The Federal Trade Commission (FTC) announced on August 11 that it is launching a commercial surveillance and data security rulemaking, which is likely to impose new restrictions and obligations on all businesses that collect, use, and store consumer or employee data. The FTC cast an extremely wide net with its first step in the rulemaking process, highlighting a broad range of “concerns” about ordinary ways that companies use data today. If regulations to curb these practices are ultimately promulgated, it would impact businesses across nearly all sectors of the economy. Significantly, privacy rules and security rules would allow the FTC to obtain civil penalties of $46,517 per violation along with other equitable relief, creating the risk of huge fines for companies that experience data breaches or are accused of mishandling consumer and employee information.
Despite the FTC’s announcement last year that it was considering such a rulemaking, the announcement is somewhat surprising in light of the ongoing debate in Congress over the American Data Privacy and Protection Act, a bipartisan comprehensive privacy bill that was recently voted out of committee in the U.S. House of Representatives.
The FTC kicked off the process with an “advance notice of proposed rulemaking” (ANPR). This is the first of many procedural steps required under the FTC’s unfair or deceptive acts or practices (UDAP) rulemaking authority in section 18 of the FTC Act. As required by the Act, the ANPR describes the subject matter under consideration, the objectives the agency seeks to achieve, and possible regulatory alternatives under consideration. This ANPR is sprawling, covering 95 topics addressing a huge range of issues. It broadly addresses two central concerns: “harmful commercial surveillance” and “lax data security.”
The FTC offers an extraordinarily broad definition of the type of “commercial surveillance” it is seeking to curb, and sets out an equally broad set of harms that it could use as evidence of the need to regulate. At issue is nearly every conceivable business activity involving data: “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.” Notably this is not limited to sensitive or even personally identifiable data. The FTC also broadly defined “consumers” to include “business and workers, not just individuals who buy or exchange data for retail goods and services,” suggesting that the agency could try to regulate employee and B2B data. And the FTC is looking beyond typical measures of consumer harm: it seeks to build a record of psychological harms, reputational injuries, and unwanted intrusions that flow from the collection and use of data.
Although the ANPR seems to set the stage for restricting the mere collection and use of data, it also suggests a willingness to set affirmative requirements for how companies protect data once they have it. The ANPR asks about “data security,” which includes “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.” Lax data security practices that cause monetary loss or other substantial injury are a more traditional area of FTC enforcement.
At this stage of the process, the FTC is seeking public comment on the costs and benefits of these practices, and looking to build support for a draft rule. Chair Lina Khan has taken steps to “streamline” the FTC’s rulemaking procedures under section 18, suggesting a desire to move quickly, or at least as quickly as the cumbersome statute will allow. While it is likely to be years before a final rule would take effect, interested parties should participate in the public comment process now in order to help shape the direction of the draft rule and to raise factual issues that the FTC will need to resolve before any regulations can become final.
I. What Is in the ANPR?
Questions to Establish Consumer Harm. The FTC first seeks comment on the extent to which commercial surveillance practices or lax security measures harm consumers. These include questions about how these practices affect ordinary consumers, and children and teenagers specifically, such as:
- The practices companies use to “surveil” consumers and the measures used to protect consumer data, the prevalence of these practices, and the extent to which these practices harm consumers;
- Areas of harm that the FTC has failed to address through enforcement actions, and whether the FTC has adequately addressed “indirect pecuniary harms,” such as psychological harms, reputational injuries, and unwanted intrusions;
- The “kinds of data” that should be subject to a trade regulation rule;
- Various specific concerns about how surveillance and lax security affect kids and teenagers, such as the use of manipulative user interfaces, and whether parental consent adequately protects children and teens from these harms.
A Solicitation of Costs and Benefits. The FTC next asks a series of questions about how it should weigh the costs and benefits of regulation in the context of commercial surveillance and data security. Specifically, it asks what “time horizon” the FTC should use to evaluate regulatory costs and benefits, and the extent to which regulations are likely to impede or enhance innovation and competition, among other things.
A Request for Regulatory Proposals. The ANPR next includes general questions about whether section 18 rulemaking is the right approach to address these issues, or whether existing legal authorities, including self-regulation, are sufficient. The FTC then seeks comment on specific practices that it may seek to regulate, including:
- Data Security. The FTC asks whether businesses should be required to implement administrative, technical, and physical data security measures, and how granular those requirements should be.
- Collection, Use, Retention, and Transfer of Consumer Data. The FTC asks about whether it should “limit” the use of facial recognition, fingerprinting, or other biometric technologies, and whether certain services (such as finance, healthcare, search, or social media) should be banned from engaging in “personalized or targeted advertising.” The FTC also poses a series of questions about the extent to which rules should mandate data minimization, purpose limitations, data retention, and interoperability.
- Automated Decision-Making Systems. The ANPR seeks comment on how to address issues related to “algorithmic errors,” including whether rules should restrict the use of certain automated decision-making practices.
- Discrimination. The FTC seeks comment on how to evaluate and measure algorithmic discrimination, the prevalence of discriminatory practices, and how the Commission should analyze such discrimination, including the extent to which the FTC should rely on “unfairness” under Section 5 to promulgate antidiscrimination rules.
- Consumer Consent. The ANPR asks for comment about whether consumer consent is effective to prevent “unfair” consumer surveillance, and the extent to which rules should prohibit certain surveillance practices irrespective of consumer consent.
- Notice, Transparency, and Disclosure. The agency also asks about the extent to which rules should provide increased transparency or disclosure around commercial surveillance practices, including the specifics of what should be included in disclosures, and whether the FTC should rely on third-party intermediaries (academics, auditors, etc.) to facilitate disclosure rules.
An Exploration of Remedies. Finally, the FTC asks about the remedies it should implement, such as algorithmic disgorgement or other forms of relief or damages that are not explicit in the FTC Act.
II. The Rulemaking Process – A Long Road Ahead
As noted above, the ANPR is just the first of many steps in the FTC’s rulemaking process, which is considerably more burdensome than ordinary APA rulemaking. After the 60-day comment period on the ANPR, the FTC must issue a notice of proposed rulemaking (NPRM), setting forth the text of the proposed rule, any alternatives under consideration, and the reasons for the rule. At the request of any interested party, the FTC must hold informal hearings overseen by a chief presiding officer, which can include oral presentations, document submissions, and cross-examination (subject to some limits). After hearings are concluded, the FTC may promulgate a final rule based on the rulemaking record, accompanied by a “statement of basis and purpose.” Before the rule becomes effective, any interested party may challenge the rule in the D.C. Circuit Court of Appeals, potentially reopening the rulemaking record or setting aside the rule. Given the complexity of the rules suggested by the ANPR, this process will likely take years to complete.
Stakeholders will have multiple opportunities to participate in these proceedings, including in a public forum that the FTC is hosting on September 8, 2022, and by submitting comments in response to the ANPR, which will be due 60 days after publication in the Federal Register.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.