FTC to Embark on New Privacy Rulemaking

Ella Shenhav
Shutts & Bowen LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Privacy and data security professionals have been closely monitoring the ongoing battle regarding a new proposed federal law, the American Data Privacy and Protection Act ( ADPPA), which in July made it out of committee with surprising bipartisan support, and which could change the privacy landscape throughout the country, preempting multiple state laws and setting a uniform standard for privacy and data security compliance.  But while the ADPPA has been re-negotiated and revised over and over again, the Federal Trade Commission (FTC) has been brewing up its own set of privacy and security rules. On August 11, 2022, the FTC issued an Advance Notice of Proposed Rulemaking (ANPRM), which asks for public comment on 95 questions on a variety of privacy and data security topics, touching almost every industry in the nation. Comments are due within 60 days of publication of the ANPRM in the Federal Register, and a virtual forum will be held on September 8, allowing members of the public to speak for two minutes.

Some commentators have speculated that the FTC’s ANPRM is a reaction to the ADPPA losing some steam in Congress – the FTC might be attempting to pressure lawmakers to find a workable solution and pass a federal law before the midterm elections, which will likely cause additional setbacks in legislation.  If the FTC is planning on pushing forward its new rulemaking at the same time as Congress is finalizing – and hopefully passing – the ADPPA, the potential conflicts could be significant, and cause headaches to businesses spanning multiple industries and business models.

The FTC derives its power to regulate privacy and data security issues from Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” This short sentence has given, in over a century since it was enacted, tremendous power to the FTC to regulate unfair, deceptive, or unfair and deceptive privacy practices. Unfair privacy practices are those that are injurious to consumers, unethical or unscrupulous, whereas deceptive practices are those that may mislead customers, such as when a company does not follow its own stated privacy policy. With this jurisdiction vested in it by the FTC Act, the FTC has enforced privacy and data protection violations in a multitude of industries, levied many millions dollars of fines, and required businesses to completely overhaul their privacy and data security practices and procedures through consent decrees and court orders. If the new FTC rules are finalized and implemented, there will be yet another body of privacy law for businesses to become familiar with and abide by.

Rulemaking of this type can be a lengthy procedure, often taking five years or more. It is possible that the FTC is indeed signaling that, should Congress fail to pass an umbrella federal statute governing privacy and data security, it will fill that federal void on its own.  Either way, the message is clear: legislative changes are forthcoming in the near future, and it is the responsibility of every potentially-affected business to stay up to date on the newest requirements.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shutts & Bowen LLP | Attorney Advertising

Written by:

Shutts & Bowen LLP
Shutts & Bowen LLP
Contact
more
less

Shutts & Bowen LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide