FTC Defends Expansive Privacy and Data Security ANPR at Public Forum

The FTC continues its defense of the wide-reaching Advance Notice of Proposed Rulemaking (ANPR) on “Commercial Surveillance and Data Security” that the Commission, by a 3-2 vote, issued in August. (See the supporting statements of Chair Lina Khan and Commissioners Rebecca Slaughter, and Alvaro Bedoya, and the dissenting statements of Commissioners Christine Wilson and Noah Phillips.)

On Thursday, September 8, the FTC hosted a public forum on the notice, featuring remarks by Chair Khan, Commissioner Bedoya, and panels featuring guests representing industry and consumer interests. The participants in each panel were:

Panel 1: Industry Perspectives (Moderator: Olivier Sylvain, Bureau of Consumer Protection)

  • Jason Kint, Chief Executive Officer, Digital Content Next
  • Marshall Erwin, Chief Security Officer, Mozilla
  • Paul Martino, Vice President and Senior Policy Counsel, National Retail Foundation
  • Rebecca Finlay, Chief Executive Officer, Partnership on AI

Panel 2: Consumer Advocate Perspectives (Moderator: Rashida Richardson, Office of the Chair)

  • Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC)
  • Harlan Yu, Executive Director, Upturn
  • Amb. Karen Kornbluh, Director, Digital Innovation and Democracy Initiative, German Marshall Fund
  • Spencer Overton, President, Joint Center for Political and Economic Studies
  • Stacey Gray, Senior Director for U.S. Policy, Future of Privacy Forum (FPF)

Opening up the Forum, Chair Khan emphasized that the Commission’s goal is to learn and understand how the FTC might most effectively create and enforce an effective rule.  The Chair noted that the FTC intends to involve all parties in the rulemaking process.  At the time of the event, the FTC had already received 65 comments on the ANPR. While the ANPR includes an impressive swath of 95 questions, the Commission designed the Forum to focus on three questions:

  1. Which commercial surveillance practices are prevalent?
  2. How should the commission identify harm?
  3. Which harms has the commission failed to address?

Industry representatives voiced a consensus that consumers are amenable to direct marketing and data collection based on consent. Commentors highlighted that if consumers pay for a subscription, they typically understand that they are consenting to the subscription provider collecting data to enhance their experience of the product. Commentors noted that privacy concerns from consumers generally focus on behavioral advertising, automated and AI-powered data collection, and transfers of data to third parties where there was no express consent.  Industry representatives highlighted the appropriateness of enhanced mechanisms to facilitate increased transparency, data minimization and choice.

Consumer advocate panelists expressed consensus that widespread data collection imposes a variety of potential harms, including increasing data breach risk, national security risks, and creating opportunities for discrimination and harassment.  In particular, panelists highlighted the potential for discrimination in less obvious ways. They provided examples of the potential for users to face discrimination in the opportunities advertised to them, e.g., if an algorithm delivers job opportunities primarily to male audiences. They also highlighted how users may face discrimination if collected data makes it harder to seek opportunities, e.g., if arrest records or eviction notices are collected for landlord background checks. Panelists also noted a concern that widespread data collection may create national security risks, including by allowing nation states and other hostile actors to identify sensitive commercial data about U.S. military and intelligence personnel. (Congress is concerned too: Section 605 of the proposed National Intelligence Authorization bill orders the Director of National Intelligence to report to Congress on exactly that issue.)

Panelists advocated for some form of a data minimization rule, allowing collection of data only if reasonably related to the service being provided. Panelists suggested that it may be appropriate to ban all secondary uses of data and prevent any sale of data to data brokers. Some panelists, however, noted that banning secondary uses would come with notable economic and non-economic costs, e.g., if it became harder to acquire demographic data for positive voter outreach.

Panelists also highlighted consent and anonymization as useful ways to improve the legitimacy of data collection, although noted that they might be insufficient to protect privacy interests. Some pointed out that the GDPR’s regime to legitimate data processing, whereby consent is just one of six lawful bases, may be an instructive model.  Panelists also argued that consent should not be a valid basis in certain circumstances, such as for children or in employer-employee relations.

Addressing the elephant in the room (and perhaps some Republicans not in the room), Commissioner Bedoya closed the Forum with concluding thoughts in defense of the ANPR’s breadth.  Commissioner Bedoya’s comments drew on the U.S. commercial privacy tradition reaching back to Warren and Brandeis’s 1890 article, and argued that the early privacy torts went beyond restrictions on collecting information and extended to use, access, and correction. “The breadth of ANPR reflects breadth of  [American commercial privacy] tradition,” Bedoya concluded.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.