On August 11, the FTC finally launched its “commercial surveillance and data security” rulemaking after many months of hype and speculation about the FTC’s ability to address consumer privacy through its “Mag-Moss” rulemaking authority. It did so by releasing (by 3/2 vote) an Advanced Notice of Proposed Rulemaking (ANPR) – the first step in a Mag-Moss rulemaking – and holding a press conference featuring Chair Khan, Commissioners Slaughter and Bedoya, and senior FTC staff.
People familiar with the many hurdles in Mag-Moss were watching to see whether the ANPR would be broad and far-reaching (thus guaranteeing a lengthy, complex process) or more narrowly tailored. The answer? The ANPR is remarkably sweeping in scope – covering virtually every form of data collection across the economy, posing 95 questions about factual and legal issues of all kinds, and raising issues that reach beyond the FTC’s legal authority. Indeed, in reading the ANPR, we couldn’t help but wonder whether this is a serious effort to develop a rule or simply a show of activity to address over-hyped expectations. (See more on this topic below.)
Not surprisingly, Commissioners Phillips and Wilson issued strong dissents. Among other things, they raised concerns about agency overreach and the potential to derail the bipartisan privacy bill currently pending in Congress (the ADPPA). Here are more details and takeaways from the FTC’s announcement:
First Step in a Long Process
For those understandably alarmed by the breadth and reach of the ANPR (especially companies struggling to keep pace with the five new state privacy laws), rest assured that there is a long road ahead before any of it becomes an enforceable rule.
First, even as it released its sweeping ANPR, the FTC stated that it is still deciding whether to proceed with a rule at all. The ANPR states: “Through this ANPR, the Commission is beginning to consider the potential need for rules and requirements regarding commercial surveillance and lax data security practices . . . These comments will help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers, even if the Commission does not ultimately promulgate new trade regulation rules.”
Second, if the FTC does proceed with rulemaking, the ANPR is one of many steps in a long process that includes: (1) review of the comments received; (2) a September 8 forum (announced along with the ANPR); (3) a notice of proposed rulemaking (NPR) and request for comments; (4) informal hearings; (5) development of a final rule, with various materials; and (6) judicial review. (See our post on the Mag-Moss process here.) Of particular note, the FTC must be able to show that each practice to be regulated is prevalent, as well as unfair or deceptive. In addition, if the House or Senate shifts in the midterms, there will be lots of Congressional oversight. All in all, based on the FTC’s Mag-Moss track record, any rulemaking here would take many years to complete and could very well outlast Khan’s term as Chair.
Although the ANPR purports to cover two topics (commercial surveillance and data security), it defines these terms to capture nearly all data collection across the economy, as well as the myriad concerns stemming from it. Specifically, the ANPR defines “commercial surveillance” as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information … [including] both information that consumers actively provide…as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app.” The ANPR, in turn, defines “data security” to mean “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.”
The ANPR, along with a three-page fact sheet released alongside it, then highlight some of the data practices and concerns these definitions encompass, including:
- Collection of data in every aspect of our lives – about, e.g., our groceries, homework, car insurance, movements, friends, menstrual cycles, web-browsing, and faces
- Use of this data to personalize content and set prices, curate news feeds, serve ads, and conduct research on people’s behavior
- Collection of data for one purpose and use for another, including through what the FTC calls “surveillance creep” (i.e., reserving the right to change privacy terms and then changing the terms in material and misleading ways)
- The sale of data to advertisers, data brokers, and other third parties, as well as the purchase of data from these entities and the pulling of data from public sources
- The lack of true choice or control consumers have over their data – because information is hidden or confusing, companies operate behind the scenes, “dark patterns” obscure their choices, and companies “retaliate” against consumers that exercise choice
- Harm to kids and teens, including addiction to social media and other mental health and social effects
- Algorithmic harms, including out-of-context inferences, data errors and inaccuracy, and discrimination in housing, employment, healthcare, and advertising
- Cyberattacks, data theft, fraud, identity theft, and threats to our critical infrastructure
- Using data to target the most vulnerable, including via cyberbullying and cyberstalking
- All of the above, as it relates to businesses and workers, not just “consumers” in the traditional sense
To top it off, the 95 questions in the ANPR add another layer of issues, seeking comment about, e.g., purpose limitations, biometrics, cookie blocking, whether to ban practices outright (including certain types of algorithms), whether the FTC should require companies to certify compliance with standards, algorithmic disgorgement, the metrics used to set prices for targeted ads, the role of trade secrets in creating “opacity,” and a range of competition issues. Certainly, many (if not all) of these topics are important and worth discussing – indeed, regulators here and abroad have been discussing them for years. But after all the talk about FTC rulemaking as a way to establish national privacy standards, and all the work already done by Congress, the States, and the EU on these issues, it seems awfully odd that the FTC would start from the beginning, with a sprawling inquiry about a vast array of topics.
Serious Rulemaking Effort?
