• by Wendy Davis  @wendyndavis, July 27, 2021

Federal Trade Commissioner Rebecca Kelly Slaughter suggested Tuesday that the agency's approach to privacy could result in new scrutiny of business models that rely on harvesting data -- including behavioral targeting.

"Can we move away from the outdated notice-and-consent model to govern questions surrounding personal data, and instead turn our focus to the underlying business structures and incentives that are anchored in indiscriminate collection and application of personal data to fuel data-driven business models such as behavioral advertising?" she said at the agency's annual PrivacyCon. "It is this underlying incentive structure that has caused so many of the harms and privacy risks we’re here to discuss today."

She also floated the idea that companies should collect as little personal information as possible.

"Rather than focusing on opt-in versus opt-out, and whether privacy policies are clear enough, I believe we should be discussing the concept of data minimization," Slaughter said.

Some privacy advocates have long argued that companies should only collect the amount of data necessary for a specific purpose, and then only use the information for that purpose.

FTC technologist Erie Meyer signaled in a separate speech that the agency plans to crack down on privacy violators.

“We're going to make sure that data abusers face consequences for their wrongdoing,” she said.

Meyer added that privacy violators should be required to “disgorge algorithms that were juiced by ill-gotten data.”

The agency has already forced at least one company, facial recognition enterprise Everalbum, to shed algorithms that were derived from data. In that case, Everalbum allegedly developed the algorithms from photos and videos that users had uploaded to a photo storage app.

Meyer also said that companies shouldn't be able to come into compliance simply by “papering over questionable conduct.”

In the past, the FTC has resolved some privacy prosecutions by requiring companies to develop and post comprehensive data policies.