On August 11, 2022, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR) and announced it was exploring a rulemaking process to “crack down on harmful commercial surveillance” and lax data security. The agency defines commercial surveillance as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”
The FTC View
The FTC has not released any proposed rules but seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect consumer data privacy. As part of the ANPR, and before setting out a host of questions for public comment, the FTC offers its take on the opaque ecosystem surrounding the collection of mobile data and personal information (which the FTC asserts is often done without consumers’ full understanding). The FTC discusses the subsequent sharing and sale of information to data aggregators and brokers that then sell data access or data analysis products to marketers, researchers, or other businesses interested in gaining insights from alternative data sources. The agency argues that based on news reporting, published research and its own enforcement actions, the benefits of the current consumer data marketplace may be outweighed by “harmful commercial surveillance and lax data security practices,” thus potentially requiring rules to protect consumers and to offer more regulatory clarity to companies beyond the FTC’s case-by-case enforcement. As FTC Chair Lina Khan said in her statement accompanying the ANPR: “[T]he growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used —means that potentially unlawful practices may be prevalent, with case-by-case enforcement failing to adequately deter lawbreaking or remedy the resulting harms.”
FTC Invitation for Comment
After describing the FTC view on the issues, the Commission invites public comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. Within the ANPR are a myriad of questions (too numerous to list here; a fact sheet is available here and the press release also offers a breakdown). Though, perhaps the multimillion-dollar questions asked by the agency are: Which kinds of data should be subject to a potential privacy rule? To what extent, if at all, should a new regulation impose limitations on companies’ collection, use, and retention of consumer data?
This ANPR is the culmination of heightened interest within the FTC and Congress about the need for stronger data privacy regulation that would limit certain data tracking practices, particularly for sensitive data, that are widespread (and poorly understood) in an era of an increasingly digitized economy. Indeed, in the past month, we’ve written posts on the FTC’s renewed focus on the collection of location and health data, and a bill introduced in the Senate that would ban the sale of location and health data.
A Look Ahead
Since the ANPR only represents an initial exploration, it remains to be seen whether the FTC will see through to the end what would be a multi-year rulemaking process. While Chair Lina Khan has previously voiced her concerns about “today’s surveillance economy,” the latest move by the FTC, beyond setting the stage for potential rulemaking, could also be seen as creating leverage to push a hesitant Congress into passing comprehensive data privacy legislation. As it stands now, some form of bipartisan legislation (the so-called ADPPA) has advanced in the House, but faces an uncertain future in the Senate (also uncertain is to what extent the text of a final law would address some or all of the concerns posed by the FTC in the ANPR and whether a new law would give the FTC targeted rulemaking and guidance authority in this area).
While some headlines have focused on how the FTC’s proposed rulemaking could rein in the data practices of “Big Tech,” the effect of any future rule could reverberate throughout almost all industries. Putting aside the “commercial surveillance” tactics discussed by the FTC, it should be noted that many businesses deploy existing data collection and use practices that can be beneficial or neutral to consumers, such as practices that enable personalization, enhanced communication, “smarter” mobile services and anonymized data products that allow businesses and investors to gain additional insights. The difficult question is how to preserve “acceptable” uses of data (e.g., aggregated, de-identified, anonymized, or collected with sufficient consent) while addressing legitimate privacy concerns, without creating more privacy “defaults” that erect compliance burdens without necessarily remedying perceived privacy harms.
The Bottom Line
At this early stage, the FTC’s rulemaking is unformed. If the FTC chooses to eventually write a new data privacy rule, it will first have to evaluate public comments. Organizations whose operations rely on consumer data or data products derived from consumer-related data should speak up and offer substantive comments to the various questions posed in the ANPR, as what the FTC might view as unfair or deceptive in the future could potentially be red flag issues for a particular business. Relevant trade associations should be making sure the choices of their constituents are heard at this early stage while the FTC is still charting its course.