The Federal Trade Commission (FTC) has announced that it is considering proposals that would place strong and sweeping new regulations on consumer data processing and handling, with a focus on the “commercial surveillance” conducted by data brokers. The FTC rules now enter a public comment period of 60 days after passing a 3-2 vote for publication in the Federal Register, and could bypass the legislative process to become the first real comprehensive federal standards addressing data privacy issues for all industries.
FTC rules could bring massive change to companies dealing in consumer data
The process is only at its very beginning and has several remaining steps to completion, but the new FTC rules have a path to bypassing the usual legislative process that has bogged down the development of federal data privacy standards.
FTC Chair Lina M. Khan took on the business of commercial surveillance in a public statement, citing the growing digitization of the economy as a pressing need for immediate strengthening of consumer data regulations. Khan described business models that “hoover” up personal data as potentially engaging in a variety of illegal practices, obscured by the opaque nature of the industry and lack of insight into how companies collect personal data and the massive profiles that third parties accumulate.
The proposed FTC rules address a general lack of consent given to collect consumer data, along with awareness about how much is taken and how it is used, but also address data security and the potential for addiction that commercial surveillance games and services create when they are aimed at children.
The FTC has some existing means to address consumer data abuses under the FTC Act, but the chief limitation on these powers is the lack of ability to assess fines. The proposed FTC rules would represent a significant expansion of power for the agency, and proceeds with a 3-2 split among the commissioners that seemed to boil down to differences over the involvement of Congress in consumer data regulation (as well as some level of political affiliation).
A virtual public forum is being held on September 8, roughly halfway into the public commentary period, to which the general public is invited to attend. This is scheduled to run for five hours and cover a broad variety of topics, from the cost/benefit considerations of proposed regulations to what forms of relief for damages might look like.
Consumer surveillance under fire as public grows increasingly frustrated with “big data” breaches
Surveys show that consumers have become well-informed about the hidden costs of commercial surveillance, but the FTC notes that they are nevertheless expected to acquiesce to these terms as a price of access to modern technology and communications. There is also increasing restiveness regarding a seemingly endless stream of consumer data breaches, severely undermining faith in the ability of companies to safeguard all of the personal information they are “hoovering” up.
The FTC rules proposal thus far consists of a list of 95 questions regarding the shape its new regulations might take. One example is an exploration of requirements for businesses to encrypt consumer data, querying how “granular” such a requirement might be if it were included. Another is the extent to which existing trade regulations, such as COPPA and the GLBA Safeguards Rule, should be used as guidelines for data security requirements. COPPA creates special rules for the protection of consumer data for those under the age of 13, such that many sites and services simply forbid users under that age due to the complexity of compliance. The Gramm–Leach–Bliley Act (GLBA) puts special requirements on the handling of sensitive financial data.
Though the announcement thus far seems to be welcomed by privacy advocates and opponents of commercial surveillance, it is tempered by the expectation that this rulemaking process will ultimately take years to play out and may well cross political administrations (and appointed commissioners). Republican appointees are more likely to oppose new FTC rules, generally viewing this sort of business regulation as a matter for Congress to handle. The move might end up being more effective to spur Congress into working through its own version of similar legislation, which could be handled within a much shorter time window if a true effort was made.
Daniel Kaufman, Partner at BakerHostetler, who previously served as the acting director of the FTC’s Bureau of Consumer Protection, is not bullish on the potential of this path to regulation of commercial surveillance: “By a 3-2 vote, the FTC has initiated a rulemaking that is truly broad in scope and, if completed, would have an enormous impact on how companies do business. This rulemaking will proceed for many years, and any broad rule that ultimately issues would likely encounter serious legal challenges regarding whether the agency has the authority to implement such a rule.”
As things stand now, the actual FTC rules will be developed at some point after the public commentary period is over. In Congress, the American Data Privacy and Protection Act (ADPPA) is before both the House and Senate and has bipartisan support. However, there is also state-level opposition to the bill due to it potentially weakening existing consumer data protection standards and restrictions on commercial surveillance. Big tech is also rallying against the ADPPA, primarily in opposition to the ability of consumers to use its findings to bring class action suits against them.