FTC Seeks to Move Beyond Notice and Consent to Restrict Data Collection and Use
The FTC indicated that it will use its rulemaking authority under the FTC Act’s Section 18 to create a new rule that will likely seek to rein in broad data collection and use.
In October 2021, FTC Commissioner Rebecca Kelly Slaughter made two speeches in which she expressed a desire to move beyond the FTC’s “notice-and-consent” framework to address broader surveillance practices that underlie the digital advertising economy, specifically by applying “bright-line purpose and use restrictions that minimize the data that can be collected and how it can be deployed.”
Driving these changes is the concern that the notice and consent framework has left collection, retention, and sharing of data largely unchecked, which Slaughter argues can be harmful to consumers whether or not the collection itself has been disclosed in some way. To underscore her concerns she cites an FTC staff report published in October 2021, which revealed the extent to which ISPs are able to amass consumer information. The report details how this information can be combined with data from brokers to categorize and target consumers based on their race, ethnicity, sexual orientation, economic status, political or religious affiliation.
The FTC is concerned this information could be used by companies to discriminate against certain groups, and even if discrimination is not intended, could exacerbate economic or racial inequalities, marginalize workers, or deepen other disparities. Additionally, Slaughter remarked on how the practice of unconstrained data collection, retention, and sharing has increased the severity of data breaches and fueled misinformation campaigns.
The FTC appears particularly skeptical about services that treat consumer data as a commodity to sell, rather than as a part of providing the service or product the consumer requested. The agency is also concerned about secondary uses of data, meaning uses other than the purpose for which the data was initially collected. Therefore, any new FTC rule is likely to tighten the acceptable practices around collection and use of consumer information, and require collection and use to be linked to the purpose for which it was provided by the consumer.
Although the FTC has recently streamlined its Section 18 rulemaking process, it is likely to remain relatively slow moving and the FTC will be required to demonstrate that data collection and use problems are substantial, unavoidable, and not outweighed by countervailing benefits to consumers or to competition.
That being said, it would be wise for companies that do not already have minimization measures in place, to start developing them now. In particular, it is important to review and tighten any polices that broadly allow for the secondary use of data. Not only will this put companies in a better position should a new FTC rule be enacted (or alternatively, a federal privacy law be passed), but it is already recommended for companies who need or will soon need to comply with Colorado, California and Virginia privacy laws. Moreover, as noted above, companies that collect and retain a lot of data are more vulnerable to attack, and if they are attacked, any required notification and/or remediation will be much more cumbersome and costly the more data there is.
Keep an eye on this space for new developments.