FTC Publishes Advance Notice of Proposed Rulemaking For a New Privacy Rule
August 11, 2022, Covington Alert
Today, the Federal Trade Commission (“FTC”) released an Advance Notice of Proposed Rulemaking (“ANPRM”) to seek public comment on data privacy and security practices – which it has begun to refer to as “commercial surveillance” practices – that potentially harm consumers. Specifically, the ANPRM broadly asks whether the agency “should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”
The ANPRM is not unexpected, as the FTC indicated earlier this year in a submission to the Office of Management and Budget that it is considering initiating a rulemaking under Section 18 of the FTC Act, 15 U.S.C. § 57a, to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” Under the FTC Act and the agency's Rules of Practice, the FTC is required to publish an ANPRM prior to the commencement of any trade regulation rulemaking proceeding under Section 18. 15 U.S.C. § 57a(b)(2); 16 CFR § 1.10. The ANPRM must "[c]ontain a brief description of the area of inquiry under consideration, the objectives which the Commission seeks to achieve, and possible regulatory alternatives under consideration by the Commission." 15 U.S.C. § 57a(b)(2)(A)(i); 16 CFR § 1.10(b)(1). Although today's ANPRM describes the potential subject matter of the regulation, it provides little or no detail on the objectives which the FTC seeks to achieve or the various regulatory alternatives under consideration.
Questions in the ANPRM focus on assessing the types and degree of consumer harm stemming from "lax data security" and "commercial surveillance" practices. For example, the FTC calls for comment on whether lax data security and commercial surveillance practices result in non-pecuniary consumer harms, such as physical, psychological, and reputational harm. The FTC has also solicited comments on harms to children, "including teenagers," resulting from these practices, and requests comment on whether erasure tools or default privacy settings would be appropriate for teenagers. Additionally, the ANPRM asks for comments on algorithmic decision-making, including the prevalence of algorithmic error, discrimination based on protected categories facilitated by algorithmic decision-making systems (and whether the FTC should consider additional categories of protected classes, such as unhoused people or residents of rural communities), and how the FTC should address algorithmic discrimination through the use of proxies. Also notable, the ANPRM requests comment on the effectiveness of consumer consent, and asks if trade rules promulgated by the FTC should "prohibit certain specific commercial surveillance practices, irrespective of whether consumers consent to them."
Notably, the ANPRM does not propose specific new rules. Rather, it is intended to develop a record that will inform future proposed rules, which the FTC will need to develop under Magnuson-Moss rulemaking procedures. These procedures require the FTC to take several steps before promulgating new rules, including issuing reports and recommendations for public comment, holding informal hearings, and providing interested parties with limited rights of cross-examination of witnesses at those hearings. See Prospects for FTC Privacy Rules (Aug. 2021). Because of these procedures, any new proposed rules likely will take considerable time to develop, although participation now is likely to help shape the dialogue to come. It is perhaps because of this that the ANPRM acknowledges that, if new rules are not forthcoming, the record developed in response to the ANPRM nevertheless will “help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers.”
Comments on the ANPRM will be due 60 days after the date of its publication in the Federal Register, which recently has been taking a month or more. The FTC also today announced that it will be hosting a public forum on these issues on Thursday, September 8, 2022. Registration and other information for this public forum can be found here. We are monitoring the proceedings and advising on strategies for participation or how to best prepare.