Greetings from Portsmouth, New Hampshire!
We've reached the point of playing "Take Your Pick" with formulating the U.S. privacy regime. The best shot at comprehensive federal privacy legislation in years, the proposed American Data Privacy and Protection Act, versus the U.S. Federal Trade Commission beefing things up via proposed privacy and data security rulemaking.
Make no mistake, one of these will come to fruition. It just might be awhile before we see it. Debates around the ADPPA are ongoing and bogging the current legislative process down while FTC rulemaking has its own tedious stakeholder process but also undoubtedly faces legal challenges that leave a finalization date very much up in the air.
Neither scenario presents a clear streamlined path to improved regulatory landscape with certainty for companies. There might need to be some added incentive to kick either process into overdrive and round up support. That motivation may have arrived courtesy of Twitter whistleblower Peiter Zatko.
The platform's former head of security filed a complaint alleging Twitter operates under lax cybersecurity practices, including overbroad data access and data mishandling. Zatko is scheduled to appear before the U.S. Senate Committee on the Judiciary Sept. 13 to discuss his claims, but federal lawmakers are already calling on the FTC and other regulators to do their own investigations as Congress does its own due diligence.
Timing is why these Twitter claims may spur current efforts for generating new support or speeding up processes for federal legislation and rulemaking.
Folks may scoff at that concept while looking back to the FTC's historic fines against Facebook and Equifax in 2019. The FTC at the time was standing on its big fines being enough of a deterrence for other companies moving forward while Congress made a play for bipartisanship at the end of 2019 that fizzled into two proposals that helped create the privacy gridlock lawmakers are still fighting through today.
The Twitter complaint feels different. This alleged privacy crisis is happening in the thick of two processes this time. The FTC also fined Twitter $150 million in May as part of a settlement featuring corrective measures that may have been violated if Zatko's allegations are found credible. Potential violation of the FTC settlement could force a re-think on deterrence, and what better way to do that than through federal privacy legislation or FTC rules.
A lot will be learned from Zatko's appearance before the Senate Judiciary Committee, but importantly, there is real potential for a fresh spark to further ignite the ongoing privacy work by Congress and the FTC.