Data privacy and security are again taking center stage in Washington, DC. On the heels of Congress’s introduction of the American Data Privacy and Protection Act (ADPPA), the Federal Trade Commission (FTC) announced on August 11, 2022, that it was seeking public comments on 95 questions in an Advance Notice of Proposed Rulemaking for a Trade Regulation Rule on Commercial Surveillance and Data Security (ANPR). While members of the FTC have supported the ADPPA, they continue to express an interest in rulemaking that ultimately complements any legislation that may pass.
For the FTC, any final rule would be promulgated under its power to regulate unfair and deceptive trade practices. Public comments provided in response to this ANPR will help direct the FTC as to which topics, if any, warrant inclusion in a final rule. While this ANPR does not bind the FTC to include certain topics in a final rule or even bind the FTC to finalize any rule at all, it seems likely that the FTC will try to finalize some privacy regulations before the end of the Biden administration. In fact, one of the primary drivers for regulating privacy appears to be the FTC’s desire to be able to penalize first-time offenders without first providing a warning as would be required following a Section 5 investigation.
HIGHLIGHTING FTC PRIORITIES
The ANPR provides valuable insight into what members of the FTC ultimately hope to include in a final rule and indicates that the FTC may be interested in addressing a wide array of activities, practices and potential enforcement authority. Specifically, input has been requested related to “data security” and “commercial surveillance.” “Data security” includes breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices. “Commercial surveillance” includes the collection, aggregation, analysis, retention, transfer or monetization of consumer data and direct derivatives of that information, including information actively provided by and passively collected from consumers.
The FTC’s 95 questions invite discussion on a range of topics—from the effectiveness of current privacy and data security requirements and balancing the costs and benefits of regulation, to the harm to children and teenagers that potential commenters believe results from current business practices. Several strategies appear to be under consideration to address these practices. This ANPR requests input on data minimization; stronger consumer consent; and principles of notice, transparency and disclosure. Perhaps one of the more interesting aspects of the ANPR is the FTC’s floating of a trial balloon to enlist non-FTC, private entity assistance to administer and enforce any new regulations. Where standards for data practices, commercial surveillance and automated decision-making are considered, the FTC also requests input on whether the FTC or a third-party entity would be better suited for certifying compliance.
Through the series of questions and an introduction setting the stage for this rulemaking, one key theme emerges: Despite questions regarding its authority to regulate in the manner it proposes and resource constraints potentially hindering the FTC’s enforcement activities, the FTC wants to establish clear requirements or benchmarks to incentivize companies to invest in compliance and privacy-protective measures. Here are the things we are keeping a close eye on as this rulemaking continues:
- The FTC’s definitions of “data security” and “surveillance” are very broad, encompassing practices that are outside of the traditional understanding of those phrases. This could mean that the FTC’s rules could dictate appropriate practices for a company’s entire privacy program.
- These questions provide the opportunity for companies and other stakeholders to comment on how they use information and how an FTC rule could impact their operations.
- The FTC is considering the impact of existing laws, like the Children’s Online Privacy and Protection Act and the Gramm-Leach-Bliley Act, and the forthcoming regime of state privacy laws taking effect in 2023. These are smart and important questions, as the FTC’s rules should not be adopted in a vacuum lest they serve little more than to complicate an already challenging and growing mosaic of privacy laws applicable to companies in the United States.
The ANPR will soon be published in the Federal Register; stakeholders will then have 60 days to submit their comments. The FTC is also hosting a virtual public forum for the issues raised in its ANPR on September 8, 2022. The plans for and, ultimately, contents of a potential final rule remain a mystery for now, but this ANPR invites all stakeholders to weigh in and provide valuable insights for the FTC in shaping this rule.
If you have questions about this ANPR or need any assistance with privacy program compliance, please reach out to your McDermott lawyer or contact Amy Pimentel.