Proposed Rule 2022-17752

Trade Regulation Rule on Commercial Surveillance and Data Security

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
August 22, 2022

Issuing agencies

Federal Trade Commission

Abstract

The Federal Trade Commission ("FTC") is publishing this advance notice of proposed rulemaking ("ANPR") to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. Specifically, the Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

Full Text

<html>
<head>
<title>Federal Register, Volume 87 Issue 161 (Monday, August 22, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 161 (Monday, August 22, 2022)]
[Proposed Rules]
[Pages 51273-51299]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-17752]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Chapter I


Trade Regulation Rule on Commercial Surveillance and Data 
Security

AGENCY: Federal Trade Commission.

ACTION: Advance notice of proposed rulemaking; request for public 
comment; public forum.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'') is publishing this 
advance notice of proposed rulemaking (``ANPR'') to request public 
comment on the prevalence of commercial surveillance and data security 
practices that harm consumers. Specifically, the Commission invites 
comment on whether it should implement new trade regulation rules or 
other regulatory alternatives concerning the ways in which companies 
collect, aggregate, protect, use, analyze, and retain consumer data, as 
well as transfer, share, sell, or otherwise monetize that data in ways 
that are unfair or deceptive.

DATES: 
    Comments due date: Comments must be received on or before October 
21, 2022.
    Meeting date: The Public Forum will be held virtually on Thursday, 
September 8, 2022, from 2 p.m. until 7:30 p.m. Members of the public 
are invited to attend at the website <a href="https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum">https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum</a>.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the instructions in the Comment Submissions part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Commercial 
Surveillance ANPR, R111004'' on your comment, and file your comment 
online at <a href="https://www.regulations.gov">https://www.regulations.gov</a>. If you prefer to file your 
comment on paper, mail your comment to the following address: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, 
Suite CC-5610 (Annex B), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: James Trilling, 202-326-3497; Peder 
Magee, 202-326-3538; Olivier Sylvain, 202-326-3046; or 
commercialsurveillancerm@ftc.gov.

I. Overview

    Whether they know it or not, most Americans today surrender their 
personal information to engage in the most basic aspects of modern 
life. When they buy groceries, do homework, or apply for car insurance, 
for example, consumers today likely give a wide range of personal 
information about themselves to companies, including their 
movements,\1\ prayers,\2\ friends,\3\ menstrual cycles,\4\ web-
browsing,\5\ and faces,\6\ among other basic aspects of their lives.
---------------------------------------------------------------------------

    \1\ See, e.g., Press Release, Fed. Trade Comm'n, Mobile 
Advertising Network InMobi Settles FTC Charges It Tracked Hundreds 
of Millions of Consumers' Locations Without Permission (June 22, 
2016), <a href="https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked">https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked</a>. 
See also Stuart A. Thompson & Charlie Warzel, Twelve Million Phones, 
One Dataset, Zero Privacy, N.Y. Times (Dec. 19, 2019), <a href="https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html">https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html</a>; Jon Keegan & Alfred Ng, There's a Multibillion-
Dollar Market for Your Phone's Location Data, The Markup (Sept. 30, 
2021), <a href="https://themarkup.org/privacy/2021/09/30/theres-a-multibillion-dollar-market-for-your-phones-location-data">https://themarkup.org/privacy/2021/09/30/theres-a-multibillion-dollar-market-for-your-phones-location-data</a>; Ryan 
Nakashima, AP Exclusive: Google Tracks Your Movements, Like It or 
Not, Associated Press (Aug. 13, 2018), <a href="https://apnews.com/article/north-america-science-technology-business-ap-top-news-828aefab64d4411bac257a07c1af0ecb">https://apnews.com/article/north-america-science-technology-business-ap-top-news-828aefab64d4411bac257a07c1af0ecb</a>.
    \2\ See, e.g., Joseph Cox, How the U.S. Military Buys Location 
Data from Ordinary Apps, Motherboard (Nov. 16, 2020), <a href="https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x">https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x</a>.
    \3\ See, e.g., Press Release, Fed. Trade Comm'n, Path Social 
Networking App Settles FTC Charges It Deceived Consumers and 
Improperly Collected Personal Information from Users' Mobile Address 
Books (Feb. 1, 2013), <a href="https://www.ftc.gov/news-events/press-releases/2013/02/path-social-networking-app-settles-ftc-charges-it-deceived">https://www.ftc.gov/news-events/press-releases/2013/02/path-social-networking-app-settles-ftc-charges-it-deceived</a>.
    \4\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Finalizes 
Order with Flo Health, a Fertility-Tracking App that Shared 
Sensitive Health Data with Facebook, Google, and Others (June 22, 
2021), <a href="https://www.ftc.gov/news-events/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared">https://www.ftc.gov/news-events/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared</a>.
    \5\ See, e.g., Fed. Trade Comm'n, A Look at What ISPs Know About 
You: Examining the Privacy Practices of Six Major Internet Service 
Providers: An FTC Staff Report (Oct. 21, 2021), <a href="https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf">https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf</a>.
    \6\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Finalizes 
Settlement with Photo App Developer Related to Misuse of Facial 
Recognition Technology (May 7, 2021), <a href="https://www.ftc.gov/news-events/press-releases/2021/05/ftc-finalizes-settlement-photo-app-developer-related-misuse">https://www.ftc.gov/news-events/press-releases/2021/05/ftc-finalizes-settlement-photo-app-developer-related-misuse</a>. See also Tom Simonite, Face Recognition Is 
Being Banned--but It's Still Everywhere, Wired (Dec. 22, 2021), 
<a href="https://www.wired.com/story/face-recognition-banned-but-everywhere/">https://www.wired.com/story/face-recognition-banned-but-everywhere/</a>.
---------------------------------------------------------------------------

