New privacy bill would add 440 FTC employees

The new FTC employees would enforce new privacy and data security regulations in the bill, including a requirement that companies implement comprehensive data security programs.

Moran’s bill would also require that companies collecting personal data give notice and get consumer consent in many cases. It would allow consumers to see what data is collected, correct inaccuracies, and request that their data be deleted. The bill would preempt state privacy laws.

Violations of the regulations in the bill would be treated as unfair or deceptive acts under Section 5 of the FTC Act, which has a current penalty of $42,530 per violation. State attorneys general could also bring civil actions, but no private lawsuits are allowed under the bill.

“Americans need to be able to count on strong baseline responsibilities that businesses must uphold when collecting, processing, and protecting their personally identifiable information,” Moran said in a statement. “While our economy has benefited from the use of data, these advancements should not be traded for an individual’s right to have control over their personal information.”

The bill is intended to address bad actors who use security breaches and other unauthorized activities to process consumer data in “unfair and deceptive ways,” he added.

Several privacy advocates praised the bill, saying it represents a step forward.

An expansion of the FTC is a “great move,” said Will Ellis, the founder of Privacy Australia and an IT security consultant. “Not only does it show that more efforts are being put in place to improve privacy and data security, but it gives consumers a better voice when discussing their data, as the rules are expected to be better enforced,” he said. “Often, consumer data is handled carelessly and sold without consent of the consumer.”

While enforcing data privacy and security still has a long way to go, the “current movement is in the right direction,” he added.

Uniform, nationwide standards for privacy and data security would be a good step, added Stephen Newman, a partner with Stroock law firm in Los Angeles.

A federal law would be helpful to businesses already dealing with a patchwork of state privacy and data security laws, Newman said. The various state laws make it “difficult for businesses to know what their obligations are and difficult for consumers to know what their rights are,” he added.

While some privacy advocates have pushed for the ability of private citizens to file lawsuits, Newman praised Moran’s bill for limiting them. “By concentrating enforcement power with the FTC and state-elected attorneys general, the proposed legislation avoids encouraging abusive private litigation that might undermine rather than enhance the goals of robust, uniform, and predictable standards for business to follow,” he said.

This lack of a private right of action is one of the main differences from other privacy legislation introduced recently, said Braden Perry, a litigation, regulatory, and government investigations attorney with Kansas law firm Kennyhertz Perry.

“This bill is an interesting mix of business responsibility and consumer rights,” he said. “This legislation has privacy standards that are designed to educate consumers on what a company does with their information while not hindering a business with arduous burdens.”

Perry doesn’t believe Moran’s bill will pass, but “much stricter regulations in the United States are inevitable.”

The U.S. is trailing the European Union and other countries in protecting consumer privacy, he added. “Currently, data is being collected by U.S. companies without much oversight or control,” he said. “In the end, there will be sweeping legislation, and companies should prepare to address their privacy policies and ensure that customers understand how their data is being used and for what purposes.”