FTC Issues Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security
At a press conference on August 11, 2022, the Federal Trade Commission (FTC or Commission) announced an Advance Notice of Proposed Rulemaking (ANPR), which was published, along with a fact sheet, to explore potential new rules governing what the FTC characterizes as prevalent “commercial surveillance” and “lax data security practices.” The FTC issued the ANPR pursuant to its Section 18 authority under the Magnuson-Moss Act, which authorizes the Commission to promulgate, modify, and repeal rules that define with specificity unfair or deceptive acts or practices within the meaning of Section 5(a)(1) of the FTC Act. This broad and complex ANPR was published in the Federal Register on August 22 (87 Fed. Reg. 51273), and comments are due October 21, 2022. The FTC will host a public forum on September 8, 2022, featuring a structured panel discussion and an opportunity for stakeholders to share their views on the ANPR, subject to a two-minute time limit.
What’s Behind the ANPR?
FTC Chair Lina Khan said in a statement that “firms now collect personal data on individuals on a massive scale and in a stunning array of contexts, resulting in an economy that, as one scholar put it, ‘represents probably the most highly surveilled environment in the history of humanity’. This explosion in data collection and retention, meanwhile, has heightened the risks and costs of breaches—with Americans paying the price.” The FTC offers several reasons to justify the proposal. First, the FTC argues that its inability to fine companies for egregious first-time offenses under its Section 5 authority may “insufficiently deter future law violations.” Second, while the FTC can enjoin conduct that violates Section 5, such relief may be inadequate in the context of alleged commercial surveillance and lax data security practices. Third, the FTC argues that even in instances in which it can obtain monetary relief for violations of Section 5, such relief may be difficult to obtain if certain practices do not cause direct financial injury or the harm cannot be quantified. Lastly, the FTC claims that a rule governing commercial surveillance and data security could provide clarity and predictability about the FTC Act’s application to existing and emergent commercial surveillance and data security practices. The vast, unfocused scope of the ANPR should concern any business engaged in data collection from consumers, as virtually all data collection activities could be implicated.
The FTC proposes several specific definitions for purposes of the rule:
“Commercial surveillance” is “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app.”
“Data security” is described as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.”
“Consumer” “includes businesses and workers, not just individuals “who buy or exchange data for retail goods and services.”
The FTC has posed a variety of questions – 95 of them – that touch on both advertising and privacy issues. The FTC asks for public feedback generally on “(a) the nature and prevalence of harmful commercial surveillance practices, (b) the balance of costs and countervailing benefits of such practices for consumers and competition, and (c) proposals for protecting consumers from harmful and prevalent commercial surveillance practices.” More specifically, the FTC solicits feedback on subjects with headings ranging from “to what extent do commercial surveillance practices or lax security measures harm consumers?” to “automated decision-making systems.” Of note are a variety of questions pertaining to children and teens, although Section 18(h) of the FTC Act restricted the Commission’s ability to act on the then-pending infamous “kid-vid” proceeding, in which the FTC proposed to ban advertising to younger children, and which earned the FTC the moniker as the “national nanny.” Section 18 also restricts the Commission’s ability to issue rules in “any substantially similar proceeding on the basis of a determination by the Commission that such advertising constitutes an unfair act or practice in or affecting commerce.” This is expected to be a point raised in comments.
Commissioners Phillips and Wilson Dissent
The vote to approve publication of the ANPR was 3-2. Commissioners Noah Phillips and Christine Wilson, voting no, each issued dissenting comments. In a strongly worded statement, Commissioner Phillips, who has since announced that he is leaving the FTC, questioned whether the FTC was overstepping its authority and recasting itself “as a legislature, with virtually limitless rulemaking authority where personal data are concerned.” In addition, Phillips claimed the ANPR was too broad and “provides no notice whatsoever of the scope and parameters of what rule or rules might follow; thereby, undermining the public input and congressional notification processes. It is the wrong approach to rulemaking for privacy and data security.” In her statement, Commissioner Wilson expressed concern that the ANPR could undermine efforts to pass a federal privacy law. She also asserted that elements of the ANPR constituted agency overreach and wandered “far afield of areas for which we have clear evidence of a widespread pattern of unfair or deceptive practices.”
The finalized agenda for the FTC’s September 8 public forum is here. This proceeding, as well as the FTC’s October 19 event, “Protecting Kids from Stealth Advertising in Digital Media,” will no doubt generate lively debate.