On August 11, 2022, the Federal Trade Commission (“FTC”) announced its Advance Notice of Proposed Rulemaking (“ANPR”) seeking public comment on 95 questions focused on purported harms stemming from “commercial surveillance and lax data security practices.” The ANPR also invites views as to whether new trade regulation rules under Section 18 of the FTC Act, or other regulatory alternatives, are needed to protect consumers’ privacy and information. The FTC indicates that the ANPR is intended to invite comment “on all potential rules, including those currently in force in foreign jurisdictions, individual U.S. states, and other legal jurisdictions.” The FTC could ultimately decide not to pursue a rule at all, pursue a single rulemaking proceeding, or pursue multiple rulemakings that address certain ANPR topics. The ANPR was published in the Federal Register on August 22, 2022 and has a comment period that ends in 60 days on October 21, 2022.

In this Data Blog series, we will explore the FTC’s ANPR as it relates to four areas: Part 1 will provide background on the current ANPR and the context to the FTC’s approach to rulemaking under Section 18 of the FTC Act; Part 2 will focus on privacy; Part 3 on data security; and Part 4 on artificial intelligence, algorithms, and discrimination.

Jurisdictional Issues and Perceived Consumer Harms

The ANPR strongly signals that the FTC will continue to interpret its jurisdiction broadly to address potential consumer harms and that the rulemaking could extend to all entities over which the FTC has jurisdiction. Even though the FTC asserts broad jurisdiction over almost all sectors of the economy, the agency is subject to certain statutory limits to its jurisdiction. Broadly speaking, the FTC, through the FTC Act, has jurisdiction over any commercial enterprise affecting commerce, subject to certain exemptions, including banks, savings and loan institutions, federal credit unions, certain non-profits, and certain common carriers. The “business of insurance” is also exempt from FTC jurisdiction.

According to the FTC, potential consumer harms include those concerning physical security, economic injury, psychological harm, reputational harm, and unwanted intrusion. The ANPR highlights privacy and security areas where the FTC believes trade regulation rules are required to curb “unfair or deceptive acts or practices” within the meaning of Section 5 of the FTC Act. The FTC also published a Factsheet on Commercial Surveillance and Data Security, which briefly outlines its concerns stemming from commercial surveillance, including lax data security, harm to kids, retaliation, surveillance creep, inaccuracy in algorithms and datasets, bias and discrimination, and dark patterns.

The ANPR, which the FTC previewed in late 2021, echoes and expands on many of the themes the FTC has identified in its privacy and security enforcement actions. The ANPR stresses that lax data security measures and harmful commercial surveillance practices impact different types of consumers (e.g., young people, workers, women, victims of domestic violence, racial minorities, etc.) in different sectors (e.g., health, finance, employment) or in different “stacks” of the internet economy. The ANPR asks (a) how potential new trade regulation rules should address harms to different consumers across different sectors, (b) the extent to which a comprehensive regulatory approach would be better than a sectoral one for any given harm, and (c) whether any commercial surveillance practices should be clearly limited or prohibited.

Overview of the ANPR

The Commission voted 3-2 to publish the ANPR in the Federal Register. Chair Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro Bedoya voted in support of the ANPR and issued separate statements. Commissioners Noah Joshua Phillips and Christine S. Wilson voted no and issued strong dissenting statements. Commissioner Alvaro M. Bedoya publicly committed in his Statement regarding the ANPR that he will not vote for any rule that overlaps with the bipartisan American Data Privacy and Protection Act (“ADPPA”) should Congress pass that law. Chair Khan and Commissioner Slaughter also voiced support for the ADPPA.

In the ANPR, the FTC poses 95 questions and invites public comment on (a) the nature and prevalence of what the FTC calls “harmful commercial surveillance and lax data security practices,” (b) the balance of costs and countervailing benefits of such practices for consumers and competition, as well as the costs and benefits of any given potential trade regulation rule, and (c) proposals for protecting consumers from “harmful and prevalent commercial surveillance and lax data security practices.” The ANPR defines key terms, including the following:

  • “data security,” which refers to “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices”;
  • “commercial surveillance,” which refers to “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.” The FTC explains that these data include information that consumers actively provide (e.g., when they affirmatively register for a service or make a purchase), as well as the far broader category of personal identifiers and other information that companies collect (e.g., when a consumer casually browses the web or opens an app); and
  • “consumer,” which includes businesses and workers, not just individuals who buy or exchange data for retail goods and services.

