While bipartisan legislation to establish a federal privacy law in the United States – the American Data Privacy and Protection Act – moves through Congress, the Federal Trade Commission (FTC) has now taken steps to address existing and emerging issues related to commercial data and to consider the possibility of updating requirements.
On August 11, 2022, the FTC announced (link to: https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking) that it seeks public comment regarding its Advance Notice of Proposed Rulemaking (“ANPR”), which asks a series of questions related to commercial surveillance and data security. An ANPR signals to the public that the FTC is considering an area for rulemaking and requests written comments on its appropriate scope or on specific topics. It provides an opportunity for concerned stakeholders to weigh in on which questions deserve the FTC’s consideration and which direction they believe the FTC should take.
For purposes of this ANPR, the FTC defines “commercial surveillance” as the business of collecting, analyzing and profiting from consumer data.
The FTC seeks comment on whether the Commission should implement new rules governing the ways in which companies (1) collect, aggregate, protect, use, analyze and retain consumer data, as well as (2) transfer, share, sell or otherwise monetize consumer data in ways that are unfair or deceptive.
On Thursday, September 8, 2022, the FTC will host a virtual public forum to discuss the ANPR. On the agenda are topics such as:
• To what extent do commercial surveillance practices or weak security measures harm consumers, including children and teenagers?
• How should the FTC balance the costs and benefits of existing or emerging commercial surveillance and data security practices? What would be the costs and benefits of establishing and enforcing rules to address them?
• Should the FTC regulate harmful commercial surveillance or data security practices? If it acts to do so, what would those regulations entail?
The discussion at the September 8 meeting will also cover more specific topics such as:
• Are new rules are needed to address the collection, use, retention, and transfer of consumer data – for example, should data be used only to the extent necessary to deliver a good or service a consumer has requested?
• What is the role of consent in commercial surveillance? Are consumers able to provide such consent?
• What notice and transparency should be required regarding commercial surveillance practices?
• Is it time to establish requirements for businesses with respect to the implementation of security measures - whether administrative, technical, or physical – to protect consumer data?
• What issues are raised by automated decision-making systems, e.g., their reliability, their impact on pricing, their propensity for errors?
• Are new rules needed to specify relief or damages not set out in the FTC Act?
The FTC’s announcement highlights that everyday technologies enable “near constant surveillance of people’s private lives,” and that such surveillance exposes individuals to identity thieves and hackers, as well as heightens the risks and stakes of errors, deception, manipulation, and other abuses.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.