More regulatory oversight may come in the years ahead if the US Federal Trade Commission cracks down on data collection by companies. Privacy professionals and attorneys, from the International Association of Privacy Professionals (IAPP) and Lowenstein Sandler respectively, are weighing in on this month's announcement from the federal agency.
The FTC said it would explore introducing rules on what it calls “commercial surveillance,” referring to the collection, analysis, and commercial profit gleaned from data gathered from and about the public. The FTC also claimed the massive scale of such surveillance increased risks of data breaches and manipulation.
The agency said it wants public comment regarding alleged harm and damage attributed to data collection about people, citing the tracking of browser histories, online shopping, and physical location through devices, apps, and software. The FTC called out the failure of some companies to sufficiently secure the massive amounts of consumer data they have collected, as well as the potential for discrimination against consumers because of biases or inaccuracies in algorithms.
The public comment period is just an early step in a process that might take several years, says Cobun Zweifel-Keegan, managing director with the International Association of Privacy Professionals. “It’s fairly rare for them to engage in this process, partially because it takes so long,” he says. “It’s not the focus of what they do as an agency. They’re much more focused on enforcement.”
Zweifel-Keegan sees this as a continuation of a broader conversation needed with various regulators who examine data, privacy, and how companies handle this space. The questions posed by the FTC, he says, are not terribly new. “There’s nothing in there that’s coming completely out of left field. It’s definitely in alignment with the direction that other regulators have been going.”
More Accountability Needed
The FTC, Zweifel-Keegan says, is making it clear it wants to move away from a notice- and choice-focused regime for online privacy, to one with more accountability, more bright-line restrictions on data processing, and more protective default settings.
The steps for FTC rulemaking, which include considering alternatives to new rulemaking, could take years, Zweifel-Keegan says, but establishing a final rule is not the only goal of the agency. “It’s also interested in shaping the policy conversation including in Congress,” he says.
The 60-day comment period for this matter begins when the notice is printed in the Federal Register, with an expected mid-October deadline for comments on the initial step, Zweifel-Keegan says. Given the steps and years this can take, the process has been completed only a handful of times since 1980, he says, and a rulemaking from scratch has never taken less than five years. “There’s a lot of moving pieces in a five-year timeframe that could change the course of this,” Zweifel-Keegan says.
As the FTC publishes more material on proposed rulemaking, there may be more clarity, he says, on what the possible rules might be and how they might align with other regulatory changes. States such as California and Colorado already have data privacy rules in the works or active, and Zweifel-Keegan sees the FTC tracking along those policies. “The best thing for organizations to do, in reality, at this stage would be to comment,” he says.
FTC and Learning About Business Realities
That could help the FTC better understand business realities, Zweifel-Keegan says, including risks and benefits of their business models. For example, the FTC is exploring how to establish rules to encourage companies to minimize the amount of data collected to only what is necessary and to shorten how long it is kept. “Figuring out how that balancing will work is going to be an interesting exercise,” Zweifel-Keegan says. “The more information the FTC has to understand how that economic and ethical balancing works in practice would be really beneficial.”
The FTC’s possible rulemaking comes at a time when state and federal legislation on data privacy is already in play. The American Data Privacy and Protection Act is working its way through Congress. In January 2023, the California Privacy Rights Act (CPRA) is set to take effect. Other states including Virginia, Utah, Colorado, and Connecticut also have data privacy legislation due to go into effect next year.
The announcement from the FTC may be a curveball in an already complex landscape but not an unexpected one, says Mary Hildebrand, partner with Lowenstein Sandler and founder and chair of the law firm’s privacy and cybersecurity group. “The new commissioner was signaling almost as soon as she was sworn in that she would be taking a much firmer stance in privacy and cybersecurity.”
The FTC must go through a variety of steps and measures before it can fully establish its regulatory stance on data privacy, she says. “The FTC needs to create a public record that there’s almost a pattern of deception, unfair and deceptive practices, in order for them to proceed and even prepare regulations,” Hildebrand says. “We are a ways away from the FTC actually issuing any regulations.”
The language in the FTC’s announcement did draw special notice, particularly references to cracking down on commercial surveillance. “That, I think, is intended to, and did successfully get, a lot of attention,” she says. The FTC’s description of commercial surveillance, Hildebrand says, may put a wide spectrum of companies in the agency’s sights. “Commercial surveillance, the way that’s defined, I’d be hard-pressed to think of any data collection and processing done online that wouldn’t fit somehow in that broad description,” she says. “We’re talking here about very common, commercial business practices.”
‘Lax Data Security’
The FTC’s reference to “lax data security” includes more than the prevention of, and notices about, data breaches, Hildebrand says. “This encompasses data governance, data minimization, data management, and data retention policies.”
There is a tonal difference, she says, between what the FTC seems to propose and the way states approach data privacy. While the FTC discusses protecting consumers when it comes to data privacy, Hildebrand says examples of state legislation use language that speaks to empowering consumers to have more control over their data. “CPRA and a number of the other state laws have pretty extensive opt-out rights,” she says.
Navigating policies that the FTC might introduce may be a challenge for businesses. Hildebrand compares the situation to building a house while also living in it while the building codes keep changing. “This is not a welcome development because we have so many federal and state authorities involved in not only enforcing whatever laws apply but in developing them.”
For example, if a company takes steps to comply with CPRA, it will still have to reconcile compliance with other states’ data privacy laws as well as whatever rules the FTC comes up with. “It’s going to raise all kinds of interesting issues regarding which laws control, what are the best practices, and how best to comply,” Hildebrand says. “It creates more confusion.”
Should federal legislation on data privacy become law, she says, it might clear up some of this, as it would likely supersede most state laws on the subject. “If Congress passes a new law, then the FTC would be working with that, to provide rules and regulations that explicate it,” Hildebrand says. Federal legislation on data protection will likely designate the agency that will enforce the law, which could fall to the FTC, she says.
“I would be a huge proponent of a national data protection law. I think it’s way past time,” Hildebrand says. “We just want to know what the rules are.”