As the FTC asserts, “[t]his ANPR has alluded to only a fraction of the potential consumer harms,” but the chosen topics and subheadings provide insight into the FTC’s focus. The topics and subheadings from the ANPR’s 95 questions are:

  • To What Extent Do Commercial Surveillance Practices or Lax Security Measures Harm Consumers?
  • To What Extent Do Commercial Surveillance Practices or Lax Data Security Measures Harm Children, including Teenagers?
  • How Should the Commission Balance Costs and Benefits?
  • How, If at All, Should the Commission Regulate Harmful Commercial Surveillance or Data Security Practices that Are Prevalent?
    • Rulemaking Generally
    • Data Security
    • Collection, Use, Retention, and Transfer of Consumer Data
    • Automated Decision-Making Systems
    • Discrimination Based on Protected Categories
    • Consumer Consent
    • Notice, Transparency, and Disclosure
      • What Are the Mechanisms for Opacity?
      • Who Should Administer Notice or Disclosure Requirements?
      • What Should Companies Provide Notice of or Disclose?
    • Remedies
    • Obsolescence

The FTC’s Approach to Rulemaking under Section 18 of the FTC Act

As we have previously discussed, the FTC under Chair Khan has been moving toward expanded privacy and security enforcement, as well as potential regulation. The FTC included the potential Trade Regulation Rule on Commercial Surveillance as an item in its regulatory agenda for 2022 and addressed it in its Statement of Regulatory Priorities published in December 2021. Notably, in her remarks at the 2022 IAPP Global Privacy Summit, Chair Khan recently foreshadowed the broad nature of these potential “market-wide rules” that “could help provide clear notice and render enforcement more impactful and efficient.”

The FTC has clearly sought an effective enforcement mechanism for privacy and security violations since its April 2021 loss in AMG Capital Management, LLC v. FTC, in which the Supreme Court held that courts could no longer award monetary redress in FTC cases brought under Section 13(b) of the FTC Act. Importantly, AMG Capital did not impact the FTC’s ability to obtain civil penalties in the course of enforcing a rule. The FTC has therefore worked to “streamline” its rulemaking powers to address certain privacy and security practices, particularly with respect to “trade regulation rules.” Under Section 18 of the FTC Act, the FTC may prescribe “trade regulation rules,” meaning “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce” within the meaning of Section 5(a)(1) of the Act. After the Commission has promulgated a trade regulation rule, anyone who violates the rule “with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive and is prohibited by such rule” is liable for civil penalties for each violation.

While Congress has provided rulemaking authority under various laws (e.g., COPPA, GLBA) to the FTC, the FTC’s rulemaking powers for enforcing Section 5 of the FTC Act are grounded in the Magnuson-Moss Act (“Mag-Moss”). As we have previously explained, the FTC has historically avoided Section 18 or “Mag-Moss” rulemaking because of its complex, arduous procedural process. Since 1975, the FTC has completed only seven rulemaking efforts under the Mag-Moss process, with an average completion time of nearly six years. However, as we also emphasized, in July 2021 the FTC voted to update the traditional procedures to “modernize” and expedite future rulemaking efforts.

Even with the FTC’s recent changes to its rule practices, Mag-Moss rulemaking is a long and challenging endeavor. With the publication of the ANPR, the FTC must now engage in the public comment process. The Commission is hosting a public forum on commercial surveillance and data security to be held virtually on Thursday, September 8, 2022, from 2:00 p.m. until 7:30 p.m. Members of the public are invited to attend. The FTC also published a Factsheet on Public Participation in the Section 18 Rulemaking Process.

If the FTC advances from the ANPR stage, the Commission will publish a Notice of Proposed Rulemaking, for which it must again seek public comment. The comment period would be at least 60 days following publication in the Federal Register. The FTC would then need to publish a Final Rule and entertain petitions for exemption from the rule. And even after that, any person may seek judicial review of the FTC’s Final Rule in the D.C. Court of Appeals. The judicial review stage for rulemaking generally has become even more consequential in the wake of the U.S. Supreme Court’s June 2022 decision in West Virginia v. EPA, which we discussed here.

Conclusion

To enhance readiness and compliance programs in advance of any new regulations, it is important for businesses to understand the Section 18 rulemaking process and how the FTC has addressed commercial surveillance and data security practices in the ANPR, as well as its guidance and enforcement actions. As noted above, Part 2 of this Data Blog series will focus on privacy, Part 3 on data security, and Part 4 on artificial intelligence, algorithms, and discrimination.

The authors would like to thank Debevoise Law Clerks Lily Coad and Melissa Muse for their work on this Debevoise Data Blog.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Paul D. Rubin is a corporate partner based in the Washington, D.C. office and is the Co-Chair of the firm’s Healthcare & Life Sciences Group and the Chair of the FDA Regulatory practice. His practice focuses on FDA/FTC regulatory matters. He can be reached at pdrubin@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.

Author

Melissa Runsten is a corporate associate and a member of the Healthcare & Life Sciences Group. Her practice focuses on FDA/FTC regulatory matters and includes the representation of drug, device, food, cosmetic and other consumer product companies. She can be reached at mrunsten@debevoise.com.

Author

Anna R. Gressel is a senior associate and a member of the firm’s Data Strategy and Security Group and its FinTech and Technology practices. Her practice focuses on representing clients in regulatory investigations, supervisory examinations, and civil litigation related to artificial intelligence (“AI”) and other emerging technologies. Ms. Gressel has a deep knowledge of regulations, supervisory expectations, and industry best practices with respect to AI governance and compliance. She regularly advises boards and senior legal executives on governance, risk, and liability issues relating to AI, privacy, and data governance. She can be reached at argressel@debevoise.com.