Privacy & Information Security Law Blog

On August 11, 2022, the Federal Trade Commission announced it is seeking public comment regarding its advance notice of proposed rulemaking (“ANPR”) on commercial surveillance and data security, on which we previously reported. The FTC defines “commercial surveillance” as the business of collecting, analyzing and profiting from consumer data.

Specifically, the FTC seeks comment on whether the Commission should implement new rules concerning the ways in which companies (1) collect, aggregate, protect, use, analyze and retain consumer data, as well as (2) transfer, share, sell or otherwise monetize consumer data in ways that are unfair or deceptive.

On Thursday, September 8, 2022, the FTC will host a virtual public forum to discuss the ANPR, on topics including:

• To what extent do commercial surveillance practices or lax security measures harm consumers, including children and teenagers?
• How should the FTC balance the costs and benefits of existing or emergent commercial surveillance and data security practices, and rules that would address them?
• How, if at all, should the FTC regulate harmful commercial surveillance or data security practices?
  • Subtopics include:
    • Data security (e.g., developing requirements for businesses to implement administrative, technical and physical data security measures, including encryption techniques, to protect consumer data);
    • Collection, use, retention and transfer of consumer data (e.g., limiting the use or transfer of consumer data only to the extent necessary to deliver the specific service a consumer explicitly seeks);
    • Automated decision-making systems (e.g., their prevalence, errors, reliability, and impact on product access and pricing);
    • Discrimination based on protected categories of personal information (e.g., through algorithmic decision-making);
    • Consumer consent (e.g., to companies’ commercial surveillance practices);
    • Notice, transparency and disclosure regarding commercial surveillance practices;
    • Remedies for new rules (e.g., relief or damages not specified in the FTC Act, such as algorithmic disgorgement, a remedy that forbids companies from profiting from unlawful practices related to their use of automated systems); and
    • Potential obsolescence of any rulemaking (e.g., whether new rules may account for evolving advertising business models).

The FTC’s announcement highlights that everyday technologies enable “near constant surveillance of people’s private lives,” and that such surveillance exposes individuals to identity thieves and hackers, as well as heightens the risks and stakes of errors, deception, manipulation, and other abuses.

In support of the ANPR, FTC Chair Lina M. Khan stated, “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”

The press release further notes that the FTC’s enforcement power has been limited because the Commission lacks the authority to seek financial penalties for initial violations of the FTC Act. In its press release, the FTC emphasizes that, by contrast, new rules “that establish clear privacy and data security requirements across the board and provide the Commission the authority to seek financial penalties for first-time violations could incentivize all companies to invest more consistently in compliant practices.” The Commission’s announcement also includes the Text of the Notice of Proposed Rulemaking Regarding the Commercial Surveillance and Data Security, a Factsheet on Commercial Surveillance and Data Security, and a Factsheet on Public Participation in the Section 18 Rulemaking Process.