FTC Publishes ANPR for Public Comment on Commercial Surveillance and Harmful Data Security Practices
On August 22nd, the Federal Trade Commission (FTC) filed an Advanced Notice of Proposed Rulemaking (ANPR) to the Federal Register, starting the 60-day public comment period. The ANPR was published to “request public comment on the prevalence of commercial surveillance and data security practices that harm consumers.” Spanning 95 questions, the enumerated list of topics that the Commission seeks comments and concerns for covers 10 areas: harms to consumers; harms to children; costs and benefits; regulations; automated systems; discrimination; consumer consent; notice, transparency, and disclosure; remedies; and obsolescence.
The ANPR and following public comment period is the first of six steps the FTC must take under the Section 18 Magnuson-Moss rulemaking process. In the second step, the FTC must provide notice to certain Congressional committees at least 30 days before the Notice of Proposed Rulemaking is published. The third step involves publishing the Notice of Proposed Rulemaking “stating with particularity the text of the rule, including any alternatives . . . and the reason for the proposed rule.” Here, the Notice can only be issued if the FTC has reason to believe that unfair or deceptive acts or practices are prevalent. The fourth step requires informal hearings to be held if requested by interested parties. These hearings include the right to cross-examine and present rebuttal submissions in certain circumstances, and conclude with the presiding officer making a “recommended decision.” In the fifth step, the FTC develops a final rule that includes a statement of basis and purpose, the prevalence of the unfair or deceptive acts or practices addressed by the rule, the manner and context in which the acts are unfair or deceptive, and the economic effect of the rule. The final rule must be published 30 days before the rule can go into effect. Finally, the FTC can enforce the rule in federal court to recover civil penalties against anyone who violates the rule “with actual knowledge [that the act is unfair, deceptive, or otherwise prohibited] or knowledge fairly implied.”
The three Commissioners who voted to begin the lengthy process provided their topics of interest in their concurrences. Chair Khan shared that she would like to build a record on procedural protections versus substantive limits of existing frameworks like the “notice and consent” model, the administrability of security controls and privacy principles that may be difficult to enforce, business models that are premised on persistent tracking and user surveillance, discrimination based on protected categories, and workplace surveillance.. Commissioner Slaughter wrote that she is interested in public comments about data minimization, purpose and use specification, civil rights in the context of discriminatory algorithms, and privacy concerns about children and teens. The recently appointed Commissioner Bedoya stated his interest in emerging discrimination issues on online platforms, children’s and teens’ mental health, fraud and abusive data practices that affect non-English speaking communities, and unfair or deceptive practices related to biometrics.
It is worth noting that the Commission may choose not to proceed with rulemaking if Congress passes the American Data Privacy and Protection Act, as indicated in all five of the Commissioners’ statements. However, as there is no existing comprehensive federal privacy law that safeguards consumer privacy through enforceable cybersecurity measures, the public comment period remains open. The deadline for public comments is October 21st, and a remote forum explaining the process and substance of the proposed rulemaking will be held on September 8th.
Anokhy Desai is a Westin Fellow at the International Association of Privacy Professionals.