WASHINGTON — The Senate wants to pass a federal data privacy law, but Federal Trade Commission officials and business representatives underscored that the agency lacks the resources to enforce it.
While data has vast economic and social benefits, the need for strong data privacy rules has become increasingly urgent. Since the start of the COVID-19 pandemic, millions of Americans have shifted their activities online, becoming prey to increased rates of identity theft, data breaches and cyber attacks.
The Senate Committee on Commerce, Science and Transportation hopes to address this by creating a privacy bureau and giving $1 billion to the FTC for privacy and data security. If passed, the United States would join more than 100 countries, including China, that have baseline data privacy laws.
Chairwoman Maria Cantwell, D-Wash., said during Wednesday’s hearing she believes that ensuring compliance among businesses is paramount for any future federal privacy law.
“The fact is that companies collecting this information are not doing enough,” Cantwell said. “We need compliance. Compliance with existing laws, or compliance with new rule making or compliance with the new Privacy Law, will be insufficient if the FTC is not well resourced.”
Morgan Reed, president of the App Association, a trade group that represents thousands of app makers and connected device companies, said he worries that, for small companies, compliance means expensive lawsuits.
“Ultimately the economic health, education, and, frankly, opportunities for growing new businesses created in our country depend on a robust and appropriately funded FTC,” Reed said. Its underfunding “hurts American citizens and American competitiveness, globally.”
Reed said he sees a deficiency in education as an important consideration in devising a national privacy law.
“Part of the problem is we’re taking it from a compliance perspective,” Reed said. “Merely adding another page to a terms of service or a click through doesn’t actually achieve knowledge and doesn’t actually allow the user to understand what’s going on.”
Reed said that small companies rely on consumer trust and that trust is based in privacy. He said 63% of consumers report they’ve deleted an app due to privacy concerns.
“We actually need our consumers to trust us,” Reed said. “The ability to regain trust is true, regardless of size, but it is more profoundly felt by small businesses.”
Maureen Ohlhausen, former acting chair of the Federal Trade Commission, said she believes that financial resources alone are insufficient to assure a federal data privacy law’s success.
“I think you really need both: You need more resources financially, and you need stronger, statutory guidance and clarity for the FTC to enforce,” Ohlhausen said.
Ohlhausen said companies should be subject to fines if they don’t protect consumer data. Consumers, by the same vein, should get actual damages.
“Some [bills] require companies to have processes in place to ensure that the data is protected” Ohlhausen said. “You want to be able to have the right incentives in place for companies to take those protections.”
A national data privacy law is inevitable, according to David Vladeck, former director of the Federal Trade Commission Bureau of Consumer Protection.
“There is really no transparency to consumers,” Vladesk said. “At some point Congress is going to need to pass a comprehensive privacy statute. I worry that carve-outs for small businesses without some subtlety to it would allow companies that can be incredibly disruptive on the Internet — tiny companies — to evade regulation.”