SECTION 5’s SHORTCOMINGS: THE NEED FOR A FEDERAL DATA PRIVACY LAW TO ADDRESS BIG TECH'S EXPLOITATION OF CONSUMER DATA

Hannah DeGraw

As our society becomes more digitized, the most dominant American technology companies, otherwise known as “Big Tech”, have utilized their immense financial and technological resources to collect and monetize consumer information, often without the knowledge or full consent of users. The consequences of Big Tech’s extensive access to users’ private information may not be immediately apparent to many consumers. However, it is crucial to recognize that this kind of surveillance, conducted without proper oversight or consumer consent, sets a dangerous precedent that large corporations can exploit consumer data for commercial gain. Moreover, tolerating Big Tech’s invasive collection of user information has consequences far beyond targeted advertising; it directly threatens consumers’ privacy, autonomy, and safety.

The rise of Artificial Intelligence (“AI”) has enabled these companies to process vast amounts of data to predict consumer behavior, personalize advertisements, and manipulate user experiences in real time.[1] Voice assistants such as Google Assistant, Apple’s Siri, and Amazon’s Alexa gather enough data from voice recognition technology to create a profile about the user’s age, gender, height, weight, ethnicity, personality traits and possible health issues.[2] Further, by continuously collecting data through geolocation technology on smartphones and apps, companies gain detailed insights into where each person lives, works, and travels.[3] Gathering this specific information enables companies to generate location-specific advertising, which contributes to billions of dollars in annual sales for businesses.[4]

Big Tech has also openly utilized facial recognition and biometric data such as fingerprint recognition from social media platforms and smart devices to identify and track individual users.[5] In addition to using this information for their own use, companies profit off this technology by selling their software and data to law enforcement or third parties.[6] This information is particularly sensitive, as it can be used to reveal whether an individual used certain healthcare services, attended religious gatherings, or participated in political protests or union meetings.[7] As this data can be accessed or subpoenaed later as evidence, it is increasingly critical that Big Tech companies are transparent with consumers about whether and how that information is being collected and stored, which they have repeatedly failed to do. Further, these corporations have frequently put consumers’ personal information at risk by not adequately restricting third party access to data.

Over the years, Big Tech has repeatedly faced scrutiny and penalties for unethical and illegal actions yet has continued to violate users’ rights. One major reason for this persistent behavior is that the current regulatory framework has been inadequate in providing an effective, long-term solution. The FTC Act, Section 5, is the primary federal statute used to regulate “unfair or deceptive acts or practices in or affecting commerce”’ including data privacy violations by Big Tech.[8] The process by which the FTC investigates and addresses these violations reveals significant limitations in its enforcement mechanisms.

First, the fines imposed on Big Tech under Section 5, though significant, fail to deter misconduct. Facebook’s $5 billion penalty in 2019, for example, barely impacted the company.[9] Its stock price rose nearly 2%, adding $10 billion to its market value, while revenue increased by over $15 billion the following year.[10] Similarly, Google’s revenue surged after a $22.5 million fine in 2012 and another $170 million fine in 2019, highlighting how these penalties are absorbed as operational costs, allowing predatory data practices to persist.[11]

Second, Section 5’s reactive framework addresses violations only after they occur, enabling Big Tech to exploit gaps in regulation. The statute’s vague language and restricted rulemaking authority prevent the FTC from establishing proactive and consistent regulations. Moreover, Section 5 does not grant consumers a private right of action, leaving individuals dependent on an under-resourced FTC for redress.

Although the FTC’s Section 5 has been a useful tool for consumer protection, it has proven inadequate for addressing Big Tech's complex and evolving data practices. Potential solutions, such as increasing FTC staff, could enhance enforcement but would not resolve the deeper structural problems with Section 5. Similarly, relying on state-level regulations creates a fragmented system that lacks the uniformity needed for effective national oversight of Big Tech.[12] A patchwork of varying state laws would complicate compliance for companies, increasing the risk of legal errors due to inconsistent standards.[13] This complexity not only raises operational challenges for companies but also weakens protections for consumers, as fragmented regulations fail to ensure consistent privacy safeguards across state lines​.[14] A federal data privacy law remains the most viable long-term solution for regulation, providing consistency and addressing the gaps in current regulatory frameworks.

A recently proposed bill, the American Privacy Rights Act (“APRA”) represents a significant step toward solving these issues by establishing comprehensive, nationwide data protection standards.[15] Introduced by bipartisan lawmakers in early 2024, APRA has gained momentum due to its focus on consumer rights and corporate accountability.[16] The Act tackles several core deficiencies of Section 5 by implementing proactive transparency requirements, stronger enforcement mechanisms, and allowing individuals to pursue legal action.[17] Specifically, the APRA would introduce revenue-based fines, establish clear rules for data collection practices, empower the FTC with greater rulemaking authority, and provide individuals with a right to seek redress.[18]

Some skeptics argue that APRA may face the same fate as previous federal data privacy proposals, such as the American Data Privacy Protection Act (“ADPPA”) in 2022.[19] The ADPPA failed to pass largely due to disagreements over its preemption of state laws, particularly California’s more stringent privacy regulations.[20] However, there are key differences between the APRA and its predecessors that makes its success more likely. First, the APRA has more bipartisan support, helping to overcome some of the political barriers that hindered previous attempts to pass a federal data privacy law.[21] Additionally, unlike the ADPPA, the APRA includes an agreement that the federal law will preempt state laws by default but also addresses state concerns by allowing for the retention of higher privacy standards in specific areas to ensure that the Act does not entirely override state laws.[22] This balance between federal oversight and state autonomy gives the APRA a stronger foundation for gaining broader support. While not without challenges, APRA’s efforts to address gaps in Section 5 of the FTC Act marks a meaningful step toward stronger consumer data privacy protection.

