Federal Trade Commission Targets Customer Data Privacy

August 19, 2022 | by Andrew Regitsky

Federal Trade Commission Targets Customer Data Privacy

Normally we concentrate on the FCC and the actions it takes that affect our industry. Today, however, we turn to the increasingly aggressive Federal Trade Commission (FTC), which is now encroaching on ISPs more each day. Its latest efforts include an “Advanced Notice of Proposed Rulemaking” (Notice) released August 11, 2022, in which it intends to crack down on potentially harmful commercial surveillance and lax data security by large tech companies including ISPs. The agency also intends to develop general rules for utilization of customer data rather than the case-by-case enforcement used today

The FTC defines commercial surveillance as the business of collecting, analyzing, and profiting from information about people. It claims that this practice has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses. Therefore, the Notice seeks public comment on the harms stemming from commercial surveillance and what new rules are needed to protect people’s privacy and information.

Section 18 of the FTC Act authorizes the Commission to promulgate, modify, and repeal trade regulation rules that define with specificity acts or practices that are unfair or deceptive in or affecting commerce within the meaning of Section 5(a)(1) of the FTC Act. Through this [Notice], the Commission aims to generate a public record about prevalent commercial surveillance practices or lax data security practices that are unfair or deceptive, as well as about efficient, effective, and adaptive regulatory responses. These comments will help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers, even if the Commission does not ultimately promulgate new trade regulation rules. (Notice, at p. 12).

Industry comments are due 60 days after the Notice appears in the Federal Register. The Commission encourages but does not require commenters to (1) submit a short Executive Summary of no more than three single-spaced pages at the beginning of all comments, (2) provide supporting material, including empirical data, findings, and analysis in published reports or studies by established news organizations and research institutions, (3) consistent with the questions below, describe the relative benefits and costs of their recommended approach, (4) refer to the numbered question(s) to which the comment is addressed, and (5) tie their recommendations to specific commercial surveillance and lax data security practices. The proceeding is docketed under Commercial Surveillance ANPR R111004”. Here are some of the questions the FTC seeks the industry to respond to:

To What Extent Do Commercial Surveillance Practices or Lax Security Measures Harm Consumers?

Which practices do companies use to surveil consumers?

Which measures do companies use to protect consumer data?

Which of these measures or practices are prevalent? Are some practices more prevalent in some sectors than in others?

How, if at all, do these commercial surveillance practices harm consumers or increase the risk of harm to consumers?

Are there some harms that consumers may not easily discern or identify? Which are they?

Are there some harms that consumers may not easily quantify or measure? Which are they?

How should the Commission identify and evaluate these commercial surveillance harms or potential harms? On which evidence or measures should the Commission rely to substantiate its claims of harm or risk of harm?

Which areas or kinds of harm, if any, has the Commission failed to address through its enforcement actions?

To What Extent Do Commercial Surveillance Practices or Lax Data Security Measures Harm Children, including Teenagers?

Are there practices or measures to which children or teenagers are particularly vulnerable or susceptible? For instance, are children and teenagers more likely than adults to be manipulated by practices designed to encourage the sharing of personal information?

How Should the Commission Balance Costs and Benefits?

How should the Commission engage in this balancing in the context of commercial surveillance and data security? Which variables or outcomes should it consider in such an accounting? Which variables or outcomes are salient but hard to quantify as a material cost or benefit? How should the Commission ensure adequate weight is given to costs and benefits that are hard to quantify?

How, if at All, Should the Commission Regulate Harmful Commercial Surveillance or Data Security Practices that Are Prevalent?

Should the Commission pursue a Section 18 rulemaking on commercial surveillance and data security? To what extent are existing legal authorities and extralegal measures, including self-regulation, sufficient? To what extent, if at all, are self-regulatory principles effective?

Consumer Consent

The Commission invites comments on the effectiveness and administrability of consumer consent to companies’ commercial surveillance and data security practices. Given the reported scale, opacity, and pervasiveness of existing commercial surveillance today, to what extent is consumer consent an effective way of evaluating whether a practice is unfair or deceptive? How should the Commission evaluate its effectiveness?

Notice, Transparency, and Disclosure

To what extent should the Commission consider rules that require companies to make information available about their commercial surveillance practices? What kinds of information should new trade regulation rules require companies to make available and in what form?