By Susan Hintze and Sam Castic
On August 11, 2022, the Federal Trade Commission (“FTC”) published an advance notice of proposed rulemaking (“ANPR”) in a 3-2 vote on party lines requesting public comment on questions covering a wide range of “commercial surveillance” and data security practices. The FTC defines “commercial surveillance” to include a wide array of practices most businesses commonly engage in with their customers and employees. The FTC’s scope of data security practices includes expected areas such as data breach response but also includes data management, retention, and data minimization areas it has not dedicated significant attention to in the past. The FTC provided additional summaries of these practices in a “fact sheet” it released with the ANPR.
The Commission issued the ANPR pursuant to Section 18 of the Federal Trade Commission Act (“FTC Act”), also known as Magnuson-Moss (“Mag-Moss”) rulemaking. Such rulemaking is allowed if the FTC “has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.”
The ANPR identifies four reasons for potential regulations:
1. Enabling the FTC to fine companies for first-time violations to “incentivize all companies to invest in compliance more consistently. . .,”
2. Requiring companies to proactively implement specific privacy and security controls to prevent consumer harms,
3. To enable the FTC to seek monetary relief for acts or practices even where harms are not possible to quantify financially, and
4. To clearly and predictably identify requirements companies must comply with even in the absence of prior FTC enforcement actions.
Overall, the ANPR broadly seeks comment on ways in which companies:
a. collect, aggregate, protect, use, analyze, and retain consumer data, as well as
b. transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.
In particular, the ANPR asks 95 questions in the following areas:
The extent to which commercial surveillance practices or lax security measures harm people in their physical security, economically, psychologically, reputationally, or in other “unwanted” ways
The extent to which children and teenagers are harmed by commercial surveillance practices or lax security measures
How the FTC should balance costs and benefits of current business practices and potential regulations
If and how the FTC should regulate commercial surveillance and data security practices, including with rules on:
o data security, such as by requiring specific security controls, regulating customer-facing claims on security practices, or mandating companies certify compliance with objective security standards
o collecting, using, retaining, and transferring consumer data, such as
- prohibitions on collecting facial recognition or other biometric data,
- bans on certain types of companies (social media, search, finance, etc.) owning/operating businesses engaged in “commercial surveillance practices like personalized or targeted advertising,”
- limits on what types of consumer data can be collected and retained and whether “data minimization” should be obligatory, and
- limits on the purposes for which consumer data can be collected or used
o automated decision-making, including for
- measuring and mitigating algorithmic error,
- mandating clear standards for automatic decision-making (including on accuracy, validity, reliability), and
- prohibitions on use of automated decision-making in particular industry sectors or contexts
o discrimination based on protected categories, including
- how to measure and address discrimination resulting from algorithms or automated decision-making, and
- whether rules should narrowly focus on existing protected classifications under applicable law or broadly focus on vulnerable populations
o consumer consent, including
- whether consent is effective in light of the “scale, opacity, and pervasiveness of existing commercial surveillance,”
- whether there are practices that should be prohibited regardless of consent,
- new requirements for obtaining and allowing revocation of consent, and
- rules for allowing people to opt-out of certain “surveillance” practices (such as personalized or targeted advertising)
o notice, transparency, and disclosure, such as
- mandatory disclosure of commercial surveillance practices,
- mechanisms the FTC should use to review companies’ disclosures,
- how companies are opaque about practices,
- what third parties and auditors the FTC should rely on to “facilitate new disclosure rules,”
- what practices must be clearly disclosed by companies (e.g., on how they or their vendors engage in automated decision-making, what they do to prevent privacy harms, etc.), and
- whether to mandate privacy impact assessments and third-party audits of data practices to assure disclosures are and stay accurate
o remedies, including whether specific forms of relief or damages are required, including for “algorithmic disgorgement, a remedy that forbids companies from profiting from unlawful practices relating to their use of automated systems. . .,” and
o obsolescence for rules issued based on changing business practices or technology.
The FTC notes it may not limit proposed regulations to the topics above, and it welcomes proposals for approaches and rules—including from “those currently in force in foreign jurisdictions, individual U.S. states, and other legal jurisdictions”—from commenters.
Published in the wake of the momentum of a bipartisan comprehensive privacy bill, the American Data Privacy and Protection Act (ADPPA), the ANPR is already generating a variety of responses. It prompted criticism amongst some supporters of the ADPPA. Dissenting FTC Commissioner Christine Wilson expressed “grave concerns that opponents of the bill will use the ANPR as an excuse to derail the ADPPA.” Others see it as an effort to push Congress to pass ADPPA. Indeed, the FTC was previously encouraged to issue this ANPR by certain members of Congress, including Senator Blumenthal, a supporter of ADPPA. The ANPR also received support from the White House and consumer protection groups while others such as the US Chamber of Commerce and FTC Commissioner Noah Phillips criticized the ANPR as overreaching.
Unlike rulemaking directed by Congress, such as under sector-specific laws like COPPA and GLBA, Mag-Moss rulemaking involves a lengthy multi-step process, so federal regulations, while possible, are not imminent. If federal regulations do result from this process, the types of issues covered by the ANPR indicate significant new privacy and personal data governance obligations for companies doing business in the US.
Those who wish to submit comments may do so within 60 days after the publication of the ANPR in the Federal Register. The FTC will also host a virtual forum on September 8 and will allow members of the public to speak for 2 minutes.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.