FTC Issues Rulemaking to Protect Consumers
On August 11, 2022, the Federal Trade Commission (FTC) voted 3-2 to file an Advance Notice of Proposed Rulemaking (ANPR) regulating consumers’ privacy and data security. The rulemaking is called “Trade Regulation Rule on Commercial Surveillance and Data Security”.
From day one of her appointment, Chairwoman Lina Khan has been direct about having a heightened focus on outlawing unfair and deceptive business practices. The ANPR is consistent with this anticipated posture. The FTC has made it clear that privacy and data security issues particularly around children, AI, commercial surveillance, dark pattern practices, and lax data security practices, are central to the ANPR. The ANPR also includes civil penalties signaling the FTC’s attempt to regain its enforcement power.
The ANPR covers data collected directly from consumers, and data automatically collected by companies when consumers are on their websites and apps. The FTC is considering whether new rules should be directed at the collection and use of sensitive/protected categories or if they should be applied more broadly to all categories of personal information. Of particular interest is the ANPR definition of a consumer. It includes “businesses and workers, not just individuals who buy or exchange data for retail goods and services,” This has already raised concern by many in the industry and is sure to evoke many comments.
This move is seen as the FTC’s attempt to formalize a national privacy regulation, though it does not appear to be as comprehensive as proposed federal legislation. Further, it does not preempt the current state privacy laws. To that point, all five FTC commissioners have opined that they would prefer Congress pass a federal privacy law rather than the agency draft rules.
The FTC is asking for comments on 95 questions that address several key issues:
- Automated Decision Making: Measuring and identifying algorithmic errors
- Balance: Balancing the costs and benefits of privacy and security regulations with their impact on impeding or enhancing competition
- Consent: Understanding the effectiveness of consumer consent and contemplating different choices and standards for different types of consumers
- Discrimination: Regulating algorithms to prevent discrimination
- Enforcement: Empowering the FTC with more enforcement power
- Governance: Establishing rules for the collection and use of biometric information, facial recognition, fingerprinting, targeted advertising, and data retention
- Harm: Understanding how “commercial surveillance practices or lax security measures” harm consumers, specifically children
- Notice: Establishing rules for transparency, consumer comprehension, and privacy impact assessments
- Security: Requiring technical, and physical data security measures and the certification of those practices
The rulemaking process the FTC will follow is guided by the 1975 Magnuson-Moss Warranty Act. The next steps are to:
- Allow for public comment on the ANPR
- Issue a Notice of Proposed Rulemaking. Comments may be submitted until October 10th
- Host a public forum
- Issue a final rule
- Undergo a judicial review
The FTC is clearly establishing its privacy beachhead. Will the ANPR move forward and become the national privacy framework or will it act as the catalyst for Congress to pass a comprehensive federal privacy bill? We will continue to monitor this subject as it progresses and provide additional updates.