The Federal Trade Commission (FTC) hosted a public forum last week to target "commercial surveillance and lax cybersecurity." While data privacy is a legitimate concern, FTC chief Lina Khan and her allies are vilifying legitimate business practices and increasingly overstepping their congressionally granted authority.
Many people are concerned about "surveillance" by anyone, no matter the intent. But the data practices Khan's agency is thinking of regulating aren't really surveillance at all. The advance notice of proposed rulemaking covers everything from the mere collection of data to specific questions about certain types of users' unique risks, which could eliminate many beneficial uses of data. Khan is conflating beneficial and risky data collection practices in an effort to kneecap successful business models she dislikes, without thinking about the impact on consumers.
Gone are the days of one-size-fits-all advertisements and experiences. Consumers today want a far more personalized experience. We enjoy it when online clothing retailers offer us coupons if we leave things in our carts and when news aggregators recommend articles based on what we enjoyed reading in the past. Such benefits are possible because of data and because of tools like cookies.
Consumers now have a wide range of choices for how their data is used, and an increasing number of sites encourage us to customize our privacy settings. Users can select different settings based on how much they trust a specific service. If they want a more personalized experience, they can have it, or they can opt out for more privacy. In many cases, consumers make choices based on the sensitivity of their activity and information. For example, most of us would expect a payment site to have more security and privacy features than a local news site.
By overriding such choices, the FTC risks taking away features that improve the consumer experience. It would also misallocate the agency's existing resources away from those bad actors that are truly harming consumers. The FTC has successfully reached sizable agreements around cases involving harm from deceptive privacy practices and lax cybersecurity, such as the Ashley Madison case, in which the FTC reached a multimillion dollar settlement over the affair-promotion company's lax data security practices and consumer deception. This and many other cases the agency has brought show that the FTC already has the authority and resources to go after malicious actors.
Instead, the FTC wants yet more powers, and it wants to take them without a grant of congressional authority. Americans should be far more afraid of what an overzealous FTC might do to the internet than of the benign, voluntary data practices the agency wants to regulate.