FTC Launches National Privacy Rulemaking
On August 11, 2022, the Federal Trade Commission (FTC) released its much anticipated advance notice of proposed rulemaking (ANPR), titled “Trade Regulation Rule on Commercial Surveillance and Data Security.” The ANPR is the first in a series of steps by the FTC that, if completed, could culminate in the adoption of the first nationwide, sweeping privacy regulation. The ANPR asks a wide range of questions about privacy, data security, and algorithmic uses, and suggests a number of paths forward for greater regulation of privacy and what it calls “commercial surveillance.” Importantly, and as the ANPR notes, any eventual rule must be grounded in “unfair or deceptive acts or practices” as specified in Section 5 of the FTC Act, and the ANPR is the first – and critical – step in gathering information regarding an eventual FTC rule.
The FTC’s ANPR comes at a time when the privacy landscape in the United States is highly active and in substantial flux. There has been an active debate about federal privacy legislation, while several states are simultaneously poised for their own omnibus privacy laws to take effect in 2023. The FTC has made clear that privacy and data security issues are a top priority, and has been active across a range of areas, including children’s privacy, “commercial surveillance,” artificial intelligence (AI), and data security practices. This ANPR is consistent with those priorities, focusing on what the FTC terms “commercial surveillance” and “lax data security practices.” As detailed more below, the ANPR asks questions about potential consumer harm from these practices—both generally and with specific respect to children and teens. The ANPR also previews what rules in these areas may look like, asking questions about potential rules regarding data security; consumer data collection, use, and transfer; automated decision-making systems; discrimination; consumer consent; and notice, transparency, and disclosure, among other things.
Below, we provide a summary of the ANPR, as well as what stakeholders can expect for next steps and timing in this rulemaking, which will be subject to more process than a traditional Administrative Procedure Act (APA) rulemaking. For a more detailed summary and analysis of the rulemaking proceeding and opportunities to participate, please reach out to Wiley’s Privacy, Cyber & Data Governance Team.
The ANPR Considers Broad Regulations
In terms of scope, the ANPR purports to cover both data that is collected directly from the consumer, as well as data, including personal identifiers, that the FTC explains “companies collect, for example, when a consumer casually browses the web or opens an app.” It also asks whether potential rules should be focused on specific types of data (e.g., personally identifiable information, sensitive data, data about protected categories, data that is linkable to a device, non-aggregated data) or if the potential rules should be “agnostic about kinds of data.”
Notably, in the ANPR the FTC defines the term “consumer” broadly—to include “businesses and workers, not just individuals who buy or exchange data for retail goods and services,” which could lead to broad regulation of employee and B2B data, as well as traditional consumer data.
Moreover, the ANPR does not explicitly address the entities that a potential rule would apply to but does ask about the impact of perceived “lax data security measures” and “commercial surveillance” on various sectors such health, finance, employment, internet search, and social media.
The ANPR Targets Commercial Surveillance and Data Security Practices
The FTC generally seeks comment on two broad categories: (1) the “nature and prevalence of harmful commercial surveillance” and (2) “lax data security practices.” It defines “commercial surveillance” as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” and “data security” as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.” For each of these categories, the FTC lists several more targeted questions on which it seeks comment.
Consumer Harm Questions. First, the FTC seeks comment on the extent to which “commercial surveillance practices or lax security measures” harm consumers. Notably, the ANPR asks questions specifically about harm to children and teenagers, in addition to questions about general consumer harms. At a high-level, the FTC is seeking comment on:
- The practices companies use to “surveil” consumers;
- The measures companies use to protect consumer data;
- The process the FTC should use to “identify and evaluate these commercials surveillance harms or potential harms”;
- Whether the FTC has adequately addressed indirect pecuniary harms, including potential physical harms, psychological harms, reputations injuries, and unwanted intrusions;
- Special considerations for data related to minor children, including whether failing to provide children and teenagers with privacy protections is an unfair practice even if the site or service is not targeted to minors and whether there should be limits on sharing children and teens’ data.
Cost/Benefit Questions. The FTC seeks comment on how it should balance the costs and benefits of any privacy and security regulations. Specifically, the FTC asks what variables it should consider, including any that are hard to quantify, what the “right time horizon” is for evaluating the costs and benefits of data practices and regulations, and whether any new trade regulation would impede or enhance competition.
Question About How to Regulate. FTC seeks proposals for “protecting consumers from harmful and prevalent commercial surveillance and lax data security practices.” It asks generally whether a Section 18 trade regulation rule is the right approach, seeking comment on whether existing legal authorities or self-regulation is sufficient. Then, the FTC more specifically seeks comment on the following:
- Data Security. The FTC asks whether businesses should be required to implement administrative, technical, and physical data security measures and whether businesses should be required to certify that their data practices meet clear security standards.
- Collection, Use, Retention, and Transfer of Consumer Data. The FTC asks about the collection and use of biometric information, including about the prevalence of the use of facial recognition, fingerprinting, or other biometric technologies. The FTC also asks whether certain sectors, such as finance and healthcare, should be prohibited from engaging in personalized or targeted advertising. In addition, the FTC asks several questions regarding whether it should broadly impose restrictions on the period of time that companies can collect or retain consumer data, irrespective of the data’s purpose, and the effects of doing so.
