United States: FTC Proposes Change In Regulation, Enforcement Of Data Collection And Security

Key Takeaways

• On August 11, 2022, the Federal Trade Commission announced an advance notice of proposed rulemaking (ANPR) to initiate a process that would allow it to develop and enforce rules on what the FTC has termed "commercial surveillance," which it broadly defines as the "collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information," or the security applied to that data.
• The FTC said it needed to explore this rulemaking to "crack down on harmful surveillance and lax data security."
• The ANPR highlighted several areas of concern in commercial surveillance and data security, including lax data security, potential harm to children from surveillance-based services, retaliation against consumers who decline to share personal information, changes to privacy terms over time, lack of transparency in the systems that analyze the collected data, bias and/or discriminatory practices arising from commercial surveillance, and the use of "dark patterns" to influence consumer choices related to their data.
• According to the FTC, enforcement alone, without rulemaking, may not sufficiently protect consumers from significant harm, as the FTC Act does not allow the FTC to seek civil penalties for first-time violations of Section 5 of the FTC Act.
• By using its Section 18 trade regulation authority, the FTC would be able to impose civil penalties for first-time violations of those rules.
• The deadline for submitting comments to the ANPR will be 60 days after the notice is published in the Federal Register.
• The public also will have an opportunity to share input on these topics at a virtual public forum on September 8, 2022.
• The Consumer Financial Protection Bureau quickly followed by publishing a circular asserting that inadequate information security programs can constitute violation of the Consumer Financial Protection Act's prohibition on unfair, deceptive, or abusive acts or practices. For more information on that circular, please see our August 19 client alert.

On August 11, the FTC announced an ANPR about commercial surveillance and data security, in an apparent effort to revive the FTC's ability to obtain monetary relief for first-time violations after the Supreme Court's ruling in AMG Capital Management LLC v. FTC, which severely limited the FTC's authority to do so. In the ANPR, the FTC proposes to establish trade regulation rules that would allow it to issue fines for first-time violations. With the ANPR, the FTC takes aim at what it terms "commercial surveillance" and what it describes as lax security around the personal data collected by companies.

FTC's concerns

The FTC is concerned that companies are strongly incentivized to leverage commercial surveillance, which it defines as the "collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information," to track and surveil consumers' online behavior as much as possible. The ANPR notes that consumers may not be aware of the scope of the commercial surveillance or have meaningful ways to avoid it. In particular, the FTC expressed concerns about:

• Lax data security for keeping consumer data safe from malicious actors, citing a lack of encryption and other security measures to mitigate the data security risks.
• Potential harm to children from surveillance-based services, which the FTC contends are addictive to children.
• Retaliation against consumers who opt out of sharing their personal information by denying them services or charging more for services, raising questions about the validity of their consent.
• Expanded uses of data post-collection or post-use of services when companies change the privacy terms and require consent to the new terms to maintain services.
• Lack of transparency in the system and algorithms used to analyze the data and the potential flaws in such systems that could result in harm to consumers.
• Bias and discrimination arising from the use of commercial surveillance data sets and practices.
• Use of "dark patterns" to influence consumers to make certain choices related to online engagement and sharing of personal information.

The FTC specifically noted that, while there are potential benefits to increased personalization, it is aware of reports that such personalization has "facilitated consumer harms" – and that it can be difficult, if not impossible, for consumers to avoid commercial surveillance practices. The FTC's rulemaking would encompass employee surveillance practices as well.

The FTC ties these potential harms to security issues by noting that these data sets may increase the risks of "cyberattack by hacker, data thieves, and other bad actors."

Rulemaking

The FTC explained that it is turning to rulemaking because it is unable to impose civil fines for first-time violations by companies engaged in unfair or deceptive commercial surveillance pursuant to Section 5 of the FTC Act. The FTC stated its current enforcement abilities are "insufficient to protect consumers from significant harms" related to commercial surveillance, absent rulemaking. The FTC said that this approach would incentivize companies to invest in compliance in this area.

Interestingly, the FTC cites various data privacy and security regulatory regimes as inspiration, including those in the European Union, Brazil and Canada, as well as recently enacted US state-level requirements. It notes that these regimes place a reduced emphasis on the traditional notice and consent approach. Instead, the FTC focused on how these jurisdictions take the approach of privacy by default, "increased accountability" for businesses and restrictions on specific practices in this area. It highlights the EU's General Data Protection Regulation's requirements for having a lawful basis for processing personal information and the consumer rights provided thereunder, as well as similar rights increasingly provided at the US state level.

Key categories of questions for public comment

The ANPR specifically raises the following categories of questions for public comment:

• To what extent do commercial surveillance practices or lax security measures harm consumers?
• To what extent do commercial surveillance practices or lax data security measures harm children, including teenagers?
• How should the FTC balance costs and benefits?
• How, if at all, should the FTC regulate harmful commercial surveillance or data security practices that are prevalent? Topics of particular focus include:
  • Rulemaking generally
  • Data security
  • Collection, use, retention and transfer of consumer data
  • Automated decision-making systems
  • Discrimination based on protected categories
  • Consumer consent
  • Notice, transparency and disclosure
  • Remedies
  • Potential obsolescence of any rulemaking

Next steps

The FTC is seeking public comment on the ANPR and the specific questions it poses. The deadline for submitting comments will be 60 days after the notice is published in the Federal Register in the coming days. The public also will have an opportunity to share input on these topics at a virtual public forum on September 8, 2022.

FTC rulemaking is a lengthy, multistep process. Under its "Mag-Moss" rulemaking authority, the FTC must, as it has done here, issue an ANPR for public comment that also must be sent to congressional oversight agencies. Next are public hearings – and we could see several, given the complexity and importance of this issue – followed by a final rule. Within 60 days of promulgation of the final rule, any person can seek review in the District of Columbia Court of Appeals and petition the court to direct the FTC to consider additional submissions or set aside the rule if it's not supported by "substantial evidence," in addition to any claims under the Administrative Procedure Act. Court decisions are subject only to Supreme Court review. Finally, if there is a change of control in either chamber of Congress in 2023, additional oversight hearings could further increase the time before the FTC is able to finalize the rule. Given these dynamics, it could be years before this rule is in effect.

A joint effort

The FTC and the Consumer Financial Protection Bureau appear to be taking a collaborative approach to the protection of consumer data held by financial institutions. On the same day that the FTC announced the ANPR, the CFPB published a Consumer Financial Protection Circular taking the position that providing "[i]nadequate security for the sensitive consumer information collected, processed, maintained, or stored by ... [a] company can constitute an unfair practice" under the Consumer Financial Protection Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.