage of an overarching privacy measure, rulemaking that would provide clarity and greater flexibility than a new statute, and civil penalty authority that would give the FTC power by permitting the agency to levy civil penalties.
After conducting its review, the GAO concluded that a federal law would best serve the purpose of protecting consumer privacy. “Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government’s ability to protect consumer privacy,” according to the report.
While it remains to be seen whether federal lawmakers will answer the call for legislation, states are taking their own actions. With the enforcement deadline for the CCPA just over one year away, similar measures are popping up in other jurisdictions.
In Massachusetts, the legislature is considering SD.341, a bill that would require businesses that meet one of two revenue-related thresholds to provide notice “at or before the point of collection” of any personal information that will be collected and disclosed and provide the purpose for the collection or disclosure. Consumers would be given the right to request a copy of personal information collected about them and the right to request deletion of their data.
Importantly, the proposed law also allows a private right of action without proof of actual damages, stating that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff would be entitled to actual damages or $750 “per consumer incident,” whichever is greater.
A comparable bill was recently introduced in Washington. The Washington Privacy Act, Senate Bill (SB) 5376, would give consumers the right to know what data has been collected and opt out of having their information used for direct marketing.
Companies that control or process data from fewer than 100,000 customers would be exempt from the measure, unless they sell personal information. Companies that sell personal information can avoid coverage only if they control or process data from fewer than 25,000 customers and derive less than 50 percent of their revenue from the sale of personal information.
To read the GAO report, click here.
To read SD.341, click here.
To read SB 5376, click here.
Why it matters: The GAO report and the CCPA follow-on laws reflect a trend toward increasing oversight of consumer privacy. With the CCPA set to take effect in July 2020, other states considering similar measures, and no federal legislation close to being passed, businesses are facing an increasing patchwork of varying privacy regulations.