FTC Steps Up Regulation of Data Surveillance Companies

On August 11, 2022, the Federal Trade Commission (FTC) announced a Notice of Proposed Rulemaking regarding the collection, sharing and use of certain information which it refers to as “commercial surveillance data” and whether the use of that data constitutes a violation of the provisions of the Federal Trade Commission Act. The Commission has also announced its intention to hold a virtual public forum on September 8, 2022 to discuss the issue.

The United States does not currently have a comprehensive data privacy law, although a bill proposing such a law is currently winding its way through Congress. As a result, data privacy laws represent a patchwork quilt of state law, federal sectoral laws, and international laws that apply to the collection, sharing, use, storage and accuracy of certain kinds of personally identifiable information. In addition, under the century-old FTC Act’s Section 5, which prohibits both “deceptive” and “unfair” trade practices in commerce, the commission has promulgated rules and brought enforcement actions against companies that either fail to have privacy standards or fail to abide by their published privacy policies. In essence, the FTC asserts, companies which promise to keep data private and not to share it but do so anyway are “deceptive,” and companies which collect data without providing users reasonable notice and the ability to opt out of the collection are “unfair.” Indeed, the FTC recently announced that it might initiate an enforcement action against an ad tech agency that collected and sold license plate data with geolocation. One of the FTC’s concerns is that this data could be used to track patients’ travels for health care services, including for fertility, gynecological, gnoseological or related services.

The FTC is attempting to use its regulatory authority to address the data surveillance and data broker industry generally, but also to address those who create a market for such data. Consumers are having even the most intimate details of their lives tracked and examined, and companies that collect, aggregate and analyze this data, as well as companies that sell or use this data, are not transparent about their data collection and use practices. By contrast, the General Data Protection Regulation (GDPR) in the EU regulates the collection, transfer and use of any information that identifies a specific individual (personally identifiable information – PII). Collection of PII may only be done for legitimate purposes; companies must be transparent about what they collect, why, and what they are doing with the data, and they must appropriately secure the data, make sure it is accurate, give the data subject access to the data collected, and delete or remove the data when it is no longer needed for the stated purpose. Under GDPR, the collection of personal data—whether it is a name, phone number, address, IP address or tracking information—must generally be done with the informed consent of the data subject AND be done for lawful purposes; consent, knowledge and a “click-through” agreement are not sufficient. GDPR applies to data collected about residents of the EU, irrespective of where the data is collected or by whom. With the UK’s Brexit, a special treaty applies GDPR-like restrictions to residents of the UK, and the U.S. and Europe have negotiated specific safe-harbor provisions permitting the collection of GDPR-protected data by U.S. entities, provided that they have enforceable agreements to comply with the GDPR principles. Similar privacy laws exist in many countries from Mexico to Singapore to China.

In the absence of a comprehensive data privacy law in the U.S., companies have to, in addition to complying with GDPR and other international laws, comply with a host of state privacy laws like those in Virginia, California, Utah, Colorado and Connecticut, as well as data breach disclosure laws, which regulate the collection and use of PII at the state level and require notification to data subjects whenever the PII is “accessed” in a manner inconsistent with the data privacy policy. In addition, the U.S. government has various sectoral privacy laws regulating things like phone records, bank records and even records of video rentals.

The FTC NPRM is an attempt to regulate the marketplace for personal data collected without the knowledge or consent of the data subject—so-called surveillance data.

As the commission noted:

“Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. Technologies essential to everyday life also enable near-constant surveillance of people’s private lives. The volume of data collected exposes people to identity thieves and hackers. Mass surveillance has heightened the risks and stakes of errors, deception, manipulation, and other abuses. The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.”

This would include things like tracking software used by schools and businesses to monitor and track their students and employees, video surveillance, geolocation and telematics, performance measurements, as well as capturing individuals’ search and browsing histories, what they are reading, their social media and communications, facial recognition and biometric surveillance, automated license plate readers, cell site location tracking, GPS and other location data, tracking purchasing history and the use of AI or other sophisticated tools to profile data subjects.

In particular, the FTC seeks to examine the potential consumer harms arising from lax data security or commercial surveillance practices, including those concerning physical security, economic injury, psychological harm, reputational injury and unwanted intrusion. The FTC noted that it wanted to address certain specific questions including:

Which practices do companies use to surveil consumers?
Which measures do companies use to protect consumer data?
Which of these measures or practices are prevalent? Are some practices more prevalent in some sectors than in others?
How, if at all, do these commercial surveillance practices harm consumers or increase the risk of harm to consumers?
Are there some harms that consumers may not easily discern or identify? Which are they?
Are there some harms that consumers may not easily quantify or measure? Which are they?
How should the commission identify and evaluate these commercial surveillance harms or potential harms? On which evidence or measures should the commission rely to substantiate its claims of harm or risk of harm?
Which areas or kinds of harm, if any, has the commission failed to address through its enforcement actions?
Has the commission adequately addressed indirect pecuniary harms, including potential physical harms, psychological harms, reputational injuries and unwanted intrusions?
Which kinds of data should be subject to a potential trade regulation rule? Should it be limited to, for example, personally identifiable data, sensitive data, data about protected categories and their proxies, data that is linkable to a device or non-aggregated data? Or should a potential rule be agnostic about the kinds of data?
Which, if any, commercial incentives and business models lead to lax data security measures or harmful commercial surveillance practices? Are some commercial incentives and business models more likely to protect consumers than others? On which checks, if any, do companies rely to ensure that they do not cause harm to consumers?

Lax data security measures and harmful commercial surveillance injure different kinds of consumers (e.g., young people, workers, franchisees, small businesses, women, victims of stalking or domestic violence, racial minorities, the elderly) in different sectors (e.g., health, finance, employment) or in different segments or “stacks” of the internet economy. For example, harms arising from data security breaches in finance or health care may be different from those concerning discriminatory advertising on social media which may be different from those involving education technology. How, if at all, should potential new trade regulation rules address harm to different consumers across different sectors? Which commercial surveillance practices, if any, are unlawful such that new trade regulation rules should set out clear limitations or prohibitions on them? To what extent, if any, is a comprehensive regulatory approach better than a sectoral one for any given harm?

In the absence of a comprehensive data privacy law, it appears that the FTC may step into the vacuum and use its authority to regulate unfair trade practices to require greater transparency in data collection, security and use.

For now, companies should, in addition to complying with existing laws, adopt reasonable data privacy and use policies that are both comprehensive and flexible enough to meet their current and anticipated future business needs. They should, to the extent possible, inform data subjects about what data they are collecting, why, and what the data subjects’ rights are with respect to use, deletion, accuracy and security. They should also ensure that the data they collect is secured, whether stored and used locally or on third-party cloud or SaaS providers, and ensure that third parties agree by contract to protect such data. Finally, when purchasing data that has been collected by third parties, including data brokers, marketers, advertisers or others, companies should take reasonable steps to make sure that this data was collected and is being shared in compliance with data privacy laws.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.