FTC Considers Rulemaking Around Commercial Surveillance, Data Security

by Chris Brook on Monday August 15, 2022

How do companies protect consumer data? That's one question the FTC is hoping to answer as it seeks rules to establish clear privacy and data security requirements.

When Lina Khan was elevated to the head of the Federal Trade Commission last summer, many expected the move would put big tech, especially companies like Google, Twitter, and Microsoft, in the crosshairs.

By most counts, however, Khan, long an outspoken critic of the agency and its softened stance towards monopolies, had a slow start at the FTC. In May, when the agency gained a new commissioner, Alvaro Bedoya, it signaled a tidal shift and empowered Khan with a new Democratic majority.

It took a few months, but last week saw one of the first fully realized steps under the majority when the agency said it was looking into rules to crack down on lax data security and mass surveillance.

Specifically, the FTC said it was moving forward with exploring privacy rulemaking in order to better protect the privacy of U.S. citizens and to keep companies honest, namely those that engage in excessive data collection and use of personal information.

The announcement, made last Thursday, welcomes public comment on potential consumer harms stemming from poor data security or surveillance technology and whether new rules are needed to address them.

“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” Khan said following the announcement last week.

“The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”

Given the influx of news stories over the years detailing data breaches, how personal data can be bought and sold for targeted advertising, and the commoditization of commercial surveillance, rulemaking around protecting personal data has been overdue.

If there were a trade regulation rule, for example, the FTC is asking the general public what it should be limited to.

"Personally identifiable data, sensitive data, data about protected categories and their proxies, data that is linkable to a device, or non-aggregated data? Or should a potential rule be agnostic about kinds of data?" reads one sample question on the FTC’s Federal Register Notice.

While the FTC has previously used its authority under the FTC Act to bring enforcement against companies that abuse it - it has the authority to oversee and enforce issues related to the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children's Online Privacy Protection Act, for instance - the agency has been hamstrung by the fact that it doesn't have the ability to impose a financial penalty for first-time offenders.

Data privacy legislation aimed at furthering the FTC's enforcement power has been introduced over the years; it just hasn't gone anywhere. Universal rules around how data is collected, analyzed, and monetized could help the FTC wield that power and incentivize organizations to comply with them.

Still, it's worth noting that this is just the first step in what is sure to be a very lengthy process for the agency. Even once it's past the comment stage, creating privacy regulations can take years, as many organizations will likely challenge rules in court that go against the FTC's usual directive: protecting consumers from deceptive and unfair practices.

The FTC will host a public forum on commercial surveillance and data security next month, on September 8, to further dialogue around the proposed rulemaking.

Tags:  Privacy

Chris Brook

Chris Brook is the editor of Digital Guardian’s Data Insider blog. He is a cybersecurity writer with nearly 15 years of experience reporting and writing about information security, attending infosec conferences like Black Hat and RSA, and interviewing hackers and security researchers. Prior to joining Digital Guardian–acquired by Fortra in 2021–he helped launch Threatpost, an independent news site that was a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.
