FTC Proposes Regulatory, Data Collection Enforcement and Security Change | Cooley LLP
Key points to remember
- On August 11, 2022, the Federal Trade Commission announced an Advance Notice of Proposed Rulemaking (ANPR) to initiate a process that would allow it to develop and enforce rules on what the FTC called “commercial surveillance,” which it defines broadly as the “collection, aggregation, analysis, storage, transfer or monetization of consumer data and direct derivatives of such information,” or the security applied to such data.
- The FTC said it must explore these regulations to “crack down on harmful surveillance and lax data security.”
- The ANPR highlights several areas of concern in commercial surveillance and data security, including lax data security, potential harm to children from surveillance-based services, retaliation against consumers who refuse to share personal information, changes in privacy terms over time, lack of transparency in systems for analyzing collected data, biases and/or discriminatory practices arising from commercial surveillance, and the use of “dark patterns” to influence consumer choices related to their data.
- According to the FTC, enforcement alone, without rulemaking, may not sufficiently protect consumers from significant harm, because the FTC Act does not permit the FTC to seek civil penalties for first-time violations of Section 5 of the FTC Act.
- Using its trade regulation rulemaking authority under Section 18, the FTC would be able to impose civil penalties for first-time violations of these rules.
- The deadline for submitting comments on the ANPR will be 60 days after publication of the notice in the Federal Register.
- The public will also have the opportunity to share their comments on these topics during a virtual public forum on September 8, 2022.
- The Consumer Financial Protection Bureau quickly followed by issuing a circular asserting that inadequate information security programs can violate the Consumer Financial Protection Act’s prohibition against unfair, deceptive or abusive acts or practices. For more information on this circular, please see our August 19 Customer Alert.
On August 11, the FTC announced an ANPR on commercial surveillance and data security, in an apparent effort to revive the FTC’s ability to obtain monetary relief for first-time violations after the Supreme Court’s ruling in AMG Capital Management LLC v. FTC, which severely limited the FTC’s power to do so. In the ANPR, the FTC proposes to establish trade regulation rules that would allow it to impose fines for first violations. With the ANPR, the FTC is targeting what it calls “commercial surveillance” and what it describes as lax security around personal data collected by companies.
The FTC is concerned that companies have strong incentives to take advantage of commercial surveillance, which it defines as the “collection, aggregation, analysis, storage, transfer, or monetization of consumer data and direct derivatives of such information,” to track and monitor consumers’ online behavior as much as possible. The ANPR notes that consumers may not be aware of the extent of commercial surveillance or have any meaningful way to avoid it. In particular, the FTC expressed concern about:
- Lax data security to protect consumer data from malicious actors, citing a lack of encryption and other security measures to mitigate data security risks.
- Potential harm to children from surveillance-based services, which the FTC says are addictive for children.
- Retaliation against consumers who refuse to share their personal information by denying them services or charging more for services, raising questions about the validity of their consent.
- Extended uses of data after collection or after using services when companies change privacy terms and require consent to new terms to maintain services.
- The lack of transparency of the systems and algorithms used to analyze the data, and the potential flaws in these systems that could harm consumers.
- Bias and discrimination arising from the use of commercial surveillance datasets and practices.
- Use of “dark patterns” to influence consumers to make certain choices related to online engagement and the sharing of personal information.
The FTC specifically noted that while there are potential benefits to increased personalization, it is aware of reports that such personalization has “facilitated consumer harm” – and that it can be difficult or even impossible for consumers to avoid commercial surveillance practices. The FTC’s regulations would also encompass employee monitoring practices.
The FTC ties this potential harm to security concerns, noting that these datasets can increase the risk of “cyberattacks by hackers, data thieves, and other malicious actors.”
The FTC explained that it is turning to rulemaking because it is unable to impose civil penalties for first-time violations by companies engaged in unfair or deceptive commercial surveillance practices under Section 5 of the FTC Act. The FTC said its current enforcement capabilities are “insufficient to protect consumers from significant harm” from commercial surveillance, in the absence of rulemaking. The FTC said this approach would encourage companies to invest in compliance in this area.
Interestingly, the FTC cites various privacy and data security regulatory regimes as inspiration, including those of the European Union, Brazil, and Canada, as well as recently enacted requirements at the US state level. It notes that these regimes place less emphasis on the traditional notice-and-consent approach. Instead, the FTC focuses on how these jurisdictions adopt a privacy-by-default approach, “increased accountability” for companies, and restrictions on specific practices in this area. It highlights the requirements of the EU General Data Protection Regulation to have a lawful basis for the processing of personal information and the consequent consumer rights, as well as similar rights increasingly provided at the US state level.
Main categories of questions submitted for public comment
The ANPR specifically raises the following categories of questions for public comment:
- To what extent do commercial surveillance practices or lax security measures harm consumers?
- How do commercial surveillance practices or lax data security measures harm children, including teenagers?
- How should the FTC balance costs and benefits?
- How, if at all, should the FTC regulate harmful commercial surveillance or prevailing data security practices? Topics of particular interest include:
  - Regulation in general
  - Data security
  - Collection, use, storage and transfer of consumer data
  - Automated decision systems
  - Discrimination based on protected categories
  - Consumer consent
  - Notice, transparency and disclosure
  - Potential obsolescence of any regulations
The FTC invites public comment on the ANPR and the specific questions it poses. The deadline for submitting comments will be 60 days after the notice is published in the Federal Register, which is expected in the coming days. The public will also have the opportunity to share their comments on these topics during a virtual public forum on September 8, 2022.
Developing FTC rules is a long, multi-step process. Under its “Mag-Moss” rulemaking authority, the FTC must, as it did here, issue an ANPR for public comment, which must also be sent to congressional oversight committees. Then come the public hearings (and there could be several, given the complexity and importance of this issue), followed by a final rule. Within 60 days of the promulgation of the final rule, any person may seek review in the Court of Appeals for the District of Columbia and ask the court to order the FTC to consider additional submissions or to strike down the rule if it is not supported by “substantial evidence,” in addition to any claim under the Administrative Procedure Act. The court’s decision is subject to review only by the Supreme Court. Finally, if there is a change of control in either house of Congress in 2023, additional oversight hearings could further increase the time before the FTC is able to finalize the rule. Given this dynamic, it could be years before this rule is in effect.
A joint effort
The FTC and the Consumer Financial Protection Bureau appear to be taking a collaborative approach to protecting consumer data held by financial institutions. On the same day the FTC announced the ANPR, the CFPB issued a consumer financial protection circular taking the position that providing “[i]nadequate security for sensitive consumer information collected, processed, maintained or stored by… [a] business may constitute an unfair practice” under the Consumer Financial Protection Act. Further information on the circular is available in our August 19 Customer Alert.