Attorney General Bonta: FTC Should Follow California’s Example and Adopt Robust Data Privacy Protections

OAKLAND – California Attorney General Rob Bonta today urged the Federal Trade Commission (FTC) to adopt robust protections against commercial surveillance and data security practices that harm consumers. The California Department of Justice (DOJ) has engaged in extensive consumer privacy enforcement and has developed a deep fund of knowledge concerning commercial surveillance and data security practices through its enforcement of the California Consumer Privacy Act (CCPA), the only operative comprehensive privacy rights framework in the country, among other consumer protection laws. In a letter to the FTC, Attorney General Bonta draws on this experience to identify key areas for federal regulatory action and urges the FTC to use its regulatory authority to define and prohibit additional forms of unfair and deceptive acts and practices related to data privacy protection.

“California’s first-in-the-nation privacy law provided Californians with groundbreaking rights over their personal information – and it’s past time that consumers nationwide were provided with similar protections,” said Attorney General Bonta. “Consumers deserve to know that their data is protected and their privacy respected. I urge the FTC to look to California’s example, and establish much-needed, commonsense consumer privacy protections.”

California has long been at the forefront of consumer privacy regulation and enforcement, giving consumers more control over their data and personal information through the CCPA and requiring additional protections for patient privacy as part of the Confidentiality of Medical Information Act. Most recently, California enacted the California Age-Appropriate Design Code Act, which requires businesses to consider the best interest of child users and to default to privacy and safety settings that protect children’s mental and physical health and wellbeing. Through DOJ’s recent privacy investigations, rulemaking, and enforcement actions, such as settlements with Sephora and Glow, DOJ has developed unique insights into commercial surveillance and data security. 

In today’s letter, the Attorney General draws on this experience to recommend that the FTC promulgate regulations that establish critical privacy protections, including:

• Establishing clear guardrails to protect particularly sensitive personal information, such as precise geolocation and biometric information;
• Providing consumers with a right to opt-out of the sale of their personal information by data brokers;
• Prohibiting businesses and operators of third-party online trackers from tracking or selling data from users that have enabled privacy controls, like the GPC;
• Requiring online services and products that are likely to be accessed by children to have a more stringent age verification process;
• Requiring businesses that collect or maintain health information from consumers, but are exempt from federal health information privacy laws, to have reasonable security; and
• Protecting vulnerable patients from algorithmic decision-making tools in the healthcare and insurance industry that perpetuate unfair discrimination.   

A copy of the comment letter can be found here.