    Companies, meanwhile, develop and market products and services to 
collect and monetize this data. An elaborate and lucrative market for 
the collection, 
retention, aggregation, analysis, and onward disclosure of consumer 
data incentivizes many of the services and products on which people 
have come to rely. Businesses reportedly use this information to target 
services--namely, to set prices,\7\ curate newsfeeds,\8\ serve 
advertisements,\9\ and conduct research on people's behavior,\10\ among 
other things. While, in theory, these personalization practices have 
the potential to benefit consumers, reports note that they have 
facilitated consumer harms that can be difficult if not impossible for 
any one person to avoid.\11\
---------------------------------------------------------------------------

    \7\ See, e.g., Casey Bond, Target Is Tracking You and Changing 
Prices Based on Your Location, Huffington Post (Feb. 24, 2022), 
<a href="https://www.huffpost.com/entry/target-tracking-location-changing-prices_l_603fd12bc5b6ff75ac410a38">https://www.huffpost.com/entry/target-tracking-location-changing-prices_l_603fd12bc5b6ff75ac410a38</a>; Maddy Varner & Aaron Sankin, 
Suckers List: How Allstate's Secret Auto Insurance Algorithm 
Squeezes Big Spenders, The Markup (Feb. 25, 2020), <a href="https://themarkup.org/allstates-algorithm/2020/02/25/car-insurance-suckers-list">https://themarkup.org/allstates-algorithm/2020/02/25/car-insurance-suckers-list</a>. See generally Executive Office of the President of the United 
States, Big Data and Differential Pricing, at 2, 12-13 (Feb. 2015), 
<a href="https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/docs/Big_Data_Report_Nonembargo_v2.pdf">https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/docs/Big_Data_Report_Nonembargo_v2.pdf</a>.
    \8\ See, e.g., Will Oremus et al., Facebook under fire: How 
Facebook shapes your feed: The evolution of what posts get top 
billing on users' news feeds, and what gets obscured, Wash. Post 
(Oct. 26, 2021), <a href="https://www.washingtonpost.com/technology/interactive/2021/how-facebook-algorithm-works/">https://www.washingtonpost.com/technology/interactive/2021/how-facebook-algorithm-works/</a>.
    \9\ See, e.g., Nat Ives, Facebook Ad Campaign Promotes 
Personalized Advertising, Wall St. J. (Feb. 25, 2021), <a href="https://www.wsj.com/articles/facebook-ad-campaign-promotes-personalized-advertising-11614261617">https://www.wsj.com/articles/facebook-ad-campaign-promotes-personalized-advertising-11614261617</a>.
    \10\ See, e.g., Elise Hu, Facebook Manipulates Our Moods for 
Science and Commerce: A Roundup, NPR (June 30, 2014), <a href="https://www.npr.org/sections/alltechconsidered/2014/06/30/326929138/facebook-manipulates-our-moods-for-science-and-commerce-a-roundup">https://www.npr.org/sections/alltechconsidered/2014/06/30/326929138/facebook-manipulates-our-moods-for-science-and-commerce-a-roundup</a>.
    \11\ See, e.g., Matthew Hindman et al., Facebook Has a 
Superuser-Supremacy Problem, The Atlantic (Feb. 10, 2022), <a href="https://www.theatlantic.com/technology/archive/2022/02/facebook-hate-speech-misinformation-superusers/621617/">https://www.theatlantic.com/technology/archive/2022/02/facebook-hate-speech-misinformation-superusers/621617/</a>; Consumer Protection Data 
