95 Problems but Privacy Won’t Be One?
The ANPRM lists ninety-five (95) data privacy and security-related issues about which the FTC seeks public comment—everything from the way that companies process consumer data to how they transfer, share, sell, or monetize that data in unfair and deceptive ways, and everything in between. If this 95-question list does not adequately convey the breadth of this proposed rulemaking, then consider how the FTC proposes to define “commercial surveillance.” “Commercial surveillance” is “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.” The FTC further explains that this term includes information that consumers “actively provide” when they register for a service and “personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app.” The FTC acknowledges that the “latter category is far broader than the first.”
Ultimately, the FTC’s objective is to understand, among other issues:
The incentives that drive companies to track and surveil consumers’ online activities;
The type of consumer information that companies collect (e.g., browsing and purchase histories, location and physical movements, personal details) most of which consumers did not proactively share;
Companies’ use of algorithms and automated systems to build consumer profiles and make inferences about consumers to predict consumer behavior and preferences;
Biased and inaccurate algorithmic outputs that often derive from the underlying data, model selection, and/or design flaw;
The use of dark patterns or marketing to influence consumer choices—choices that consumers otherwise would not make, including sharing personal information; and
Companies that require consumers to sign up for surveillance as a condition for service.
The FTC Has Tried Everything, but It Wasn’t Enough
For more than two decades, the Commission has utilized all the tools in its regulatory toolbox to address data privacy and security. It has initiated “scores” of privacy and data security-related enforcement actions, required companies to submit written reports about their commercial practices under Section 6(b) of the Federal Trade Commission Act (“FTC Act”), and engaged in “general policy work.” Despite these efforts, “harmful commercial surveillance and lax data security practices” persist. It is for this reason that the FTC initiated this proposed rulemaking. The ANPRM reasons that “[n]ew trade regulation rules could . . . set clear legal requirements or benchmarks by which to evaluate covered companies[,]” and it may “incentivize all companies to invest in compliance more consistently.”
Accordingly, in a 3-2 vote of the FTC’s five (5) Commissioners, the FTC invoked its authority under the Magnuson-Moss Warranty Act (“Magnuson-Moss Act”), 15 U.S.C. § 57a, and Section 5 of the FTC Act to launch this proposed rulemaking. Section 5 is the statutory hook upon which the FTC proposes to regulate “unfair or deceptive trade practices” in the form of “commercial surveillance and lax data security practices.”
Potential Speed Bumps Along the FTC’s Privacy Road
It is unclear whether the FTC will succeed in its effort to promulgate a final rule that sweeps as broadly as proposed in the ANPRM. First, the two dissents issued by Commissioners Phillips and Wilson likely are harbingers of future challenges to a finalized rule, and they offer a tangible (potentially viable) road map for those challenges. For example, Commissioner Phillips opines that the ANPRM may violate the FTC Act’s rulemaking provisions because “[t]he areas of inquiry are vast and amorphous, and the objectives and regulatory alternatives are just not there” and contrasts this ANPRM with “recent ANPRs issued by the Commission, which addressed far more limited topics. . . .” He further notes that the ANPRM “does not identify the full scope of approaches it could undertake, does not delineate a boundary on issues on which the public can comment, and in no way constrains actions that it might take in an NPRM or final rule[,]” making it difficult for stakeholders “to engage meaningfully and provide comment.”
Second, the Supreme Court’s recent decision in West Virginia v. EPA, 20-1530 (June 30, 2022), holds that when an agency asserts “extraordinary” regulatory authority of “broad economic and political significance[,]” i.e., a major question, the agency must point to an express delegation of congressional authority demonstrating that Congress clearly intended the agency to act. It is not clear whether the FTC’s proposed privacy rule passes muster. To be sure, the FTC may point to its Section 5 authority in response to such a claim. However, it is not clear whether Congress contemplated a broad rule that regulates data use across industries when it enacted Section 5 of the FTC Act nearly five decades ago.
Finally, for the first time in many years, Congress seems poised to enact a bipartisan federal privacy law in the American Data Privacy and Protection Act (ADPPA), which is currently in the House Committee on Energy and Commerce. If Congress passes ADPPA before the FTC completes its lengthy administrative rulemaking process, ADPPA may supersede a final rule. This is a distinct possibility given the length of the FTC’s rulemaking process. As noted above, the ANPRM is the first step in a long process that requires: (1) a 60-day public comment period; (2) the issuance of a notice of proposed rulemaking, which also is subject to a public comment period; (3) informal hearings; and (4) the drafting of a final rule.