[1] Dorian Lynskey, ‘'Alexa, are you invading my privacy?’ – the dark side of our voice assistants, The Guardian (Oct. 9, 2019, 1:00 PM), https://www.theguardian.com/technology/2019/oct/09/alexa-are-you-invading-my-privacy-the-dark-side-of-our-voice-assistants.

[2] Max Zahn, Collection of voice data for profit raises privacy fears, ABC News (Jan. 18, 2023, 6:04 AM), https://abcnews.go.com/Technology/collection-voice-data-profit-raises-privacy-fears/story?id=96363792.

[3] Geoapify, What is Geolocation: How It Works and Its Many Uses, (April 11, 2023) https://www.geoapify.com/what-is-geolocation/#:~:text=By%20leveraging%20location%2Dbased%20insights%2C%20companies%20can%20offer,into%20their%20customers'%20behavior%2C%20preferences%2C%20and%20habits.

[4] Paige Boshell, The Power of Place: Geolocation Tracking and Privacy, Business Law Today (Mar. 25, 2019) https://businesslawtoday.org/2019/03/power-place-geolocation-tracking-privacy/#:~:text=At%20least%2075%20companies%20receive,than%2014%2C000%20times%20a%20day.

[5] See Press Release, Fed. Trade Comm’n, FTC Warns About Misuses of Biometric Information and Harm to Consumers (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers.

[6] Thorin Klosowski, Facial Recognition Is Everywhere. Here’s What We Can Do About It, N.Y. Times (July 15, 2020), https://www.nytimes.com/wirecutter/blog/how-facial-recognition-works/.

[7] See Press Release, Fed. Trade Comm’n, FTC Warns About Misuses of Biometric Information and Harm to Consumers.

[8] Federal Trade Commission, Enforcement Authority, https://www.ftc.gov/about-ftc/mission/enforcement-authority.

[9] Tara Seals, Privacy Experts: Facebook’s $5B Fine Unlikely to Do Much, Threat Post (July 15, 2019, 6:07 PM), https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/.

[10] Charlotte Jee, Facebook is actually worth more thanks to news of the FTC’s $5 billion fine, MIT Technology Review (July 15, 2019), https://www.technologyreview.com/2019/07/15/134196/facebook-is-actually-richer-thanks-to-news-of-the-ftcs-5-billion-fine/.

[11] Tiago Bianchi, Annual revenue of Google from 2002 to 2023, Statista (May 22, 2024), https://www.statista.com/statistics/266206/googles-annual-global-revenue/.

[12] Alan Friel, State Privacy Law Patchwork Presents Challenges, Privacy World (June 10, 2024), https://www.privacyworld.blog/2024/06/state-privacy-law-patchwork-presents-challenges/.

[13] Phillip Yanella, New State Privacy Laws Creating Complicated Patchwork of Privacy Obligations, Blank Rome (June 7, 2024), https://www.blankrome.com/publications/new-state-privacy-laws-creating-complicated-patchwork-privacy-obligations.

[14] Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, CFR (Jan. 2018), https://www.cfr.org/report/reforming-us-approach-data-protection#:~:text=Yet%20record%2Dshattering%20data%20breaches,between%20state%20and%20federal%20requirements.

[15] Rebecca Kern, Bipartisan draft bill breaks stalemate on federal data privacy negotiations, Politico (June 6, 2022, 5:46 PM), https://www.politico.com/news/2022/06/03/bipartisan-draft-bill-breaks-stalemate-on-federal-privacy-bill-negotiations-00037092.

[16] Id.

[17] Id.

[18] Id.

[19] Leah Dempsey, Data Privacy Strikes Back: American Privacy Rights Act, Brownstein (April 11, 2024), https://www.bhfs.com/insights/alerts-articles/2024/data-privacy-strikes-back-american-privacy-rights-act#:~:text=He%20is%20currently%20considering%20a,by%2Dsection%20is%20available%20here.

[20] Id.

[21] Gopal Ratnam, Bipartisan Federal Data Privacy Deal Close, Lawmakers Say, Government Technology (April 28, 2024), https://www.govtech.com/policy/bipartisan-federal-data-privacy-deal-close-lawmakers-say.

[22] Kirk J. Nahra, New Federal Privacy Bill Draft Hits Congress, WilmerHale (April 19, 2024), https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240418-new-federal-privacy-bill-draft-hits-congress#:~:text=Softens%20the%20Preemption%20Provision:%20One,small%20preemption%20carveout%20for%20remedies.