Spotlight, Fed. Trade Comm'n, Social Media a Gold Mine for Scammers 
in 2021 (Jan. 25, 2022), <a href="https://www.ftc.gov/news-events/blogs/data-spotlight/2022/01/social-media-gold-mine-scammers-2021">https://www.ftc.gov/news-events/blogs/data-spotlight/2022/01/social-media-gold-mine-scammers-2021</a>; Jonathan 
Stempel, Facebook Sued for Age, Gender Bias in Financial Services 
Ads, Reuters (Oct. 31, 2019), <a href="https://www.reuters.com/article/us-facebook-lawsuit-bias/facebook-sued-for-age-gender-bias-in-financial-services-ads-idUSKBN1XA2G8">https://www.reuters.com/article/us-facebook-lawsuit-bias/facebook-sued-for-age-gender-bias-in-financial-services-ads-idUSKBN1XA2G8</a>; Karen Hao, Facebook's Ad 
Algorithms Are Still Excluding Women from Seeing Jobs, MIT Tech. 
Rev. (Apr. 9, 2021), <a href="https://www.technologyreview.com/2021/04/09/1022217/facebook-ad-algorithm-sex-discrimination">https://www.technologyreview.com/2021/04/09/1022217/facebook-ad-algorithm-sex-discrimination</a>; Corin Faife & 
Alfred Ng, Credit Card Ads Were Targeted by Age, Violating 
Facebook's Anti-Discrimination Policy, The Markup (Apr. 29, 2021), 
<a href="https://themarkup.org/citizen-browser/2021/04/29/credit-card-ads-were-targeted-by-age-violating-facebooks-anti-discrimination-policy">https://themarkup.org/citizen-browser/2021/04/29/credit-card-ads-were-targeted-by-age-violating-facebooks-anti-discrimination-policy</a>. 
Targeted behavioral advertising is not the only way in which 
internet companies automate advertising at scale. Researchers have 
found that contextual advertising may be as cost-effective as 
targeting, if not more so. See, e.g., Keach Hagey, Behavioral Ad 
Targeting Not Paying Off for Publishers, Study Suggests, Wall St. J. 
(May 29, 2019), <a href="https://www.wsj.com/articles/behavioral-ad-targeting-not-paying-off-for-publishers-study-suggests-11559167195">https://www.wsj.com/articles/behavioral-ad-targeting-not-paying-off-for-publishers-study-suggests-11559167195</a> 
(discussing Veronica Marotta et al., Online Tracking and Publishers' 
Revenues: An Empirical Analysis (2019), <a href="https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_38.pdf">https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_38.pdf</a>).
---------------------------------------------------------------------------

    Some companies, moreover, reportedly claim to collect consumer data 
for one stated purpose but then also use it for other purposes.\12\ 
Many such firms, for example, sell or otherwise monetize such 
information or compilations of it in their dealings with advertisers, 
data brokers, and other third parties.\13\ These practices also appear 
to exist outside of the retail consumer setting. Some employers, for 
example, reportedly collect an assortment of worker data to evaluate 
productivity, among other reasons \14\--a practice that has become far 
more pervasive since the onset of the COVID-19 pandemic.\15\
---------------------------------------------------------------------------

