Even with the FTC mulling a rewrite of data privacy rules, don’t expect change to come soon

By Chris Morris

Last week, with much of the world focused on the passing of Queen Elizabeth, the Federal Trade Commission held a public hearing to pick the brains of experts about privacy and data governance.

 
It was the start of a long, complicated process that could, potentially, see the rules about data privacy in America rewritten, limiting what businesses can collect and sell, and potentially shaking the core of many big technology firms, such as Facebook, Google, and Amazon.

The FTC is likely to borrow from the European Union’s legal framework, known as GDPR, or General Data Protection Regulation. Those guidelines have set a framework for what personal data can be collected by companies. It’s viewed as the toughest privacy law in the world. Meanwhile, more than 50 countries, ranging from South Africa to France, are looking at ways to control the digital information their citizens and corporations produce.

Not that any of this is going to happen overnight. If the government generally moves at a slow clip, the FTC can be downright glacial. Unlike Congress, it has limited power and new rules have to be tied to existing ones surrounding unfair or deceptive practices. And its leadership shifts with presidential administrations, which can stall or halt any progress on initiatives. But, for now, the FTC is exploring wide-ranging alterations to current privacy laws, using the model that has been popularized in many European nations as a guideline.

 
 

Duane Pozza, a former assistant director at the Federal Trade Commission and current partner at the Wiley Rein law firm, warns that such changes, though they could be years away from implementation, would have a huge effect on consumers, businesses, and investors.

“They’ve cast the net pretty broadly in terms of the questions they’re asking,” he tells Fast Company. “Reading between the lines of the questions, at least the majority of the FTC are thinking about putting rules in place that are closer to what you see in Europe. They’ll be looking at lessons learned from the way GDPR has been implemented.”

What would these changes mean for consumers and companies? It could go in a lot of different directions, but here’s what Pozza had to say.

 

The effect on consumers

The FTC is attempting to gather information on many different kinds of data gathering practices. And the final outcome will depend greatly on the timeline, given that the agency’s Democratic majority has very different views on privacy than Republican commissioners.

“One direction they’re considering is they’ve asked about what’s called notice and choice for privacy policies, which is the idea that you get a disclosure, then click on it, then that outlines what the business has to do,” says Pozza.

If those policies are in conflict with the FTC’s deceptive practices rules, it will be easier for the FTC to act, given its limited power. But it then could put new rules into place about how data is collected.

 

The effect on companies

Although the threat of federal intervention might seem dramatic, most companies are already adjusting their privacy policies, due to a growing number of states that have already picked up the issue.

“This is a reminder that companies need to pay close attention to their data governance practice and have a handle on what kind of data they’re gathering,” says Pozza. “They need to think through things like whether they need it and whether they can de-identify it, not so much because of the rules, but because of data hygiene.”

Bottom line: Any company that collects data should be watching the FTC’s progress in this rule rewriting, as it could result in rules that directly impact it. The big fear is the FTC rules won’t be consistent with existing state rules, which could prove to be very disruptive.

 

The effect on financiers and venture capitalists

Forget Bitcoin: personal data has for years been the real next-generation currency. But as startups that specialize in the information space look for funding, venture capitalists will have to consider potential long-term impacts of the new rules on those businesses. Substantial changes could affect a VC’s exit and the profitability of those companies.

“They should be aware of the kind of company and data gathering they’re investing in,” says Pozzo. “There could be a lot of regulations coming.”

That means it’s more important than ever for investors to perform their due diligence around how companies are managing their data and how their internal legal or privacy frameworks are set up. “They should really kick the tires on companies to see what they’re doing to come into compliance,” he says.

Fast Company , Read Full Story

(38)