The Federal Trade Commission (FTC) may have just taken its first steps towards the creation of generally applicable federal privacy and security rules. On Aug. 11, 2022, the FTC published an advance notice of proposed rulemaking (ANPR) seeking public comment on commercial surveillance and data security practices. The FTC says it issued the ANPR "because recent Commission actions, news reporting, and public research suggest that harmful commercial surveillance and lax data security practices may be prevalent and increasingly unavoidable."1
- By "commercial surveillance" the FTC means "the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information," including information directly provided by and automatically collected from consumers.2
- By "data security" the FTC means "breach risk mitigation, data management and retention, data minimization, and breach notification and disclosures practices."3
The FTC says that it does not intend to use the ANPR to propose new rules, but rather to "generate a public record" about commercial surveillance and data security practices that are unfair or deceptive. Based on that public record, the Commission says, it will consider potential regulatory approaches.
Despite the FTC's relatively modest description of its ambitions for the ANPR, it is difficult not to see the ANPR as the beginning of a major push by the FTC for a comprehensive data privacy and security law regime that also focuses on the use of so-called "automated decision-making systems," which are generally understood to include systems enabled by machine learning and other forms of artificial intelligence to perform a variety of commercial and public tasks.
FTC Chair Lina Khan has criticized the FTC's "notice and consent" regulatory regime for privacy and security on numerous occasions and has suggested the need for limitations on or outright prohibitions of some data practices.4 It is also noteworthy that the FTC published the ANPR amidst the ongoing debate in Congress over the American Data Privacy and Protection Act, a proposed federal privacy law, suggesting that the FTC might be hoping to use the ANPR to either push Congress to enact a federal privacy law or, in the absence of congressional action, move forward on its own to create such a law through rulemaking. Even so, any new rules from the FTC in this area are likely a long way off.
The FTC "is asking the public to weigh in on whether new rules are needed to protect people's privacy and information in the commercial surveillance economy."5 Notably, the ANPR is focused on the impact to individuals both as consumers in a personal or household capacity and as workers or employees in a business capacity.
DWT's Privacy & Security team summarizes the ANPR below. Our Artificial Intelligence team has published a parallel blog post exploring what the ANPR could mean for the potential regulation of artificial intelligence and machine learning systems.
Overview of the ANPR
In its overview of the ANPR, the FTC summarizes the many ways businesses collect and use data and draws attention to several concerns about these practices. Those concerns include: (1) uses of consumer data for purposes other than the purposes for which it was collected; (2) whether consumers can meaningfully consent; (3) the use of dark patterns; (4) cybersecurity risks and the cost of security harms; (5) the financial, safety, and health risks resulting from the collection and use of data; and (6) the rise in automated decision-making as a new mechanism for discrimination.
The FTC also points to the recent rise in privacy and security regulation at the international and state levels, perhaps to highlight the need for a more comprehensive regulatory approach at the federal level.
In addition, the ANPR highlights the FTC's recent enforcement activity, but asserts that case-by-case enforcement without rulemaking "may be insufficient to protect consumers from significant harms."6 Specifically, the FTC highlights the following insufficiencies in its current regulatory framework:
- Remedies are limited, particularly the inability to seek civil penalties for first-time violations of Section 5, which could act as a deterrent;
- Injunctive relief may be inadequate, particularly to remedy inadequate security practices;
- Monetary relief may be difficult to apply, as some harms may not result in financial or other easily quantifiable injury;
- A recent U.S. Supreme Court decision affirmed a Third Circuit decision that held the FTC lacked authority to order disgorgement to compensate consumers for violations of the FTC Act in the absence of specific rules;7 and
- The FTC's limited resources to investigate and enforce would be more efficiently directed with a rule that clarifies the FTC Act's application to commercial surveillance and data security practices.
