FTC Pushing Ahead Toward Major Privacy Regulation
Privacy In Focus®
On August 11, 2022, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR), titled “Trade Regulation Rule on Commercial Surveillance and Data Security” (which we summarized in greater detail here). The wide-ranging ANPR seeks feedback on almost 100 questions regarding consumer privacy, data security, and biometric and algorithmic uses. It discusses a number of potential regulatory approaches to what the agency calls “commercial surveillance.” Significantly, the FTC defines “commercial surveillance” as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” and “data security” as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.”
The FTC issued the ANPR invoking its Section 5 FTC Act authority, which requires any eventual rule to be grounded in preventing “unfair or deceptive acts or practices” as specified in the Act. Two Commissioners dissented and expressed serious concerns about the direction the FTC appears to be taking. Comments on the ANPR are due October 21, and activity is well underway to shape federal privacy law.
On September 8, 2022, the FTC hosted a Commercial Surveillance and Data Security Public Forum to seek feedback on the ANPR. All three Commissioners in the Democratic majority participated. The workshop included consumer and industry panels, during which varied speakers addressed consumer harm, the scope of future rules, and concerns about agency authority. We provide below a few highlights from the workshop:
In her opening remarks, FTC Chair Lina Khan stated that the goal of the Public Forum is to inform the agency’s analysis on whether to proceed with the proposed rule beyond the ANPR stage, and what format the rule will take.
Commissioner Slaughter expressed her support for federal privacy legislation but argued that in the absence of such a law, it is the FTC’s duty to protect consumers from data collection, use, and retention practices that violate the FTC Act.
Commissioner Bedoya asserted during remarks that privacy harms go well beyond collection and into the areas of use, purpose specification, commercialization, security, sharing, fair access, and correction, among others. He also stated that current privacy laws enforced by the FTC, such as the FCRA, COPPA, and GLBA, go far beyond notice-and-choice. As a result, he sees the breadth of the questions in the ANPR matching the breadth of American privacy laws and privacy harms.
Consumer advocacy group panelists encouraged the FTC to move forward with the rulemaking, and in doing so, to take broad and aggressive regulatory action by, among other things, codifying all the FTC’s previous data security consent orders into regulation, prohibiting companies from conducting targeted advertising on consumers under the age of 18, and requiring more than just notice and consent to collect a consumer’s data in most contexts.
During the industry panel session, speakers largely agreed that while some rules may be productive, the FTC should not take a one-size-fits-all approach and should craft rules that are specific to the industry, companies, and data involved. They also agreed that data collected from a company that has a transactional relationship with the consumer should not have the same regulatory restrictions as data collected indirectly by a third party, such as a data broker.
Several industry representatives participated in the public comment session and generally pushed back on the ANPR. Several industry representatives called on the FTC to wait for Congress to enact a federal data privacy law, with some explicitly stating that the FTC lacks authority to adopt the breadth of rules suggested by the ANPR. Several industry representatives also pushed back on the FTC’s use of the term “commercial surveillance.”
Given the breadth of potential future FTC activity, we encourage clients to engage in this proceeding early and often. There are serious questions of authority and scope as well as evidentiary hurdles the agency will need to cross in order to create ex ante rules. Practical issues and unintended consequences should be raised so the agency can have a full record before it determines next steps. As one notable example, Commissioner Peter Feldman of the Consumer Product Safety Commission wrote to the FTC to express “concerns” about how its proceeding could limit “the ability of retailers, manufacturers, and others to conduct efficient recalls of hazardous consumer products” and pointed out that “the “Right to Delete” provision of the California Consumer Privacy Act (CCPA) limits the ability of firms to collect and use consumer data for direct notice recalls” among other impacts of privacy regulation.
This proceeding promises to be lively and complex. Stay tuned for more updates from the Wiley team in Privacy In Focus and in our other channels.
© 2022 Wiley Rein LLP