On August 22, 2022, the Federal Trade Commission (FTC) published its advance notice of proposed rulemaking (ANPR) to request public comment on commercial surveillance and data security practices. The ANPR comes at the same time as Congress is considering the federal American Data Privacy and Protection Act (ADPPA).
The FTC seeks public comment on a broad range of data privacy and security practices, including several rather expansive concepts. “Commercial surveillance,” for the purposes of the ANPR, means the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.” This definition, including the undefined term “direct derivatives,” makes it clear that the FTC is interested in a wide examination of the use of consumer data in today’s economy.
In another expansive provision, the ANPR defines “consumer” to expressly include “workers,” and “not just individuals who buy or exchange data for retail goods and services.” A resulting regulation that governs the use of employee data would go beyond the scope of state comprehensive privacy law in Colorado, Connecticut, Utah and Virginia, although it would be consistent with the California Privacy Rights Act, whose exclusion for employee and business-to-business data is set to expire on January 1, 2023.
The FTC has the authority to regulate data privacy and security practices under Section 18 of the FTC Act, 15 U.S.C. § 57a, also known as Magnuson-Moss rulemaking authority. The FTC Act grants the FTC the authority “to propose a rule defining unfair or deceptive acts or practices with specificity when the [FTC] ‘has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.’” The FTC can determine that certain unfair or deceptive acts or practices are prevalent on the basis of cease-and-desist orders or when the FTC has other information indicating a widespread pattern of unfair or deceptive acts or practices. These requirements are manifested in the ANPR, which sets forth examples of FTC enforcement actions and seeks public comment on several topics, including those listed below.
- The extent to which commercial surveillance practices or lax security measures harm consumers, including the kinds of data that should be subject to a trade regulation rule.
- The extent to which commercial surveillance practices or lax data security measures harm children and teenagers, including identifying which sites or services should implement child-protective measures even if they do not direct their content to children and teenagers.
- The manner in which the FTC may balance costs and benefits of anticipated regulation, taking into consideration its impact on, for example, innovation and competition.
- The manner in which the FTC should regulate prevalent harmful commercial surveillance or data security practices, including the regulation of data security practices, automated decision-making systems, and privacy notices and disclosures.
- The remedies available to the FTC, such as, for instance, algorithmic disgorgement in connection with automated decision-making technologies, and whether there is a limit to the FTC’s authority to implement remedies by regulation.
The Commissioners submitted statements along with the ANPR, providing their views on the matter. FTC Chair Lina M. Khan and Commissioner Rebecca K. Slaughter view the ANPR as a method of engaging with a range of stakeholders and building a public record to serve, at a minimum, as a resource to policymakers who are considering the ADPPA. In support of the ANPR, Commissioner Alvaro M. Bedoya stated that he does not see the ANPR process as reason to delay passage of the ADPPA. In contrast, Commissioner Noah J. Phillips sees the ANPR as an overreach of FTC authority, and Commissioner Christine S. Wilson expressed concern that critics of the ADPPA would use the ANPR as an excuse to derail federal privacy legislation.
The FTC will hold a virtual public forum to discuss the ANPR on Thursday, September 8, 2022, from 2 p.m. until 7:30 p.m. ET. Comments must be received on or before October 21, 2022. Additional information on the ANPR, including how to register for the public forum and submit comments, may be found here. Further analysis of the security-related provisions can be found in the Privacy, Cyber & Data Strategy and Financial Services & Products Advisory “CFPB and FTC Looking to Ramp Up Data Security Requirements.” As further updates become available, Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to cover them on our blog.