US FTC Launches Rulemaking on Commercial Surveillance and Data Security Practices
The upshot, for busy people:
- On August 11, 2022, the Federal Trade Commission (FTC) voted 3-2 on partisan lines to file an Advance Notice of Proposed Rulemaking (ANPR) that would regulate the protection of consumers’ privacy and data security in a rulemaking titled “Trade Regulation Rule on Commercial Surveillance and Data Security.”
- The release of this ANPR—in the midst of discussions about comprehensive federal privacy legislation, including the proposed federal American Data Privacy and Protection Act (ADPPA) as well as implementation of forthcoming state privacy laws such as the California Privacy Rights Act (CPRA)—signals the FTC’s desire to police a wide range of potential privacy harms related to the “information asymmetry” between companies and consumers. The FTC is particularly interested in potential harms stemming from “dark pattern practices” and “lax data security practices,” among many others in the sprawling release.
- The deadline for public comments is 60 days after the ANPR is published in the Federal Register. To further address the topics in the ANPR, the FTC announced a virtual public forum to be held on September 8, 2022, from 2 p.m. until 7:30 p.m. eastern time (instructions for joining are at: https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum).
Background—The FTC’s rulemaking authority.
Since her swearing-in on June 15, 2021, Chair Lina Khan has been direct about her plans to write rules outlawing specific “unfair and deceptive” acts and practices. The agency’s rulemaking authority comes from Section 18 of the FTC Act, added by Congress as part of the Magnuson-Moss Warranty Act – Federal Trade Commission Improvements Act of 1975. This type of rulemaking is distinct from the Administrative Procedure Act (APA) authority available to most federal agencies and to the FTC with respect to certain laws. For more information about the intricacies of “Mag-Moss” rulemaking and why the FTC is choosing to begin rulemaking rather than rely on its traditional enforcement-first approach (short answer—so that the FTC can get money penalties for first-time violators), please review our previous Legal Update.
Context—A brief overview of the FTC’s interest in privacy.
For decades, the FTC has been the primary privacy regulator in the US, using its broad discretion under Section 5 of the FTC Act to police unfair and deceptive acts or practices. The FTC has used its broad mandate to confront a diverse array of privacy-related harms that can be construed as “unfair or deceptive” and thereafter recover various forms of relief, including injunctions, consent decrees, and in certain cases, damages. Enforcement has typically taken place when a company has failed to adhere to public representations made about its privacy and data security practices. However, under Chair Khan, the FTC has indicated an intent to implement strong privacy rules on how companies collect and use personal information online as opposed to being limited to investigating individual companies on a case-by-case basis.
What does the ANPR say?
The FTC voted along party lines to seek public feedback on the “harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR raises a number of questions for public comment—95 to be exact—on a range of topics related to commercial surveillance and lax data security practices, a balancing of the costs and benefits of such practices, and any relevant proposals for consumer protection. Even the FTC’s use of terminology to characterize these alleged practices is telling. The categories copied below convey a sense of the breadth of questions:
- To What Extent Do Commercial Surveillance Practices or Lax Security Measures Harm Consumers?
- To What Extent Do Commercial Surveillance Practices or Lax Data Security Measures Harm Children, including Teenagers?
- How Should the Commission Balance Costs and Benefits?
- How, If at All, Should the Commission Regulate Harmful Commercial Surveillance or Data Security Practices That Are Prevalent? The FTC focused on these areas:
  - Rulemaking Generally
  - Data Security
  - Collection, Use, Retention, and Transfer of Consumer Data
  - Automated Decision-making Systems
  - Discrimination Based on Protected Categories
  - Consumer Consent
  - Notice, Transparency, and Disclosure
  - Remedies
  - Obsolescence
Given that the FTC largely justified the need for rulemaking to expand available remedies—money remedies, specifically—the discussion of remedies is particularly noteworthy. Past FTC enforcement orders have imposed a variety of remedies, including prohibitions on surveillance products, requiring companies to implement comprehensive privacy and security programs, requiring deletion of illegally obtained consumer data, and mandating improved transparency. However, the FTC Act limits the agency from seeking civil penalties for first-time violations of Section 5. Under duly promulgated privacy rules, the FTC could impose civil penalties on first-time violators. Notably, the ANPR mentions “algorithmic disgorgement”—whereby companies using deceptive data practices must delete the data at issue and the algorithm built with it—as a potential remedy, which the FTC has already employed in several recent enforcement actions.
