FTC Issues ANPR Regarding Commercial Surveillance and Data Security
On August 11, 2022, the Federal Trade Commission (“FTC”) released an advance notice of proposed rulemaking (“ANPR”) to govern “commercial surveillance,” which is broadly defined by the ANPR as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” or the security organizations apply to that data.
According to the FTC, the purpose of this rulemaking is to “crack down on harmful surveillance and lax data security.” In conjunction with the ANPR, the FTC released a Fact Sheet on the FTC’s Commercial Surveillance and Data Security Rulemaking[1] where they outlined their leading concerns relating to commercial surveillance. These concerns include:
Lax data security being deployed for the “immense volume of information that companies collect and use” due to insufficient or inconsistent investment in securing that data;
Potential harm to children of all ages who are “especially vulnerable to the deception and manipulation that can stem from commercial surveillance” due to the addictive properties of these surveillance-based services;
Retaliatory actions such as denial of service or access where consumers who do not wish to have their personal information collected or a cost being affixed to a consumer who wishes to keep their personal information private;
Expansive data usage or collection after a consumer has signed up for a product or service after a company exercises its right to change their privacy terms and require consumers to accept these changes to maintain their products or service use;
Lack of accuracy or transparency by companies relating to the use of automated systems and algorithms to analyze or utilize consumer data;
Bias or discriminatory practices being utilized against consumers because of the use of commercial surveillance data sets;
Use of “dark patterns” or marketing to “influence or coerce consumers into choices they would otherwise not make, including purchases or sharing personal information.”
In order to minimize these concerns, the FTC explains that they are engaging in rulemaking, rather than the imposition of civil fines, because, currently, they are unable to impose civil fines for unfair or deceptive practices against first-time violators under Section 5 of the FTC Act and their current enforcement abilities are “insufficient to protect consumers from significant harms.”
Pursuant to these rulemaking efforts, the FTC has requested public comment on the following topics until October 21, 2022:
To what extent do commercial surveillance practices or lax security measures harm consumers and children, including teenagers?
How should the FTC balance the cost and the benefit of engaging in this rulemaking process?
If, and how, the FTC should regulate harmful commercial surveillance or security practices; specifically:
General specifics of rulemaking;
Data security;
Collection, use, retention and transfer of consumer data;
Automated decision-making systems;
Discrimination;
Consumer consent;
Notice, transparency and disclosure practices;
Remedies; and
Potential negative impacts or use of any rulemaking processes.
Additionally, the FTC granted consumers an opportunity to share input on these topics at a virtual public forum on September 8, 2022.