On August 11, 2022, the Federal Trade Commission (“FTC”) issued an Advance Notice of Proposed Rulemaking (“ANPR”) seeking public comment regarding the collection, aggregation, analysis, retention, transfer, or monetization of consumer data, which the FTC calls “commercial surveillance,” and regarding data security practices. The ANPR invites comment on a wide range of topics (until November 21, 2022) in order to generate a public record based on which the FTC may decide to issue regulations.
The FTC cites a number of concerns prompting the ANPR, including the widespread collection and sharing of consumer data, potential harms of automated decision-making, so-called “dark patterns,” and security practices that the FTC criticizes as “lax.” In the ANPR and at a virtual press conference on August 11, FTC personnel stated that case-by-case enforcement has not adequately addressed and deterred practices that the FTC considers to be harmful or potentially harmful, particularly due to the FTC’s limited ability to seek monetary penalties.
The ANPR invokes the FTC’s authority to issue regulations under Section 18 of the FTC Act (15 U.S.C. § 57a(b)(3)), which grants power to regulate unfair or deceptive acts and practices and to enforce and seek monetary penalties for violations of regulations promulgated thereunder. As the ANPR states, and the FTC stressed during the press conference, the FTC only has authority to issue regulations under this section if the practices concerned are unfair or deceptive and if they are “prevalent.”
The FTC seeks comment on the following subjects (and lists detailed, specific questions in the ANPR):
- The harms caused to consumers, and specifically children and teens, by “commercial surveillance” and “lax security measures,” including emotional and mental health harms;
- The harms caused to children and teens by targeted advertising, and whether the FTC should limit targeted advertising practices;
- How the FTC should balance the costs and benefits of current practices;
- How and whether the FTC should regulate data security measures and the remaining topics in this list;
- The collection, use, retention, and transfer of consumer data (including specifically biometric data);
- Automated decision-making (including specifically algorithmic error);
- Algorithmic discrimination based on protected categories like race, sex, and age;
- Consumer consent to data security and handling practices, including what makes consent effective and informed; and
- Notice, transparency, and disclosure, including when they are effective, how companies create opacity about their practices, and what information notices and disclosures should be required to contain.
The two FTC commissioners who dissented from the ANPR advocated for congressional legislation dealing with data protection instead of regulatory action. Commissioner Wilson criticized the ANPR as overstepping the FTC’s scope of authority. Commissioner Phillips echoed this, finding the ANPR did not satisfy the legal requirement of providing a “brief description of the area of inquiry under consideration, the objective which the Commission seeks to achieve, and possible regulatory alternatives under consideration by the Commission,” and emphasizing that the “areas of inquiry are vast and amorphous, and the objectives and regulatory alternatives are just not there.” In his opinion, the ANPR is based on insufficient evidence and experience, fails to give meaningful notice of the FTC’s plans, treads into areas currently under consideration by Congress (such as general privacy legislation and updates to COPPA), and lacks consideration of thorny policy issues and the potential detriments of regulation.
Those wishing to contribute to the factual record by commenting on the FTC’s topics of interest should review the ANPR and submit their comments by November 21, 2022. We will be watching the FTC’s activity around potential rulemaking very closely and will update you on any new developments.