Although the rulemaking process has indeed begun, all five FTC commissioners indicated that they would prefer that Congress pass a federal privacy law. In his dissent, Commissioner Phillips opined that the effect of this ANPR is to “recast the Commission as a legislature, with virtually limitless rulemaking authority.” Commissioner Wilson warned of the “potential to derail the ADPPA” in her dissent. Moreover, both Republican-appointed commissioners pointed to perceived deficiencies with the ANPR procedure. Commissioner Bedoya responded that the ANPR will not interfere with the federal legislation effort nor would Bedoya “vote for any rule that overlaps” with the ADPPA. Commissioner Slaughter, a long-time proponent for privacy regulation, stated that she would “prefer Congressional action” but “as the nation’s principal consumer-protection agency, we have a responsibility to act.” Even given the breadth of questions raised in the ANPR that will likely define the scope of the rulemaking, action by the FTC would not be as comprehensive as legislation nor would it create a clear national privacy framework that preempts state laws.
What comes next?
Mag-Moss rulemaking is a slow and cumbersome process. In contrast to the rulemaking procedure under the APA (which takes, on average, less than a year to complete rules), the timeline for Mag-Moss rulemaking is almost six years, on average,[1] though the FTC adopted revised rules (yet to be tested) that purport to streamline the rulemaking process somewhat. For more details about the process, please review the agency-published FAQs. Now that the FTC has issued an ANPR explaining the area of potential rulemaking, the next steps are to:
- Allow for public comment on the ANPR
- Issue a Notice of Proposed Rulemaking to outlaw specific “unfair or deceptive” acts or practices
- Hold an informational hearing where concerned individuals can present their own evidence against the rule and, if necessary, cross-examine the FTC’s evidence
- Issue a final rule
- Survive judicial review
  - This is a major hurdle in light of recent Supreme Court decisions such as West Virginia v. EPA that have indicated the Court’s hostility toward overreach by federal agencies such as the FTC. Indeed, Commissioner Phillips’s dissent hinted that this rulemaking might ultimately fall under the “major questions” doctrine articulated in that case. For more on these implications, please see this webinar.
What does this mean for my business?
With new privacy rules, the FTC would give more guidance to companies regarding their collection, use, and sharing of consumer data, which some in the business world may welcome as opposed to being surprised via enforcement letter that they are engaging in an unfair or deceptive practice. Of course, businesses may not welcome yet another overlapping set of data requirements that may impose additional and different obligations than those imposed by the various state privacy laws currently in force or forthcoming.
But companies need not sit on their hands. The ANPR provides valuable opportunities for companies and industry groups to explain many of the benefits of commercial data practices or the costs associated with some of the more aggressive rules hinted at in the agency’s 95 questions. Moreover, the ANPR provides a very helpful window into the agency’s concerns regarding current practices, which creates a roadmap for companies looking to prioritize compliance efforts. Among other things, the FTC is particularly concerned about dark patterns, which refer to interfaces and user experiences that lead people to make unintended and potentially harmful decisions about their personal information—practices that the agency has repeatedly highlighted over the past year in enforcement actions and policy statements. In this way, the ANPR echoes the draft regulations for the California Privacy Rights Act, which also address dark patterns.
To the extent that companies disagree with the factual predicate reflected in the ANPR as well as the FTC’s assertion of its legal authority to promulgate the broad rules contemplated in this proceeding, the comment process provides an opportunity to explain why the FTC’s concerns are not valid or why such practices are not prevalent as well as to provide a preview of the legal arguments the FTC would face in court in a challenge to its rules.
[1] Lubbers, Jeffrey S., It’s Time to Remove the ‘Mossified’ Procedures for FTC Rulemaking (February 2, 2015). George Washington Law Review, Vol. 83, p. 1979, 2015, American University, WCL Research Paper No. 2015-7. Available at SSRN: https://ssrn.com/abstract=2560557.