- Automated Decision-Making Systems. The FTC requests comment on the prevalence and methods of measuring algorithmic error and whether companies should be required to take steps to prevent such errors and the possible effects of any restrictions.
- Discrimination. The FTC seeks comment on the prevalence of algorithmic discrimination and how it should evaluate, measure, and regulate such discrimination, including whether the FTC should focus on the impact to certain protected classes.
- Consumer Consent. The ANPR questions the effectiveness of consumer consent, and asks about blanket restrictions to certain practices, irrespective of consumer consent. It also asks about different consumer choice options and standards; namely, if different standards should apply to different consumer groups.
- Notice, Transparency, and Disclosure. The ANPR asks about rules that would impose transparency and disclosure requirements on companies. Here, the FTC asks the “opacity of different forms of surveillance practices,” as well as the impact of trade secrets and IP protections on disclosures. It asks if the FTC should rely on third-party intermediaries—including government officials, journalists, and auditors—to help facilitate disclosure rules. It also requests comment on the specifics of what would be included in required disclosures, and what standards for consumer comprehension should apply. In this section, the FTC also asks about privacy impact assessment and/or auditing requirements.
The ANPR Touches on Important Issues of Implementation and Enforcement.
FTC Remedies. The ANPR explains that one of the reasons for this rulemaking is that “the FTC Act limits the remedies that the Commission may impose in enforcement actions on companies for violations of Section 5,” which “generally does not allow the Commission to seek civil penalties for first-time violations of that provision.” Specifically, the Supreme Court recently limited the FTC’s ability to seek retrospective monetary relief (such as restitution or disgorgement) for violations of section 5 of the FTC Act in the AMG Capital Mgmt. v. FTC decision. An advantage that the FTC sees in promulgating a trade regulation rule is that “the Commission may impose civil penalties for first-time violations.” Of note, the ANPR asks whether any new rules should “enumerate specific forms of relief or damages that are not explicit in the FTC Act but that are within the Commission’s authority,” pointing directly to “algorithmic disgorgement,” which the FTC has utilized in several more recent enforcement cases.
First Amendment Considerations. The ANPR also recognizes that the proposal may have potential First Amendment implications. As we have written previously, some of the reasons that have been advanced in support of a rulemaking suggest that a final rule could amount to a content-based regulation of commercial and non-commercial speech. If the agency decides to move forward, it will need to carefully consider these implications.
Communications Decency Act Considerations. The ANPR also asks to what extent Section 230 of the Communications Decency Act (“Section 230”), 47 U.S.C. § 230, bars the FTC “from promulgating or enforcing rules concerning the ways in which companies use automated decision-making systems to, among other things, personalize services or deliver targeted advertisements[.]” As we have explained before, Section 230 protects interactive computer service providers, such as social media platforms, by (1) clarifying that they are free to host third-party content without being liable for the substance of that content and (2) establishing an additional liability shield from private lawsuits for users and providers of interactive computer services who moderate their content.
Timing and Next Steps for the FTC’s Mag-Moss Rulemaking
Last year, at the direction of Chair Khan, the FTC revised its internal rules to streamline its rulemaking process under Section 18 of the FTC Act for trade regulation rulemaking, which is often referred to as “Magnuson-Moss” or “Mag-Moss” rulemaking. While this streamlining removed a number of steps that would have made this privacy rulemaking an even lengthier process, it is important for stakeholders to understand the trade regulation rulemaking process is still much more cumbersome and involved than traditional APA rulemaking. Under the Mag-Moss process, the FTC must:
(1) Issue an ANPR (which it has done here).
(2) Based on information received, issue a Notice of Proposed Rulemaking (NPRM) and open a public comment period.
(3) Issue a notice of informal hearing, which will identify the presiding officer, and include a final list of disputed issues of material fact necessary to be resolved during the hearing, a list of the interested persons who will make oral presentations, and an invitation to interested persons to submit requests to conduct or have conducted cross-examination or to present rebuttals.
(4) Hold the informal hearing and, at its conclusion, the presiding officer will issue a “recommended decision based on their findings and conclusions as to all relevant and material evidence.”
(5) Issue the rule, along with a statement of basis and purpose that must include a discussion of economic effects.
Today’s action marks the beginning of this process, which, given the number of steps that the FTC must complete, will not be short. However, the ANPR is a critical stage of the process for submitting evidence and engaging the FTC on its potential rulemaking approach
Stakeholders will have multiple opportunities to review and participate in the proceeding, including participating in a public forum the FTC is hosting on September 8, 2022, and submitting comments in response to the ANPR, which will be due 60 days after the ANPR is published in the Federal Register.
Wiley’s Privacy, Cyber & Data Governance team has helped companies of all sizes from various sectors proactively address risks and address compliance with new privacy laws. Our Issues and Appeals and FTC Regulation teams support comments and regulatory advocacy strategy before the FTC and other federal agencies on privacy and cyber law and policy. Please reach out to any of the authors with questions.