Which leads us to our next topic: Is the ANPR a serious effort to launch (or consider) a rulemaking or something else? Could it be an attempt to push Congress to move forward on the ADPPA? Could it be a delay strategy, pending the outcome of the ADPPA? Is the FTC simply trying to show – through this preliminary step – that it is delivering on its bold rulemaking promises?
As noted above, the ANPR sends mixed messages – on the one hand, broadly describing the issues for rulemaking and, on the other, stating that the FTC still hasn’t decided whether to proceed. But the oddities of the ANPR don’t stop there. In fact, at times, the FTC seems to be flaunting its lack of focus, such as when it says it isn’t constrained by the scope of the ANPR and invites comment on any privacy regulation here or abroad – to wit: “This ANPR does not identify the full scope of potential approaches the Commission might ultimately undertake by rule or otherwise. It does not delineate a boundary on the issues on which the public may submit comments…The Commission invites comment on all potential rules, including those currently in force in foreign jurisdictions, individual U.S. states, and other legal jurisdictions.”
Similarly, the ANPR asks questions about issues that are clearly beyond the FTC’s authority, such as whether the FTC should implement certain protections for children (many of which would require Congress to amend COPPA) and whether the FTC should bar certain industries from operating a business engaged in personalized advertising. It also asks the public to opine on enormously broad and complex legal issues, such as whether “unfairness” encompasses discrimination, how the First Amendment and Section 230 would bear on the FTC’s yet unwritten rule, and what legal theories could regulate automated systems. Once again, these are all important issues, but the FTC’s lack of focus at this stage suggests that we won’t see an actual rule anytime soon.
Commissioners Phillips and Wilson have never been shy, but their dissents here are among the strongest on record. Phillips decries the breadth and lack of focus in the ANPR, which “provides no notice whatsoever of the scope and parameters of what rule or rules might follow, thereby undermining the public input and congressional notification processes.” He also says that the ANPR “recasts the Commission as a legislature, with virtually limitless rulemaking authority…[and] contemplates banning or regulating conduct the Commission has never once identified as unfair or deceptive.” In addition, he criticizes the ANPR for failing to include “any meaningful discussion about whether there should be different rules based on the sensitivity of data” or even ask how sensitive data should be defined. Phillips concludes that he would have supported an ANPR for data security, or been “more sympathetic” to privacy rules tailored to sensitive data, in contrast to the majority’s “naked power grab.”
Commissioner Wilson, a longtime supporter of federal privacy legislation, expresses greatest concern about effects of the ANPR on the ADPPA – and particularly, that opponents of ADPPA will use the ANPR to derail federal legislative efforts. She also warns about the long-term effects of overreach on the FTC, stating: “Chair Khan’s public statements give me no basis to believe that she will seek to ensure that proposed rule provisions fit within the Congressionally circumscribed jurisdiction of the FTC. Neither has Chair Khan given me reason to believe that she harbors any concerns about harms that will befall the agency (and ultimately consumers) as a consequence of her overreach.”
- Unfairness: The ANPR attempts to lay the groundwork for heavy reliance on the FTC’s unfairness authority, devoting considerable text to establishing the first two required prongs – consumer harm and consumers’ inability to avoid the harm themselves. The ANPR is virtually silent, however, on the third prong – whether the costs of a rule (to both consumers and competition) outweigh the benefits. Indeed, the ANPR discusses the benefits of a potential rule extensively but punts discussion of the costs to the public comments (see Qs 24-29). The FTC’s silence here is telling. Did it consider these costs before moving forward? What would happen to free content? What about personalization and discounts that consumers like? How might competition be affected adversely by an FTC rule?
- Majority Views on ADPPA: Khan, Slaughter and Bedoya all praised the ADPPA in their statements and at the press conference, stating that they hope it will become law and generally agreeing that, if it does, they would not pursue rules that are “inconsistent” with it.
- Data Restrictions vs. Notice and Choice: Consistent with Khan’s many policy statements over the past year, the ANPR emphasizes the need for substantive data restrictions in lieu of notice and choice, and many of the questions in the ANPR explore this issue. (The FTC’s unfairness authority would, of course, be critical here.)
- Civil Penalties: As the ANPR reminds us, a key reason to pursue rulemaking is to enable the FTC to obtain civil penalties for first-time violations – relief that is unavailable when the FTC pursues case-by-case enforcement under the FTC Act. The ANPR also cites other justifications for rulemaking, but civil penalties are first and foremost.
- “Major question?” A lurking issue for the FTC is how the Supreme Court’s recent ruling in Va. v. EPA might affect the FTC’s rulemaking authority. That case stands for the proposition that when an agency asserts “extraordinary” regulatory authority of “broad economic and political significance” (a “major question”) it must be able to point to a clear Congressional authorization, not “vague” or “rarely-used” statutory language. Here, the FTC is arguably relying on clear FTC Act language authorizing rulemaking. Nevertheless, a court might conclude that a broad rule regulating data use across the economy is a “major question” that goes well beyond what Congress contemplated when it enacted the FTC’s rulemaking provisions approximately 50 years ago. If this rulemaking actually proceeds to completion, we will likely see this issue tested in court.