Blog Data, Privacy + Cybersecurity Insights August 12, 2022

FTC Announces Advanced Notice of Proposed Rulemaking on Privacy and Data Security

On August 11, 2022, the FTC issued an Advanced Notice of Proposed Rulemaking (ANPR) to request public comment on commercial privacy and security practices and their effects on consumers. The ANPR is a first – and tentative – step towards the development of privacy and data security regulations that would, if passed, strengthen the FTC’s privacy and security authority and could establish wide-ranging new requirements for companies that handle personal information. The FTC commissioners approved the measure by a 3-2 majority along party lines, with Republican-appointed Commissioner Noah Phillips, who recently announced his departure from the agency, issuing a fiery dissent.

Interested parties have 60 days from publication of the ANPR to submit comments.

Background

For more than 25 years, the FTC has used its statutory authority against “unfair or deceptive acts or practices” to bring enforcement proceedings against companies that allegedly “deceived” consumers about their privacy practices or engaged in “unfair” activities, such as failing to adequately safeguard personal information. Enforcement in these cases typically relied on settlements with the companies and consent orders requiring the companies to implement new measures to safeguard personal information. In some cases, the FTC required companies to implement detailed data governance programs.

The FTC’s approach to privacy and data security enforcement has been piecemeal, with the agency choosing to advance industry standards one case at a time rather than through comprehensive regulations.

While FTC privacy and security enforcement has survived judicial scrutiny, recent court losses have demonstrated the limits of the FTC’s authority. For example, a 2018 decision by the Eleventh Circuit narrowed the scope of the remedies the FTC could seek in data security cases by requiring the FTC to demonstrate that the selected measures specifically remedied the identified harms. Last year, the Supreme Court ruled that the FTC needed to follow a more rigorous administrative process in order to seek certain forms of monetary relief, such as repayment of illegally-obtained fees.

In the meantime, anticipation that the FTC would initiate rulemaking on privacy and security has grown in recent years. Last March, Acting FTC Chair Rebecca Kelly Slaughter announced the formation of a new group within the FTC to explore rulemaking. Shortly after her Senate confirmation, the FTC’s new Chair, Lina Khan, announced her intention to pursue privacy and data security rules.

This ANPR is the first step in the winding rulemaking process the FTC must follow under the 1975 Magnuson-Moss Warranty Act. From here, the FTC will need to review the public comments it receives, and, if it decides to pursue regulations, notify Congress before it can file a Notice of Proposed Rulemaking. The FTC then needs to hold hearings in which interested parties will have broad procedural rights, including rights to cross-examine and present rebuttal submissions.

The ANPR aims to curb “lax data security” and “commercial surveillance.”

Throughout the ANPR, the FTC states that the agency’s aim in proposing rulemaking is to address “lax data security practices” and “harmful commercial surveillance.”

The ANPR defines the concept of data security widely to include traditional data security concerns such as breach risk mitigation and breach notification, as well as broader concepts such as data management, data retention, data minimization, and disclosure practices.

The ANPR also specifically identifies a need to regulate “commercial surveillance,” a charged term which the ANPR defines as the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.

In a break with past practice, the ANPR proposes to define “consumers” to include businesses and workers, citing the need to “protect small businesses or individuals in contexts involving their employment or independent contractor status.” Previously, the FTC has refrained from applying privacy and security requirements to personal information about employees and individuals acting in a professional capacity.

Pursuing stronger enforcement powers

The ANPR states that regulation of privacy and data security through enforcement alone has been “insufficient to protect consumers from significant harms.” Specifically, the ANPR explains that the limits to the remedies available to the FTC have prevented the agency from curbing harmful corporate behavior. The ANPR, therefore, suggests that the FTC would pursue rules that enable it to levy monetary penalties without needing to establish direct financial injury to consumers.

The ANPR also explains that proposing rules could “foster a greater sense of predictability for companies and consumers” while at the same time reducing “the uncertainty that case-by-case enforcement may engender.” A further motivation for rulemaking is the current lack of adequate resources to pursue the high volume of reported violations that the agency receives.

Dissents from Commissioners Phillips and Wilson raise questions about the scope of the FTC’s authority

All five Commissioners wrote separately in support of their respective votes. Commissioners Khan, Slaughter and Bedoya – the three Democratic appointees – each highlighted novel areas that will be explored in the ANPR. For example, Chair Khan addressed her interest in studying “information asymmetries” through the regulatory process; Commissioners Slaughter and Bedoya both highlighted the role a proposed rule could play in strengthening civil rights and addressing harms to vulnerable communities.

In dissent, Commissioner Wilson questioned the timing of the ANPR, particularly in light of Congress’s continued debate over the bipartisan American Data Privacy and Protection Act (ADPPA). Commissioner Phillips, who this week announced he was stepping down from his role, argued in dissent that the ANPR exceeds the Commission’s Rule 18 authority by including “common business practices we have never before even asserted are illegal.” Commissioner Phillips’s dissent previews challenges any future rule resulting from the ANPR may have under the Supreme Court’s recent elaboration of the “major questions doctrine” in West Virginia v. EPA.

Consultation questions

The ANPR sets out dozens of questions on which the FTC is seeking public comment. Key topics include, among others:

  • Whether the FTC should seek to regulate privacy and security, and if so, how;
  • Identifying and quantifying harms to consumers – and specifically to children and teens;
  • Automated decision making systems;
  • Discrimination based on protected categories;
  • Consumer consent;
  • Notice, transparency and disclosure; and
  • Remedies for violations.

How to submit comments

Interested parties have 60 days from publication of the ANPR to file comments. The ANPR encourages commenters to include supporting materials and executive summaries along with their comments.

In addition, the FTC announced that it will hold a public forum on September 8, 2022, from 2 p.m. until 7:30 p.m. eastern time. More information is available here.
