Note: The FTC hosted a virtual news conference on the ANPR announcement. View the webcast.
The Federal Trade Commission today announced it is exploring rules to crack down on harmful commercial surveillance and lax data security. Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. Mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses. The FTC’s Advance Notice of Proposed Rulemaking seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.
“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”
The business of commercial surveillance can incentivize companies to collect vast troves of consumer information, only a small fraction of which consumers proactively share. Companies reportedly surveil consumers while they are connected to the internet – every aspect of their online activity, their family and friend networks, browsing and purchase histories, location and physical movements, and a wide range of other personal details.
Companies use algorithms and automated systems to analyze the information they collect. And they make money by selling information through the massive, opaque market for consumer data, using it to place behavioral ads, or leveraging it to sell more products.
The FTC is seeking comment on a wide range of concerns about commercial surveillance practices. For example, some companies fail to adequately secure the vast troves of consumer data they collect, putting that information at risk to hackers and data thieves. There is a growing body of evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms.
While very little is known about the automated systems that analyze data companies collect, research suggests that these algorithms are prone to errors, bias, and inaccuracy. As a result, commercial surveillance practices may discriminate against consumers based on legally protected characteristics like race, gender, religion, and age, harming their ability to obtain housing, credit, employment, or other critical needs.
Other concerns stem from the ways in which companies make commercial surveillance difficult to avoid. Some companies require people to sign up for surveillance as a condition for service. Consumers who do not wish to have their personal information shared with other parties may be denied service– or required to pay a premium to keep their personal information private. After consumers sign up, companies may change their privacy terms going forward to allow for more expansive surveillance. Companies increasingly employ dark patterns or marketing to influence or coerce consumers into sharing personal information.
In the last two decades, the FTC has used its existing authority under the FTC Act to bring hundreds of enforcement actions against companies for privacy and data security violations. These include cases involving the sharing of health-related data with third parties, the collection and sharing of sensitive television viewing data for targeted advertising, and the failure to implement reasonable security measures to protect sensitive personal data such as Social Security numbers.
The FTC’s past work, however, suggests that enforcement of the FTC Act alone may not be enough to protect consumers. The FTC’s ability to deter unlawful conduct is limited because the agency generally lacks authority to seek financial penalties for initial violations of the FTC Act. By contrast, rules that establish clear privacy and data security requirements across the board and provide the Commission the authority to seek financial penalties for first-time violations could incentivize all companies to invest more consistently in compliant practices.
Information about how to submit comments on the FTC’s Advance Notice of Proposed Rulemaking is included in the Federal Register notice. The deadline for submitting comments will be 60 days after the notice is published in the Federal Register in the coming days. Submitted comments will be posted to Regulations.gov.
The public will also have an opportunity to share their input on these topics during a virtual public forum on September 8, 2022.
The Commission voted 3-2 to publish the notice in the Federal Register. Chair Khan, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya issued separate statements. Commissioners Noah Joshua Phillips and Christine S. Wilson voted no and issued dissenting statements.