    \12\ See, e.g., Drew Harwell, Is Your Pregnancy App Sharing Your 
Intimate Data with Your Boss?, Wash. Post (Apr. 10, 2019), <a href="https://www.washingtonpost.com/technology/2019/04/10/tracking-your-pregnancy-an-app-may-be-more-public-than-you-think/">https://www.washingtonpost.com/technology/2019/04/10/tracking-your-pregnancy-an-app-may-be-more-public-than-you-think/</a>; Jon Keegan & 
Alfred Ng, The Popular Family Safety App Life360 Is Selling Precise 
Location Data on Its Tens of Millions of Users, The Markup (Dec. 6, 
2021), <a href="https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user">https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user</a>.
    \13\ See, e.g., Fed. Trade Comm'n, Data Brokers: A Call for 
Transparency and Accountability (May 2014), <a href="https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf">https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf</a>. See also, e.g., Press Release, Fed. 
Trade Comm'n, FTC Puts an End to Data Broker Operation that Helped 
Scam More Than $7 Million from Consumers' Accounts (Nov. 30, 2016), 
<a href="https://www.ftc.gov/news-events/press-releases/2016/11/ftc-puts-end-data-broker-operation-helped-scam-more-7-million">https://www.ftc.gov/news-events/press-releases/2016/11/ftc-puts-end-data-broker-operation-helped-scam-more-7-million</a>; Press Release, 
Fed. Trade Comm'n, Data Broker Defendants Settle FTC Charges They 
Sold Sensitive Personal Information to Scammers (Feb. 18, 2016), 
<a href="https://www.ftc.gov/news-events/press-releases/2016/02/data-broker-defendants-settle-ftc-charges-they-sold-sensitive">https://www.ftc.gov/news-events/press-releases/2016/02/data-broker-defendants-settle-ftc-charges-they-sold-sensitive</a>.
    \14\ See, e.g., Drew Harwell, Contract Lawyers Face a Growing 
Invasion of Surveillance Programs That Monitor Their Work, Wash. 
Post (Nov. 11, 2021), <a href="https://www.washingtonpost.com/technology/2021/11/11/lawyer-facial-recognition-monitoring/">https://www.washingtonpost.com/technology/2021/11/11/lawyer-facial-recognition-monitoring/</a>; Annie Palmer, 
Amazon Is Rolling Out Cameras That Can Detect If Warehouse Workers 
Are Following Social Distancing Rules, CNBC (June 16, 2020), <a href="https://www.cnbc.com/2020/06/16/amazon-using-cameras-to-enforce-social-distancing-rules-at-warehouses.html">https://www.cnbc.com/2020/06/16/amazon-using-cameras-to-enforce-social-distancing-rules-at-warehouses.html</a>; Sarah Krouse, How Google Spies 
on Its Employees, The Information (Sept. 23, 2021), <a href="https://www.theinformation.com/articles/how-google-spies-on-its-employees">https://www.theinformation.com/articles/how-google-spies-on-its-employees</a>; 
Adam Satariano, How My Boss Monitors Me While I Work From Home, N.Y. 
Times (May 6, 2020), <a href="https://www.nytimes.com/2020/05/06/technology/employee-monitoring-work-from-home-virus.html">https://www.nytimes.com/2020/05/06/technology/employee-monitoring-work-from-home-virus.html</a>.
    \15\ See, e.g., Danielle Abril & Drew Harwell, Keystroke 
tracking, screenshots, and facial recognition: The box may be 
watching long after the pandemic ends, Wash. Post (Sept. 24, 2021), 
<a href="https://www.washingtonpost.com/technology/2021/09/24/remote-work-from-home-surveillance/">https://www.washingtonpost.com/technology/2021/09/24/remote-work-from-home-surveillance/</a>.
---------------------------------------------------------------------------

    Many companies engage in these practices pursuant to the ostensible 
consent that they obtain from their consumers.\16\ But, as networked 
devices and online services become essential to navigating daily life, 
consumers may have little choice but to accept the terms that firms 
offer.\17\ Reports suggest that consumers have become resigned to the 
ways in which companies collect and monetize their information, largely 
because consumers have little to no actual control over what happens to 
their information once companies collect it.\18\
---------------------------------------------------------------------------

