On August 11, 2022, the Federal Trade Commission launched its consumer privacy rulemaking process by issuing an Advance Notice of Proposed Rulemaking (“ANPRM”) on commercial surveillance and data security. Through the ANPRM, the FTC posed a series of questions on wide-ranging topics related to privacy and data security. Below we highlight some key questions and debate regarding the ANPRM, as well as takeaways for companies.
Background
The US still does not have a comprehensive federal privacy law. In July, we finally saw progress as the House Energy and Commerce Committee agreed to advance the American Data Privacy and Protection Act (“ADPPA”) to a full floor vote. While many are optimistic about a federal privacy law, there is still general concern that the ADPPA will fail. The ADPPA faces criticism from both business and advocacy groups, as well as the California Privacy Protection Agency, and currently does not have the necessary support from Senate Commerce Committee Chair Maria Cantwell.
To address the lack of a federal privacy law, the FTC announced its intent to make its own rules. The ANPRM is the first step in that process. The FTC issued the ANPRM along party lines, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and Commissioners Wilson and Phillips voting against.
The filing of the ANPRM opens a 60-day public comment period during which any member of the public can submit a comment, either on general topics or addressing a specific question. On September 8, 2022, at the end of this comment period, the FTC will hold a virtual public forum to discuss the ANPRM and invite public feedback. Advance registration is required. After this forum, the FTC will issue a Notice of Proposed Rulemaking with the proposed text of the rule, incorporating information from the comment period. The public will then have a second opportunity to comment. After this public participation, the FTC will publish a final rule that will include a statement of basis and purpose, at which point consumers or organizations have 60 days to file a petition seeking judicial review of the rule.
FTC Jurisdiction and Questions for Comment
The FTC issued the ANPRM pursuant to Section 18 of the FTC Act, and posed 96 questions covering a broad range of commercial data practices, including on the following topics:
- Children and Teens. The FTC invites comment on the extent to which surveillance practices and lax data security measures impact children and teenagers. Questions include whether it is an unfair practice to not maintain privacy-protective settings as a default for children and teens even if sites are not targeted to minors, whether different age groups should receive different protections, and how the FTC should treat “manipulative practices,” including whether prolonged screen time facilitates commercial surveillance.
- Biometric Information. The ANPRM requests comment regarding biometric information, including the types of biometric data collected and their purposes and whether certain biometric practices, such as facial recognition, should be limited.
- Targeted Advertising. The FTC seeks information regarding targeted advertising, including information about the accuracy and cost effectiveness of targeted advertising as compared to alternative techniques, such as contextual advertising.
- Automated Decision-making Systems and Discrimination. Several questions in the ANPRM focus on automated decision-making systems and possible discriminatory effects. For example, the ANPRM asks about the prevalence of algorithmic error and seeks a specific cost-benefit analysis of allowing companies to employ automated decision-making systems in particularly sensitive areas such as housing, credit, and employment. The FTC also poses questions regarding the ability to mitigate algorithmic error in the absence of new trade regulation rules and whether new rules could ensure that automated decision-making practices better protect non-English speaking communities from fraud and abuse.
- Remedies. The FTC considers new forms of relief beyond the deletion of data and monetary penalties. It suggests algorithmic disgorgement as a remedy to “prohibit companies from profiting from unlawful practices related to their use of automated systems.”
Key Takeaways
- We have a long way to go. The FTC rulemaking process is a lengthy one and, given a possible change in the makeup of the FTC in two years, may not ultimately result in a final rule. There has also been significant recent judicial pushback on administrative actions. Commissioner Wilson’s dissent explicitly refers to the “sharp criticism” that agency overreach has recently drawn from courts.
- Focus on current law and those taking effect in 2023. Due to the questions surrounding the passage of the ADPPA and the ultimate success of the FTC rulemaking process, companies should focus their attention on compliance with the state laws taking effect in 2023. The California Privacy Rights Act and the Virginia Consumer Data Protection Act both take effect January 1, 2023. The Colorado Privacy Act and the Connecticut Data Privacy Act both take effect July 1, 2023, and the Utah Consumer Privacy Act takes effect December 31, 2023. However, stakeholders should still keep up to date with the ADPPA and ANPRM and consider submitting comments.
- Insight into FTC concerns and potential enforcement. While the FTC may not ultimately issue a final rule, the ANPRM provides insight into areas of specific interest to the FTC. Children and minors, biometric information, targeted advertising, and automated decision-making systems and discrimination are all major concerns. This aligns with recent trends we have seen in state laws. The FTC is also concerned that data deletion as a remedy is not sufficient to deter bad conduct. The FTC currently cannot issue monetary penalties for first-time violations, and the issuance of rules would allow the FTC to issue penalties in such instances. Although the FTC may not currently be able to issue monetary penalties, we have seen the FTC issue alternative penalties, such as algorithmic disgorgement. For example, algorithmic disgorgement has been used in actions where the FTC had an interest in imposing severe penalties, such as those involving Cambridge Analytica and Everalbum’s facial recognition algorithm, and as a penalty for COPPA violations. With the reference to algorithmic disgorgement in the ANPRM, we expect an increase in the use of this remedy going forward.
- Potential for enforcement actions that go beyond requirements of privacy law. The ANPRM suggests the current privacy landscape of notice and choice might be inappropriate in some areas, citing other countries’ move away from this framework and toward “additional privacy defaults and increased accountability for businesses and restrictions on certain practices.” The ANPRM specifically asks whether certain conduct should be prohibited. It is possible that the FTC may incorporate some of these beliefs into its enforcement actions, although we expect such actions would be challenged as an overstep.
We will continue to monitor progress on the rulemaking process and the progress of the ADPPA and will update accordingly.