FTC begins sweeping commercial surveillance and lax data security rulemaking process

Data breaches exposing consumers’ sensitive information continue unabated even as organizations amass and sell vast sets of consumers’ personal, financial, and location data to a thriving data broker industry. Concerns over the use of the growing stockpile of sensitive personal data have reached a fevered pitch in the wake of the Supreme Court’s decision to overturn Roe v. Wade, which raises the specter of law enforcement weaponization of widely available digitized content against American citizens.

Against this backdrop, the Federal Trade Commission (FTC) announced the launch of an Advance Notice of Proposed Rulemaking (ANPR) to crack down on harmful commercial surveillance and lax data security. “Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent.”

In the FTC’s view, commercial surveillance refers to the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. Commercial surveillance heightens “the risks and stakes of data breaches, deception, manipulation, and other abuses.” Data security includes “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.”

The ANPR is just the first step in the FTC’s process. It seeks to get the ball rolling before creating eventual new rules by compiling an extensive public record of their potential need. The Commission argues that it has the authority to implement regulations governing surveillance and lax data security procedures under its establishing legislation, the FTC Act, and decades of enforcement and policy experience in both areas.

ANPR seeks answers to an extensive set of questions

The ANPR is a wide-ranging document that touches on virtually all current controversies around the largely unregulated collection, use, and sale of individuals’ data. Through the ANPR, the FTC invites public comment on the nature and prevalence of harmful commercial surveillance and lax data security practices, the balance of costs and countervailing benefits of such practices for consumers and competition, and proposals for protecting consumers from harmful and prevalent commercial surveillance and lax data security practices.

The ANPR spells out a series of extensive questions for which it seeks answers. These are:

1. To what extent do commercial surveillance practices or lax security measures harm consumers? The FTC articulates a dozen questions on how consumers might be harmed by commercial surveillance or lax security, including what kind of data should be subject to its possible new rules, how it should address indirect harms such as psychological distress, and how a new rule should address injuries to different consumers across different sectors.
2. To what extent do commercial surveillance practices or lax data security measures harm children, including teenagers? The Commission asks commenters to address whether children are particularly vulnerable or susceptible to specific surveillance and lax data security practices, to what extent new rules should provide teenagers with an erasure mechanism, whether services that collect information from large numbers of children should be required to provide them enhanced privacy protections regardless of whether the services are directed to them, and more.
3. How should the Commission balance costs and benefits? The FTC invites comments on the relative costs and benefits of any current practice, as well as those for any responsive regulation, the right time horizon for evaluating the relative costs and benefits of existing or emergent commercial surveillance and data security practices, how it should regulate harmful practices, and more.

Questions about data security and minimization

Aside from the wealth of privacy-focused questions, the FTC delves into technical considerations that outline how the agency might start laying down some data security, retention, and minimization requirements. The ANPR asks whether the FTC should:

1. Implement new rules that require businesses to implement administrative, technical, and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality, or integrity of covered data.
2. Implement new rules to codify the prohibition on deceptive claims about consumer data security, authorizing the Commission to seek civil penalties for first-time violations.
3. Consider other state and federal laws that already include data security requirements.
4. Require firms to certify that their data practices meet clear security standards and if so, who should develop those standards, the FTC or a third party.
5. Consider new rules to impose limitations on companies’ collection, use and retention of consumer data and whether they should establish minimization requirements or purpose limitations.

The FTC’s ANPR further delves into the controversial topic of biometrics and whether it should consider limiting commercial surveillance practices that use or facilitate facial recognition, fingerprinting, or other biometric technologies. Another emerging and touchy topic addressed in the ANPR is the use of algorithms and automated decision-making systems and whether the FTC should require firms to evaluate and certify that their reliance on automated decision-making meets clear standards concerning accuracy, validity, reliability, or error.

Finally, the ANPR raises a series of questions about consent — how effective current consent agreements are when it comes to surveillance activities, and whether consumers should be allowed to withdraw their consent to share data for surveillance.

What about the ADPPA?

During a press briefing, Commissioner Rebecca Kelly Slaughter said she gave a speech three years ago arguing that case-by-case enforcement for data abuses wasn’t effectively protecting users or deterring law-breaking and called for a new federal law. Since then, the U.S. Congress has made remarkable progress on a sweeping privacy bill called the American Data Privacy and Protection Act (ADPPA), which establishes meaningful restrictions on collecting and using consumers’ sensitive data. Slaughter said she’s “incredibly impressed” with the ADPPA, which she sees as complementary to the FTC’s rulemaking process.

FTC Commissioner Alvaro Bedoya also expressed support for the ADPPA, saying, “It’s the strongest privacy bill that has ever been as close to passing. I hope it passes.” He said he would not vote for any FTC rules coming out of the ANPR if they overlap with the ADPPA.

The two Republican commissioners at the FTC point to the ADPPA as the reason they don’t support the ANPR. “The momentum of ADPPA plays a significant role in my ‘no’ vote on the Advance Notice of Proposed Rulemaking announced today,” Commissioner Christine Wilson said in a statement. “I am gravely concerned that opponents of the bill will use the ANPR as an excuse to derail the ADPPA.”

Commissioner Noah Joshua Phillips said in a statement that “national consumer privacy laws pose consequential questions, which is why I have said repeatedly that Congress—not the Federal Trade Commission—is where national privacy law should be enacted. I am heartened to see Congress considering just such a law today and hope this Commission process does nothing to upset that consideration.”

Reaction to the proposed rulemaking

Elizabeth McGinn, partner at Buckley LLP, tells CSO she’s not surprised the FTC is exploring new rules on data surveillance and lax security. “The areas of concern that the FTC is asking for public comment are areas that the FTC has expressed concern over, issued guidance about, and held workshops about in investigations and enforcement actions.”

Janis Kestenbaum, Partner at Perkins Coie, who worked on privacy and data security matters at the FTC, tells CSO, “The timing of this notice is itself notable given that Congress is closer than it ever has been to enacting comprehensive privacy legislation in the form of the American Data Privacy Protection Act, which covers the very topics that the FTC proposes to address.  While the FTC says it will not move forward with this rulemaking if Congress passes the ADPPA, in the meantime, significant government and private sector resources will be spent addressing this rulemaking in what will be a time-consuming proceeding.”

On Capitol Hill, Republican lawmakers did not warmly embrace the FTC’s action. U.S. Senator Roger Wicker (R-MS) said, “To get real consumer data privacy protections, Congress must act. FTC commissioners have acknowledged that legislation, not regulation, is the preferred way to achieve these protections. I hope today’s action by the FTC helps underscore the urgency for the House to bring the American Data Privacy and Protection Act to the floor and for the Senate Commerce Committee to advance it through committee. The time to move on ADPPA is now.”

Even one Democratic lawmaker, New Jersey’s Frank Pallone, chairman of the Energy and Commerce Committee, gently chastised the FTC. “I appreciate the FTC’s effort to use the tools it has to protect consumers, but Congress has a responsibility to pass comprehensive federal privacy legislation to better equip the agency, and others, to protect consumers to the greatest extent. Ultimately, the American Data Privacy and Protection Act is necessary to establish comprehensive national statutory privacy protections for all Americans and I’m committed to getting it passed and signed into law.”