    \16\ See Tr. of FTC Hr'g, The FTC's Approach to Consumer Privacy 
(Apr. 9, 2019), at 50, <a href="https://www.ftc.gov/system/files/documents/public_events/1418273/ftc_hearings_session_12_transcript_day_1_4-9-19.pdf">https://www.ftc.gov/system/files/documents/public_events/1418273/ftc_hearings_session_12_transcript_day_1_4-9-19.pdf</a> (remarks of Paul Ohm). See also Fed. Trade Comm'n, Privacy 
Online: Fair Information Practices in the Electronic Marketplace: A 
Report to Congress 26 (May 2000), <a href="https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission-report/privacy2000.pdf">https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission-report/privacy2000.pdf</a>.
    \17\ See Tr. of FTC Hr'g, The FTC's Approach to Consumer Privacy 
(Apr. 10, 2019), at 129, <a href="https://www.ftc.gov/system/files/documents/public_events/1418273/ftc_hearings_session_12_transcript_day_2_4-10-19.pdf">https://www.ftc.gov/system/files/documents/public_events/1418273/ftc_hearings_session_12_transcript_day_2_4-10-19.pdf</a> (remarks of FTC Commissioner Rebecca Kelly Slaughter, 
describing privacy consent as illusory because consumers often have 
no choice other than to consent in order to reach digital services 
that have become necessary for participation in contemporary 
society).
    \18\ See Joe Nocera, How Cookie Banners Backfired, N.Y. Times 
(Jan. 29, 2022), <a href="https://www.nytimes.com/2022/01/29/business/dealbook/how-cookie-banners-backfired.html">https://www.nytimes.com/2022/01/29/business/dealbook/how-cookie-banners-backfired.html</a> (discussing concept of 
``digital resignation'' developed by Nora Draper and Joseph Turow). 
See also Nora A. Draper & Joseph Turow, The Corporate Cultivation of 
Digital Resignation, 21 New Media & Soc'y 1824-39 (2019).
---------------------------------------------------------------------------

    In any event, the permissions that consumers give may not always be 
meaningful or informed. Studies have shown that most people do not 
generally understand the market for consumer data that operates beyond 
their monitors and displays.\19\ Most consumers, for example, know 
little about the data brokers and third parties who collect and trade 
consumer data or build consumer profiles \20\ that can expose intimate 
details about their lives and, in the wrong hands, could expose 
unsuspecting people to future harm.\21\ 
Many privacy notices that acknowledge such risks are reportedly not 
readable to the average consumer.\22\ Many consumers do not have the 
time to review lengthy privacy notices for each of their devices, 
applications, websites, or services,\23\ let alone the periodic updates 
to them. If consumers do not have meaningful access to this 
information, they cannot make informed decisions about the costs and 
benefits of using different services.\24\
---------------------------------------------------------------------------

