Congress should consider comprehensive privacy legislation that enhances consumer protections and includes the “oversight authorities agencies should have,” the GAO said Tuesday. Though the FTC oversees internet privacy across all industries, it lacks a privacy law “governing private companies’ collection, use, or sale of internet users’ data, leaving consumers with limited assurance that their privacy will be protected,” the GAO said. Congress should strengthen the federal privacy framework to “reflect changes in technology and the marketplace,” the report said.

Meta's Instagram will appeal the $401 million fine levied by the Irish Data Protection Commission for breaching the general data protection regulation, it told us. A DPC spokesperson confirmed the amount of the fine Tuesday, saying full details of the decision are due next week. The inquiry began in September 2020 based on information provided by a third party and in connection with processing identified by the DPC itself, the spokesperson emailed. The inquiry involved two types of data processing done by Facebook Ireland: (1) The company allowed child users between 13 and 17 to operate "business accounts" on the Instagram platform that, at certain times, required and/or facilitated publication to the public of the children's phone number and/or email address. (2) At times Facebook ran a user registration system for Instagram in which the accounts of child users were set to "public" by default, making their social media content public unless the account was otherwise set to "private" by changing privacy settings. The inquiry "focused on old settings that we updated over a year ago" and Meta has since released new features to help keep teens safe and their information private, its spokesperson emailed. The company "has engaged fully with the DPC" but disagrees with how the fine was calculated and intends to appeal it.

House Speaker Nancy Pelosi, D-Calif., should hold a floor vote on the House Commerce Committee’s bipartisan privacy legislation, some 50 public interest groups wrote the speaker Thursday. The group includes Public Knowledge, Access Now, Center for Democracy & Technology, Center for Digital Democracy, Communications Workers of America, Open MIC, Fairplay and the Electronic Privacy Information Center. The letter notes the American Data Privacy and Protection Act has “limited preemption” of state privacy laws that cover the same issues as the ADPPA: It doesn’t “preempt state civil rights laws, consumer protection laws of general applicability, or laws related to student or employee privacy, health privacy, financial privacy, social security numbers, facial recognition, electronic surveillance, encryption, or several other categories.”

Comments on the FTC’s potential privacy rulemaking (see 2208110068) are due Oct. 21, said a notice for Monday's Federal Register. The agency is seeking public comment "on the prevalence of commercial surveillance and data security practices that harm consumers," said the notice.

The California Privacy Protection Agency board will meet Thursday to discuss and possibly take action related to proposed federal privacy legislation, including the American Data Protection and Privacy Act (HR-3152), the CPPA said Tuesday. The federal bill could preempt California's privacy law. The board posted an agenda for the 9 a.m. PDT meeting.

The House Commerce Committee will mark up bipartisan privacy legislation Wednesday at 9:45 a.m. in 2123 Rayburn. The American Data Privacy and Protection Act (HR-8152) passed the House Consumer Protection Subcommittee unanimously. The latest version of the ADPPA is another good step, but the bill needs to be strengthened, said Center for Democracy & Technology CEO Alexandra Reeve Givens: “The private right of action still contains many limitations that will curtail individual enforcement, and the protections against retaliating against people who exercise their privacy choices have some loopholes that should be closed.” Public Knowledge highlighted the bill’s provisions giving the FTC authority to mandate a consumers’ right to opt out of targeted ads and a “do not collect” button, “which would allow individuals to get their data deleted from every data broker that has collected information about them.”

Government purchases of Americans’ personal data is a threat to civil liberties, House Judiciary Committee Chairman Jerry Nadler, D-N.Y., and ranking member Jim Jordan, R-Ohio, agreed Tuesday at a hearing. Never has the government had more ability to spy on its citizens, Jordan said, focusing his remarks on Foreign Intelligence Surveillance Act abuse and the surveillance of Trump campaign officials. The mass adoption of electronic devices that allow the tracking of every aspect of life means Congress needs to rethink the law, said Jordan. Law enforcement and intelligence agencies are buying data for their own use, meaning they can obtain vast quantities of information without warrant, including location, search and online preference history, said Nadler. He cited instances of pervasive use of geolocation data to track protesters, sweeping surveillance of thousands of targets to identify a minimal number of suspects and the purchase of data from dating apps. When there’s no constraint on the sale of future use of data, companies have no control over reidentification of the data or where it goes next, said Nadler. Agencies ranging from the Defense Intelligence Agency to the IRS, FBI and CIA are buying personal data of millions of Americans they would otherwise have to obtain through warrants, former House Judiciary Committee Chairman Bob Goodlatte, R-Va., told the committee during testimony. He noted a report from Sen. Ron Wyden, D-Ore., showing the Office of the Director of National Intelligence informed his office it doesn’t need to adhere to the Constitution or the Supreme Court’s Carpenter ruling on collecting cellsite location information when it buys data, which Goodlatte said is “outrageous.” Monday, the ACLU released thousands of pages of data showing Department of Homeland Security agencies paying millions to data brokers, “one of which claims to collect more than 15 billion location data points from over 250 million mobile devices every day,” said Goodlatte.

Bipartisan children’s privacy legislation is in line for a Senate Commerce Committee markup, Chair Maria Cantwell, D-Wash., told us Thursday, as expected (see 2207080053). “Not next week but maybe something after that,” Cantwell said Thursday in response to our question on Capitol Hill about the Kids Online Safety Act from Senate Consumer Protection Subcommittee Chairman Richard Blumenthal, D-Conn., and ranking member Marsha Blackburn, R-Tenn. “I think after that you might see that bill” marked up, Cantwell said.

TikTok should end plans to “force personalized ads” on users, Access Now said in a statement Tuesday. Access Now wrote a July 5 letter to TikTok asking the company to cancel plans to target users over 18 with personalized ads in the European Economic Area, U.K. and Switzerland. Access Now cited a report that TikTok is pausing those plans in favor of working with regulators. Access Now Global Data Protection Lead Estelle Masse said the company “must end” the practice for good: “When we rang the alarm bells, data protection authorities from Italy, Ireland, and Spain listened. With their swift action to protect people’s rights, they shut down a problematic practice and potential harmful precedent before TikTok could implement it.” TikTok didn't comment.

The FTC is committed to using its “full scope” of authorities to protect consumers’ location, health and sensitive data, the agency said in a blog Monday. The announcement follows an executive order from President Joe Biden aimed at combating “digital surveillance” in the wake of the overturning of Roe v. Wade (see 2207080060). The FTC will “vigorously enforce” the law, and past enforcement provides a “roadmap” for infractions involving location and health data, said FTC Division of Privacy and Identity Protection acting Associate Director Kristin Cohen. Cohen warned companies against deceptive acts involving promises to anonymize consumer data. The agency doesn’t “tolerate companies that over-collect, indefinitely retain, or misuse consumer data,” Cohen said, citing federal and state law.