FTC Publishes an Advance Notice of Proposed Rulemaking Regarding Commercial Surveillance and Data Security

On August 11, 2022, the Federal Trade Commission (“FTC”, the “Commission”) published an Advance Notice of Proposed Rulemaking (“ANPR”, the “Notice”) intended to address what the FTC refers to as “commercial surveillance and lax data security practices,” involving companies’ collection, use and monetization of consumer data in ways that harm consumers and impact competition.  This ANPR marks the beginning of a long process that may or may not result in a final rule. This process begins with a sixty-day period after the ANPR’s publication in the Federal Register during which the Commission will accept public comment. Specifically, the FTC solicits public comment regarding:

1. The nature and prevalence of what it characterizes as “harmful commercial surveillance and lax data security practices”;
2. The balance of costs and countervailing benefits of such practices for consumers and competition, as well as the costs and benefits of any given potential trade regulation rule; and
3. Proposals for protecting consumers from harmful and prevalent commercial surveillance and lax data security practices.

In particular, the Commission invites comments on whether it should regulate the ways in which companies (i) collect, aggregate, protect, use, analyze, and retain consumer data, as well as how they (ii) transfer, share, sell, or otherwise monetize consumer data in ways that are unfair or deceptive. In her Statement, Chair Lina Khan singles out five specific areas with respect to which she is “especially eager” for the Commission “to build a record.”

In addition to providing general topics of interest to the FTC listed above, the ANPR also sets forth 95 questions for public comment (available both in the ANPR and here). These questions can be categorized into several subtopics of particular concern to the Commission. These topics are:

1. The Extent to which Commercial Surveillance Practices or Lax Security Measures Harm Consumers;
2. The Extent to which Commercial Surveillance Practices or Lax Data Security Measures Harm Children, including Teenagers;
3. The methods the Commission should employ when balancing Costs and Benefits;
4. The approach the Commission should take with respect to:
   • Rulemaking generally;
   • Data Security;
   • Collection, use, retention, and transfer of consumer data;
   • Automated decision-making systems;
   • Discrimination based on protected categories;
   • Consumer consent;
   • Notice, transparency, and disclosure;
   • Remedies; and
   • The potential obsolescence of a final rule on this topic.

Despite the extensive list of questions provided in the Notice, however, the Commission has made a point to clarify that the ANPR neither identifies all potential approaches the Commission might ultimately take with respect to this issue nor limits the issues on which comments may be submitted. Thus, while the Notice provides some clarity into the FTC’s rulemaking intentions regarding data security and commercial surveillance, there is still much that has yet to be determined with respect to the substance of any future rule.

Significantly, a divided Commission voted 3-2 in favor of proceeding with the proposed rulemaking process. Chair Khan, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya issued separate statements in support. Commissioners Noah Joshua Phillips and Christine S. Wilson  issued dissenting statements, based in part, as Commissioner Wilson explained, on the rulemaking’s “potential to derail” comprehensive federal privacy legislation. The five separate statements also reveal potentially consequential divisions among the Commissioners with regard to the scope of the FTC’s rulemaking authority over both unfair and deceptive acts and practices and unfair methods of competition; divisions that are likely to play out in future legal challenges to any rule that might be proposed. The dissenting Commissioners also cautioned against agency overreach, noting how the many subjects addressed in the ANPR may go well beyond the agency’s expertise, and citing the Supreme Court’s recent decisions in West Virginia v. EPA and AMG Capital Management, LLC v. FTC, which demonstrate interest in limiting the scope of administrative agency authority.

This concern about potential agency overreach is particularly poignant in light of Footnote 47 of the ANPR. This footnote alludes to possible use of the FTC’s rulemaking authority over Unfair Methods of Competition pursuant to Section 6(g) of the FTC Act. In the event that the FTC decided to proceed with Section 6(g) rulemaking, it could do so without publishing an ANPR.

Several members of U.S. Congress also weighed in on the ANPR. Senator Marsha Blackburn (R-TN) raised the issue of waiting for the “results of active discussions in Congress” prior to issuing such rules. Senator Brian Schatz (D-HI) applauded the FTC’s efforts in “scrutinizing discrimination in the algorithms that Americans interact with every day and that pose significant risks when used negligently or maliciously.” Senator Jerry Moran (R-KS), who introduced the Consumer Data Privacy and Security Act, noted that “Americans need a clear, federal standard for data privacy, and the best way to accomplish that is by Congress passing legislation.”

In addition to accepting public comments posted to Regulations.gov, those wishing to comment on the ANPR may be able to voice them at the FTC’s virtual public forum on September 8.

We believe that this is an important opportunity for input into the rulemaking process and are available to assist clients in preparing responses. For example, companies that collect or manage personal data may want to pay close attention to and weigh in on FTC’s consideration of these issues to ensure any regulation is workable and based on experience these companies have had; and health care organizations that are subject to HIPAA Privacy requirements may be particularly interested in how any FTC regulations may apply to protections of health data that is being disclosed to mobile health apps or personal health records, outside of HIPAA protections.

We continue to monitor the Commission’s activities in this area and will provide additional alerts as the process progresses. We are also monitoring proposed federal privacy legislation and the intersection with state privacy laws and regulations.