FTC Commissioner Julie Brill urged Congress to pass new privacy laws while making a speech at Princeton’s Woodrow Wilson School on February 20, 2014. She specifically lobbied for Congress to pass three privacy laws related to data broker transparency, a comprehensive federal privacy law, and a federal data security law, reports The Hill.

The first privacy legislation she called for would require more transparency for information brokerage companies which track consumers and analyze their behavior to sell for marketing purposes. Data brokerage companies track what consumers do while browsing the web, while shopping in physical stores and 
even what kind of purchases they make. They do this to compile as much data as possible on a consumer and then use complex algorithms to make inferences about the consumer. Brill mentioned Target’s tracking practices in which the company would track female consumers’ purchases in such a way as to be able to determine whether they are pregnant and even what stage of pregnancy they were in at any given time.

The second piece of legislation Brill called for was a comprehensive “baseline privacy legislation for the commercial arena.” The U.S. privacy law framework is such that different laws apply to different types of data or people. This can make figuring out which law and requirements an organization needs to comply with complicated, but it can also leave holes where certain data does not have any specific privacy law dedicated to it. Brill wants a baseline privacy bill that would “close the gaps in consumer privacy protections and help level the playing field among businesses.”

Lastly, Brill insisted that the U.S. clearly needs data security legislation. This is a hot topic lately after very public data breaches (Target, Neiman Marcus) captured the attention of the U.S. bringing data security, privacy, and identity theft to the forefront of the general public’s mind. There are currently 46 state data breach notification laws (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands), which can create a confusing maze for breached entities to navigate when determining what is a breach, who must be notified, when must they be notified, what the notification must include and more. There are several bills pending in Congress which seek to create a federal data breach notification law that could possibly preempt the state data breach notification laws. This is a touchy subject for many states because there is a risk that federal preemption of state data breach notification laws will water down many states’ individual laws. We will monitor legislation introduced in Congress to see if any of these FTC requests come to fruition.

“FTC Calling for Privacy Legislation” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.