Through a series of queries related to the overarching questions listed below, the FTC seeks public comment regarding "(a) the nature and prevalence of harmful commercial surveillance and lax data security practices, (b) the balance of costs and countervailing benefits of such practices for consumers and competition, as well as the costs and benefits of any given potential trade regulation rule, and (c) proposals for protecting consumers from harmful and prevalent commercial surveillance and lax data security practices."8
- 1. To what extent do commercial surveillance practices or lax security measures harm consumers?
- 2. To what extent do commercial surveillance practices or lax security measures harm children, including teenagers?
- 3. What are the costs and countervailing benefits of commercial surveillance practices for consumers and competition?
- 4. How "prevalent" are the commercial surveillance practices that would support a rulemaking under Section 18 of the FTC Act?
- 5. How, if at all, should the Commission regulate harmful commercial surveillance or data security practices that are prevalent and how should it address the topics listed below?
  - a. Rulemaking generally (i.e., should there be rulemaking?)
  - b. Data security
  - c. Collection, use, retention, and transfer of consumer data
  - d. Automated decision-making systems
  - e. Discrimination based on protected categories
  - f. Consumer consent
  - g. Notice, transparency, and disclosure
    - i. Mechanisms for opacity
    - ii. Who should administer notice or disclosure requirements
    - iii. What should companies provide notice of or disclose?
  - h. Remedies
  - i. Obsolescence
Key areas of focus in the questions include:
- The privacy of children, including teenagers (i.e., those older than the Children's Online Privacy Protection Act's (COPPA) 13-year-old threshold)
- Biometric information, facial recognition, and fingerprinting
- Personalized or targeted advertising
- Purpose limitations
- Data minimization
- Automated decision-making systems, including algorithmic error and discrimination
- Effectiveness and limits of consumer consent
- Effectiveness of opt-out regimes
The Comment Period
Interested parties must submit comments by Oct. 21, 2022. The FTC encourages commenters to provide supporting material, describe the relative costs and benefits of their recommended approach, and link their recommendations to specific practices identified in the ANPR, among other things. The FTC will hold a public forum about the ANPR on Sept. 8, 2022.9
Consumer advocacy groups, businesses from numerous industries and many others will undoubtedly take great interest in the ANPR and the FTC's exploration of rulemaking on privacy and security. Comments on the ANPR are likely to be numerous. DWT's Privacy & Security team will monitor the ANPR and related FTC activities, as well as the ongoing congressional debate on the adoption of a federal privacy law.
1 ANPR, 10. The FTC also provided two factsheets on "Commercial Surveillance and Data Security" as well as "Public Participation in the Section 18 Rulemaking Process" with its Press Release (available here).
2 ANPR, 13.
3 ANPR, 12.
4 See "FTC Chair Lina Khan calls for a paradigm shift on data privacy," Washington Post, Apr. 12, 2022, washingtonpost.com/politics/2022/04/12/ftc-chair-lina-khan-calls-paradigm-shift-data-privacy/. Indeed, the ANPR notes that recently enacted laws “have reduced the emphasis on providing notice and obtaining consent and have instead stressed additional privacy ‘defaults’ as well as increased accountability for businesses and restrictions on certain practices.” ANPR, 10-11.
5 FTC Press release at "Overview." The need to propose or adopt new rules is tempered in part by the possibility that Congress will enact a federal privacy law, H.R. 8152, the American Data Privacy and Protection Act ("ADPPA"). During a "virtual news conference" on August 11, the Commissioners made clear that they would reconsider proposing or adopting any rules that would overlap federal law if the ADPPA were enacted.
7 ANPR, 23 n. 124 ("The Supreme Court recently held, in AMG Capital Management, LLC v. FTC, 141 S. Ct. 1341 (2021), that Section 13(b) of the FTC Act, 15 U.S.C. 53(b), does not allow the FTC to obtain equitable monetary relief in federal court for violations of Section 5. This has left Section 19, 15 U.S.C. 57b—which requires evidence of fraudulent or dishonest conduct—as the only avenue for the Commission to obtain financial redress for consumers.")
8 ANPR, 24.