The Federal Trade Commission (FTC) will explore rules to crack down on lax data security and harmful commercial surveillance. 

Commercial surveillance — the business of collecting, analyzing, and profiting from information about people —  and mass surveillance have “heightened the risks and stakes of data breaches, deception, manipulation, and other abuses,” the FTC says. 

The agency announced it would also seek public comment on the harms of commercial surveillance and whether new rules are needed to protect people’s privacy and information. For example, some companies fail to adequately secure the vast troves of consumer data they collect, putting that information at risk to hackers and data thieves.

While little is known about the automated systems that analyze data companies collect, research suggests that these algorithms are prone to errors, bias, and inaccuracy, the FTC says. As a result, commercial surveillance practices may “discriminate against consumers based on legally protected characteristics like race, gender, religion, and age, harming their ability to obtain housing, credit, employment, or other critical needs.”

In recent years, the FTC has used its existing authority under the FTC Act to bring hundreds of enforcement actions against companies for privacy and data security violations. These include cases involving sharing health-related data with third parties, collecting and sharing sensitive television viewing data for targeted advertising, and failing to implement reasonable security measures to protect sensitive personal data such as Social Security numbers.

For example, in June, the FTC ordered CafePress to bolster its data security and the former owner to pay a half million dollars to compensate small businesses for failing to implement reasonable security measures. In May, the agency took action against Twitter for allegedly misusing account security data for targeted advertising. Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.

However, these past enforcement actions “may not be enough to protect consumers,” the FTC says, as its ability to deter unlawful conduct and practices is limited because the agency lacks authority to seek financial penalties for initial violations of the FTC Act. 

As a result, the FTC wants rules that establish clear privacy and data security requirements across the board and provide the Commission the authority to seek financial penalties for first-time violations, which could, in turn, incentivize all companies to invest more consistently in compliant practices.

In a statement, FTC Commissioner Rebecca Kelly Slaughter noted she was eager for Congress to make progress toward a privacy law, referring to the House panel advancing a comprehensive data privacy bill that aims to set a national standard for how companies collect and use Americans’ data. 

“The best time to initiate this lengthy process was years ago, but the second-best time is now. Effective nationwide rules governing the collection and use of data are long overdue. As the nation’s principal consumer-protection agency, we have a responsibility to act,” the Commissioner said.