• by Wendy Davis , Staff Writer @wendyndavis, September 21, 2023

For the second time this week, the Federal Trade Commission's consumer protection chief has criticized the long-standing self-regulatory approach to privacy.

“With no legislation in place, what has emerged over the last two decades is a regime grounded entirely in the fiction of notice and choice,” Samuel Levine told the data-broker trade group Consumer Data Industry Association Thursday, according to a written version of his prepared speech. “Consumers do not have the time to read hundreds of pages of dense privacy policies, and it should not be their burden to do so. Nor do consumers have real choice when so much of our lives depends on participating in the digital economy.”

The remarks come two days after Levine told the National Advertising Division of the BBB National Programs that the industry's self-regulatory effort on privacy had failed. The ad industry's self-regulatory framework broadly involves notifying consumers about data collection and allowing them to reject some uses of their information.

Levine on Thursday condemned what he called “unchecked commercial surveillance,” which he said “endangers our privacy, our financial welfare, and our liberty.”

He added that the unregulated nature of data has led to “vast, unfettered tracking” of people's behavior.

“Worse than this unchecked collection is the continuous cycle of companies buying more data on each consumer, aggregating, creating profiles, and selling these profiles to additional third parties with little screening about potential uses,” he said. “Countless data aggregators collect, buy, and combine data from multiple sources and sell it to marketers, researchers, or government agencies.”

The FTC currently is considering whether to issue privacy regulations. Advocates have long clamored for official restrictions on data gathering, while the ad industry has argued that any new rules should come from Congress.

New rules or not, Levine made it clear that the FTC is already pressing companies to curb the amount of information they gather about consumers.

“An increasing number of orders in our privacy and data security cases are requiring companies to minimize the consumer data they collect and retain it for no longer than is reasonably necessary,” he said. “Data that isn’t collected can’t be compromised, and the unnecessary retention of vast troves of personal data heighten the risks and increase the stakes of data breaches, manipulation, and other abuses.”

Meanwhile, officials in other states aren't waiting for the FTC to issue privacy rules.

Earlier this year, Washington state passed My Health My Data, which prohibits app developers, website operators and others from collecting, processing or sharing a broad range of information about consumers' health without their explicit consent.

And California lawmakers just approved the Delete Act, which aims to enable residents to easily remove their information from every data broker registered with the state.

Advocacy groups backed that measure, while business organizations -- including groups representing advertisers and data brokers -- opposed it.

“Without data, companies would not be able to deliver critically important products and services consumers benefit from today, sometimes without even being aware of how this data supports their safety and enjoyment of everyday life,” 19 groups including the Association of National Advertisers, American Association of Advertising Agencies, California Retailers Association, Interactive Advertising Bureau, Los Angeles Area Chamber of Commerce and NetChoice said in a letter sent earlier this month to lawmakers.

That law currently awaits Governor Gavin Newsom's signature.