Earlier this year, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking to crack down on harmful commercial surveillance and lax data security. The proposed rule included a broad definition of “commercial surveillance,” which, if left unchanged, would prevent debt collection industry participants from providing consumers with the information they request and require to engage in financial transactions. On November 21, 2022, the Consumer Relations Consortium (CRC) submitted comments to the FTC explaining that other laws and regulations cover these objectives for the financial services industry.
The CRC began its comment by recommending that the FTC focus on enforcing existing laws instead of creating new regulations. Specifically, the CRC pointed to the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain information-sharing practices to consumers and safeguard sensitive data, and the Safeguards Rule, amended in 2021, which requires debt collectors to implement and maintain an information security program.
After mentioning that overlaying additional and untested privacy rules will have unintended consequences, the CRC responded to the following questions posed by the FTC:
- The FTC asked whether it should pursue a rulemaking and, if so, what kinds of data should be subject to a potential rule. The CRC responded that since the financial services market is already heavily regulated, consumer privacy is adequately protected and a new rule is not necessary. Should the FTC move forward, however, to avoid conflict with existing laws, any new rule should only apply to data the existing laws do not otherwise cover.
- In response to the FTC’s question about which commercial incentives and business models lead to lax data security measures or harmful commercial surveillance practices, the CRC suggested that clear and consistent guidance premised upon well-defined laws leads to stronger standards. As such, the FTC should focus on issuing clear guidance for businesses regarding data not currently subject to regulation. The applicability of new standards should consider the size and nature of data being gathered and stored.
The full comment can be found here.