Thanks to a Federal Trade Commission rule, the GDPR possibly could be enforced against those companies in the United States too.
Countless companies have scrambled to update their privacy policies before the GDPR takes effect today. To avoid customer backlash and simplify operations, many global companies are implementing privacy practice updates for all their customers, not just EU residents, says Jay Stanley, senior policy analyst with the American Civil Liberties Union’s Speech, Privacy, and Technology Project.
Fairly typical of the changes companies are making is eBay’s creation of easy-to-recognize icons to help highlight privacy topics, among updates to user control of their data. It is also offering new information about when it deletes user data, as well as the “different purposes for which we use your personal information,” the company said in a statement.
GDPR rules call for much more extensive updates, some privacy advocates say. In many cases, companies now need clear and informed consent to process a consumer’s personal data, and consumers have the right to ask that companies erase their data. Consumers can also object to use of their data, including online profiling, and the GDPR allows them to dispute decisions made using automated processing, including artificial intelligence, without human intervention.
While the United States doesn’t have strong privacy rules like the GDPR, the FTC has a rule that organizations must abide by their own privacy policies, and it can take action against those that fail to do so.
“Such a statement could be enforced by the Federal Trade Commission under its ability to police unfair or deceptive business practices,” he says. “If a company says it’ll comply with the GDPR and then doesn’t, that would be deceptive at minimum.”
The Federal Trade Commission Act, which gives the agency authority to investigate unfair or deceptive business practices, could be used to enforce GDPR-related promises, an agency representative confirms. The FTC could take action when “a company chooses to implement some or all of GDPR across [its] entire operations, and makes promises to U.S. consumers about their specific practices,” she says.
The statute has a limited scope, however, and in most cases, the FTC cannot levy a fine against a company that violates its own privacy promises. Without regular fining authority, the agency can’t compete with the GDPR’s maximum fines of 20 million euros or 4 percent of a company’s annual revenue, whichever is greater.
Instead, a typical FTC enforcement action in a privacy or data security case requires the targeted company to create a comprehensive privacy or security plan, and to submit to independent audits every other year for 20 years. If the company then violates the agency enforcement plan, the FTC can levy fines of more than $40,000 per violation.
Further limiting the FTC’s ability to enforce GDPR-related privacy rules are companies’ own precautionary measures. As companies revamp their privacy policies to comply with the GDPR, many have been careful to avoid making new promises, Jerome says. And many of the changes have been “more in form than substance.”
And the FTC already has a questionable track record of holding companies accountable for privacy violations. The agency has frequently failed to bring enforcement actions against repeat offenders, says Sunny Seon Kang, international consumer counsel at the Electronic Privacy Information Center.
Facebook, for example, is facing questions about its privacy protections after the Cambridge Analytica data leak, but the company remains under a 2011 consent decree with the FTC that, among other things, prohibits the company from misrepresenting the privacy or security of users’ personal data. The FTC has, thus far, taken no action against Facebook for the Cambridge Analytica leak.
Facebook has worked for 18 months to ensure that it complies with GDPR, a representative says. “We have made our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download, and delete their information,” she adds.
The social-media giant is also building a tool to help users see the websites and apps that send Facebook information when used. The tool will allow Facebook users to delete this information from their accounts and to turn off the ability for Facebook to store it, she says.
Still, many privacy advocates say Facebook’s promises related to transparency and user control fall short of the GDPR’s scope.
Beyond the FTC, individuals and organizations could file lawsuits against companies that fail to comply with the GDPR, privacy advocates say. By pressing companies to strictly comply with their GDPR-compliant privacy policies, the GDPR could create a de facto global privacy standard that international companies must follow.
“Companies really need to take this seriously, and [privacy] practices need to change, or we will force them to change,” says David Martin, senior legal officer of the European Consumer Organization.