FTC ANPR Explores Wide Ranging Topics for Privacy and Cybersecurity Rulemaking
On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices. The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive. The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements. Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements. The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.
FTC Rulemaking Authority
The FTC, under Section 18 of the Federal Trade Commission Act (“FTC Act”), is authorized to make industry-wide trade regulations (“Magnuson-Moss Rules” after the authorizing statute) that “define with specificity” conduct that violates the FTC Act’s ban on “unfair or deceptive” business practices. Because of scope of this authority, the rulemaking procedures include a number of lengthy procedural safeguards, which include the ANPR, the Initial and Final Notice of Proposed Rule Making (“NPRM”), requested hearings with cross-examination on certain issues, and the recommendations of the Presiding Officer. The rulemaking procedures were changed in July 2021, during which time the FTC voted 3-2 to increase its control over the rulemaking process. This change opened the ability for the FTC to expand its oversight of privacy and cybersecurity issues. Importantly, the Chair has named herself the Chief Presiding Officer and will presumably designate the Presiding Officer for the rule.
Sidley Senior Counsel, former FTC Chairman, Tim Muris said:
Like last year’s changes to the procedures for Section 18, and as the dissenting Commissioners note, this ANPR fails basic procedural and substantive standards for beginning a rulemaking, especially one this important. Rather than providing notice of sensible alternatives under consideration, the document is so vast as to indicate an agency at the very beginning of trying to understand these extraordinarily complex issues. An ANPR is surely premature under these circumstances.
The FTC’s ANPR affords significant focus to the concept of “commercial surveillance,” which the FTC broadly defines as the “business of collecting, analyzing, and profiting from information about people” and is intended to cover practices far broader than traditional consumer reporting or data broker activities. The FTC therein highlighted concerns about the volume of consumer data collection within the modern digital economy, including passive collection of information that consumers do not proactively share, and potentially, may not be aware of. The FTC additionally noted cybersecurity risks attendant to the collection of large volumes of information and the potential for misuse of this data for, among other purposes, data theft and fraud. Further concerns highlighted by the ANPR include the impacts from automated systems ingesting these large volumes of data which could be prone to error and biases, and in turn potentially result in discrimination.
The breadth of topics within the ANPR—including 95 pointed and often multi-part questions—was notable, but not a surprise. The FTC has used its existing authority under section 5 of the FTC Act to bring enforcement actions against companies for privacy and data security violations, and has used a variety of policy thought leadership strategies, including its annual PrivacyCon, to highlight its interest in potential consumer harms relating to commercial surveillance, AI, and information security standards for many years. However, this ANPR makes clear that the FTC is interested in expanding its ability to protect consumers affected by such practices, including by expanding the FTC’s authority to seek financial penalties for first-time violations.
The FTC appears poised to move expeditiously along what would be a long road to eventual rules. The deadline for submitting comments is 60 days from the publication in the Federal Register. A virtual public forum has been scheduled for Thursday, September 8, 2022, from 2 p.m. until 7:30 p.m. EST, during which the public will also have the ability to share their input on the topics.
Intersection with ADPPA and Chair/Commissioner Statements
Meanwhile, intense debate and incremental progress continues in Congress over the American Data Privacy and Protection Act (ADPPA), bi-partisan comprehensive privacy legislation that had been reported out of the House Energy and Commerce Committee on July 20, just a few weeks before the ANPR was issued. Both Republican Commissioners criticized the ANPR in part as potentially threatening the progress and momentum of that sorely needed comprehensive federal privacy law.
Chair Khan, in her statement, highlighted that the FTC is the “de facto law enforcer” of consumer privacy practices and has authority, under Section 18 of the FTC Act, to issue rules identifying specific business practices as being “unfair” or “deceptive.” Observing that there would be a number of procedural steps to be taken by the FTC to implement any rules, and dismissing concerns that the ANPR would stymie legislation, she expressed hope that the ANPR and subsequent public comment would provide companies with more clarity about their data privacy obligations and build a record that could “serve as a resource to policymakers across the board.” She also highlighted her particular interest in building a record around the following topics: the limits of the protective effect of the “notice and consent” framework for certain categories of data collection; the administrability of implementing and enforcing consumer data privacy rules; the prevalence of business models incentivizing persistent commercial surveillance; discrimination resulting from use of automated systems; and perhaps surprisingly, workplace surveillance.
Commissioner Slaughter’s statement and Commissioner Bedoya’s statement also conveyed optimism over the ADPPA and consensus that federal privacy legislation is needed. However, both emphasized that the FTC does have authority to regulate in this space and that the ANPR would neither interfere with the legislative efforts to pass the bill nor conflict with the provisions included in the bill. Commissioner Bedoya highlighted his topics of particular interest as follows: emerging discrimination issues; mental health outcomes for kids and teens associated with social media use; protecting non-English speaking communities from fraud and other abusive data practices; and protecting against unfair or deceptive practices related to biometrics. Commissioner Slaughter highlighted her interest in data minimization efforts and purpose of use specifications; civil rights violations and the impacts on vulnerable and marginalized populations from discriminatory algorithms; and children’s privacy issues and the potential harms from social media use.
Commissioners Phillips and Wilson dissented, arguing that the ANPR represented a serious overreach of FTC authority. Commissioner Phillips’ statement characterized the majority’s use of “commercial surveillance” terminology as an “academic pejorative,” and expressed his concern that the ANPR “provides no clue what rules the FTC might ultimately adopt,” and that the ANPR seeks to limit or ban conduct it deems harmful without proposing alternatives that would empower consumers to take control of their data and privacy. Echoing the recent Supreme Court decision in West Virginia v. E.P.A., Commissioner Phillips highlighted how the ANPR seeks to address major questions that should be left to Congress, and stated that he could not support what appears to be “first step in a plan to go beyond the [FTC]’s remit and outside its experience to issue rules that fundamentally alter the internet economy without a clear congressional mandate.” Commissioner Phillips also decried what he called the majority’s “dystopic” view of American commerce.
Commissioner Wilson, in her statement, also observed that such regulatory and enforcement overreach, as proposed in the ANPR, “increasingly has drawn sharp criticism from courts,” and that “[r]ecent Supreme Court decisions indicate FTC rulemaking overreach likely will not fare well when subjected to judicial review.” She emphasized that Chair Khan’s recent statements do not suggest that the proposed rule provisions would “fit within the Congressionally circumscribed jurisdiction of the FTC.” She also expressed her concerns that the ANPR would be used as an excuse by opponents of ADPPA to derail the bill.
A Likely Long Wait for Finality
While the outcome of this ANPR is likely years away, it nonetheless provides significant insight into the potential enforcement objectives of the Commission for the next couple of years. Departing Commissioner Phillips has expressly called out the limited enforcement record on several of the purported commercial surveillance issues as a key flaw in the intended rulemaking process. Indeed, enforcement actions are a key tool for the FTC to build a record on the prevalence of potentially unfair and deceptive acts and practices to support rulemaking. Accordingly, while the ANPR process should be monitored as it portends future rules the FTC may enact, the FTC’s Consumer Protection Bureau may well be stirred to act on these issues in the meantime.