What the FTC’s Data Collection Review May Mean
Increased regulatory scrutiny could come in the coming years if the U.S. Federal Trade Commission cracks down on corporate data collection. Privacy professionals and attorneys from the International Association of Privacy Professionals (IAPP) and Lowenstein Sandler, respectively, weigh in on the federal agency’s announcement this month.
The FTC said it would explore introducing rules on what it calls “commercial surveillance,” referring to the collection, analysis, and commercial profit from data collected from and about the public. . The FTC also claimed that the massive scale of this surveillance increases the risks of data breaches and manipulation.
The agency said it wanted public comment regarding the alleged harms and damages attributed to the collection of data about people, citing the tracking of browsing histories, online purchases and physical location through devices, apps and software. The FTC has exposed the failure of some companies to sufficiently secure the massive amounts of consumer data they have collected, as well as the potential for discrimination against consumers due to bias or inaccuracies in algorithms. .
The public comment period is just the first step in a process that could take several years, says Cobun Zweifel-Keegan, chief executive of the International Association of Privacy Professionals. “It’s quite rare for them to engage in this process, partly because it takes so long,” he says. “That’s not the goal of what they do as an agency. They are much more law enforcement oriented.
Zweifel-Keegan sees it as a continuation of a needed broader conversation with various regulators looking at data, privacy, and how companies manage this space. The questions posed by the FTC, he says, are not terribly new. “There’s nothing in there that comes completely out of left field. It is certainly in line with the direction other regulators are heading.
More responsibility needed
The FTC, Zweifel-Keegan says, is making it clear that it wants to move away from a regime focused on opinions and choices for online privacy, toward a regime with more accountability, clearer restrictions on the treatment of data and more protective default settings. .
The FTC’s regulatory steps, which include reviewing alternatives to new regulations, could take years, Zweifel-Keegan says, but establishing a final rule isn’t the only goal of the FTC. ‘agency. “He’s also interested in shaping the political conversation, including in Congress,” he says.
The 60-day comment period for this case begins when it is printed in the Federal Register with an expected mid-October deadline for stage one comments, Zweifel-Keegan said. Considering the steps and years it can take, the process has only been completed a handful of times since 1980, he says, and has never taken less than five years to complete a regulation from scratch. . “There are a lot of moving parts in a five-year timeframe that could change the course of that,” Zweifel-Keegan says.
As the FTC releases more material on the proposed regulations, there may be more clarity, he says, about what the possible rules might be and how they might align with other regulatory changes. . States such as California and Colorado already have ongoing or active data privacy rules, and Zweifel-Keegan sees the FTC following those policies. “The best thing for organizations to actually do at this point would be to comment,” he says.
FTC and learning from business realities
This could help the FTC better understand business realities, Zweifel-Keegan said, including the risks and rewards of their business models. For example, the FTC is studying how to establish rules to encourage companies to minimize the amount of data collected to what is strictly necessary and to shorten their retention period. “Understanding how this balance will work will be an interesting exercise,” says Zweifel-Keegan. “The more information the FTC has to understand how this economic and ethical balance works in practice, that would be really beneficial.”
The potential FTC rule comes at a time when state and federal data privacy laws are already in effect. US privacy and data protection law is making its way through Congress. In January 2023, the California Privacy Rights Act (CPRA) is expected to go into effect. Other states, including Virginia, Utah, Colorado and Connecticut, also have data privacy legislation set to go into effect next year.
The FTC’s announcement may be a curve ball in an already complex but not unexpected landscape, says Mary Hildebrand, partner at Lowenstein Sandler and founder and chair of the law firm’s privacy and cybersecurity group. “The new commissioner signaled almost as soon as she was appointed that she would be taking a much tougher stance on privacy and cybersecurity.”
The FTC needs to go through a variety of steps and steps before it can fully establish its regulatory position on data privacy, she says. “The FTC needs to create a public record that there’s almost a pattern of deception, unfair and deceptive practices, so it can proceed and even prepare regulations,” Hildebrand said. “We are a long way from the FTC actually issuing regulations.”
The wording of the FTC’s announcement drew particular attention, particularly references to cracking down on commercial surveillance. “That, I think, is meant to get a lot of attention, and succeeded in doing so,” she says. The FTC’s description of commercial surveillance, Hildebrand says, can put a wide range of businesses in the agency’s crosshairs. “Commercial surveillance, as it’s defined, I would be hard pressed to think of any collection and processing of data that is done online that doesn’t fit that broad description,” she says. “We are talking about very common commercial business practices here.”
“Laxity of data security”
The FTC’s reference to “lax data security” includes more than preventing and reporting data breaches, Hildebrand says. “This encompasses data governance, data minimization, data stewardship and data retention policies.”
There is a difference in tone, she said, between what the FTC seems to be proposing and how states approach data privacy. While the FTC discusses consumer data privacy protections, Hildebrand says examples of state laws use language that allows consumers more control over data privacy. “CAPL and a number of other state laws have pretty extensive opt-out rights,” she says.
Navigating the policies that the FTC might introduce can be a challenge for businesses. Hildebrand likens the situation to building a house while living in it as building codes keep changing. “This is not a welcome development because we have so many federal and state authorities involved not only in enforcing applicable laws, but also in developing them.”
For example, if a company takes steps to comply with the CPRA, it will still need to balance compliance with other states’ data privacy laws as well as any rules developed by the FTC. “It’s going to raise all sorts of interesting questions about which laws control, what are the best practices, and how best to comply with them,” says Hildebrand. “It creates more confusion.”
If the federal data privacy law becomes law, she says it could clarify some of that because it would likely replace most state laws on the subject. “If Congress passes a new law, the FTC will work with that, to provide rules and regulations that explain it,” Hildebrand said. Federal data protection law will likely designate the enforcement agency, which could fall to the FTC, she says.
“I would be a strong supporter of a national data protection law. I think it’s high time,” says Hildebrand. “We just want to know what the rules are.”
What to read next:
Can data collection persist despite post-Roe privacy issues?
Roe v. Wade and the New Data Privacy Trouble
Intensified Data Privacy Enforcement Measures