FTC renews call for single federal privacy law

The US Federal Trade Commission (FTC) is yet again beating the drum for the long-discussed, much-debated, when-in-the-world-will-this-happen national data privacy law, the lack of which keeps the country from parity with the EU and its General Data Protection Regulation (GDPR)…

…or, for that matter, with the state of California, with its California’s Consumer Privacy Act (CCPA).

FTC commissioners testified before the House Energy and Commerce subcommittee on Wednesday. As the New York Times reports, they addressed how a national privacy law could regulate how big tech companies like Facebook and Google collect and handle user data.

Besides consumer protection, the FTC is looking for more power. Commissioners asked Congress to strengthen the agency’s ability to police violations, asking for more resources and greater authority to impose penalties.

At this point, as lawmakers squabble over the details of various approaches to a national law, the US lags behind European and other nations that have acted to rein in the growing might of big tech.

In February, both the House and Senate held hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations.

A new, single federal law

Lawmakers tend to agree that we need a new, single federal privacy law. At this point, we’ve got a hodgepodge of state laws and a slew of proposed federal laws. Lawmakers are now considering one such: the Data Care Act.

Other bills: In September, Suzan DelBene introduced a privacy bill that would require information transparency and personal data control. In November, Senator Ron Wyden proposed a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy. Senator Marco Rubio announced yet another bill in January, titled the American Data Dissemination Act.

In previous hearings, the squabbling has been over concerns such as existing privacy laws – the GDPR and CCPA – being cost-prohibitive for small businesses and startups, and that California shouldn’t get to dictate the nation’s approach to privacy.

Suitable punishments

This time around, concerns rose about the implications of making punishments fit the crime. As it is, the FTC is in settlement talks with Facebook following its 13-month investigation into privacy violations – a case that was opened following the Cambridge Analytica privacy debacle.

People familiar with those settlement talks told the Times that Facebook is expected to create several positions dedicated to privacy compliance and oversight. They also told the Times that the severity of punishments is a divisive topic, and one that’s split along party lines: three of the FTC commissioners are Republicans, and two are Democrats.

During Wednesday’s hearing, the two Democrats called for punishments that send a clear, strong message to tech companies about the necessity to change behavior after they’re found guilty of privacy rule violations. In other words, punishment a la Senator Wyden’s “throw-the-execs-in-jail” proposal.

The Times quoted Rohit Chopra, one of the Democratic commissioners:

For some firms fines are a parking ticket and the cost of doing business and cannot change behavior unless penalties are painful and finding out who at the top called the shots. [Strong enforcement should include] looking at the role of individuals who made the decision that it was worth violating the law in order to profit.

Should Zuck be held accountable?

Execs, as in, the top execs. The Times’ sources said that at one point, FTC officials mulled naming Facebook CEO Mark Zuckerberg as a responsible party, which would make him liable to financial and other penalties if Facebook got in more trouble over privacy in the future.

Holding Zuck personally culpable for privacy fumbling, however appealing that might sound to some, isn’t expected to happen – at least, not at this stage of the privacy game.

Given how long it’s taking the country to do anything at all, he probably shouldn’t have to hold his breath to find out how likely it is he’ll wind up behind bars. Give it another few decades, and maybe then he’ll face the now-remote possibility that somebody will ask him for his shoelaces.