    \19\ See Neil Richards & Woodrow Hartzog, The Pathologies of 
Digital Consent, 96 Wash. U.L. Rev. 1461, 1477-78, 1498-1502 (2019); 
Daniel J. Solove, Introduction: Privacy Self-Management and the 
Consent Dilemma, 126 Harv. L. Rev. 1879, 1885-86 (2013) (``Solove 
Privacy Article'').
    \20\ See generally Fed. Trade Comm'n, Data Brokers: A Call for 
Transparency and Accountability (May 2014), <a href="https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf">https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf</a>.
    \21\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Puts an 
End to Data Broker Operation that Helped Scam More Than $7 Million 
from Consumers' Accounts (Nov. 30, 2016), <a href="https://www.ftc.gov/news-events/press-releases/2016/11/ftc-puts-end-data-broker-operation-helped-scam-more-7-million">https://www.ftc.gov/news-events/press-releases/2016/11/ftc-puts-end-data-broker-operation-helped-scam-more-7-million</a>; Press Release, Fed. Trade Comm'n, Data 
Broker Defendants Settle FTC Charges They Sold Sensitive Personal 
Information to Scammers (Feb. 18, 2016), <a href="https://www.ftc.gov/news-events/press-releases/2016/02/data-broker-defendants-settle-ftc-charges-they-sold-sensitive">https://www.ftc.gov/news-events/press-releases/2016/02/data-broker-defendants-settle-ftc-charges-they-sold-sensitive</a>; FTC v. Accusearch, 570 F.3d 1187, 1199 
(10th Cir. 2009). See also Molly Olmstead, A Prominent Priest Was 
Outed for Using Grindr. Experts Say It's a Warning Sign, Slate (July 
21, 2021), <a href="https://slate.com/technology/2021/07/catholic-priest-grindr-data-privacy.html">https://slate.com/technology/2021/07/catholic-priest-grindr-data-privacy.html</a>.
    \22\ See Brooke Auxier et al., Americans and Privacy: Concerned, 
Confused and Feeling Lack of Control Over Their Personal 
Information, Pew Res. Ctr. (Nov. 15, 2019), <a href="https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/">https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/</a>. See also Solove Privacy Article, 126 Harv. L. Rev. at 
1885; Aleecia M. McDonald & Lorrie Faith Cranor, The Cost of Reading 
Privacy Policies, 4 I/S J. of L. & Pol'y for Info. Society 543 
(2008); Irene Pollach, What's Wrong with Online Privacy Policies?, 
50 Comm's ACM 103 (2007).
    \23\ Kevin Litman-Navarro, We Read 150 Privacy Policies. They 
Were an Incomprehensible Disaster, N.Y. Times (2019), <a href="https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html">https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html</a>; Alexis C. Madrigal, Reading the Privacy 
Policies You Encounter in a Year Would Take 76 Work Days, The 
Atlantic (Mar. 1, 2012), <a href="https://www.theatlantic.com/technology/archive/2012/03/reading-theprivacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/">https://www.theatlantic.com/technology/archive/2012/03/reading-theprivacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/</a>. See also FTC Comm'r Rebecca Kelly 
Slaughter, Wait But Why? Rethinking Assumptions About Surveillance 
Advertising: IAPP Privacy Security Risk Closing Keynote (``Slaughter 
Keynote'') (Oct. 22, 2021), at 4, <a href="https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf">https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf</a>.
    \24\ See FTC Comm'r Christine S. Wilson, A Defining Moment for 
Privacy: The Time is Ripe for Federal Privacy Legislation, Remarks 
at the Future of Privacy Forum (Feb. 6, 2020), <a href="https://www.ftc.gov/news-events/news/speeches/remarks-commissioner-christine-s-wilson-future-privacy-forum">https://www.ftc.gov/news-events/news/speeches/remarks-commissioner-christine-s-wilson-future-privacy-forum</a>.
---------------------------------------------------------------------------

    This information asymmetry between companies and consumers runs even 
deeper. Companies can use the information that they collect to direct 
consumers' online experiences in ways that are rarely apparent--and in 
ways that go well beyond merely providing the products or services for 
which consumers believe they sign up.\25\ The Commission's enforcement 
actions have targeted several pernicious dark pattern practices, 
including burying privacy settings behind multiple layers of the user 
interface \26\ and making misleading representations to ``trick or 
trap'' consumers into providing personal information.\27\ In other 
instances, firms may misrepresent or fail to communicate clearly how 
they use and protect people's data.\28\ Given the reported scale and 
pervasiveness of such practices, individual consumer consent may be 
irrelevant.
---------------------------------------------------------------------------

    \25\ See generally Ryan Calo & Alex Rosenblat, The Taking 
Economy: Uber, Information, and Power, 117 Colum. L. Rev. 1623 
(2017); Ryan Calo, Digital Market Manipulation, 82 Geo. Wash. L. 
Rev. 995 (2014).
    \26\ See Press Release, Fed. Trade Comm'n, Facebook Settles FTC 
Charges That It Deceived Consumers by Failing to Keep Privacy 
Promises (Nov. 29, 2011), <a href="https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep">https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep</a>.
    \27\ See Press Release, Fed. Trade Comm'n, FTC Takes Action 
against the Operators of Copycat Military Websites (Sept. 6, 2018), 
<a href="https://www.ftc.gov/news-events/press-releases/2018/09/ftc-takes-action-against-operators-copycat-military-websites">https://www.ftc.gov/news-events/press-releases/2018/09/ftc-takes-action-against-operators-copycat-military-websites</a>.
    \28\ See generally infra Item III(a).
---------------------------------------------------------------------------

    The material harms of these commercial surveillance practices may 
be substantial, moreover, given that they may increase the risks of 
cyberattack by hackers, data thieves, and other bad actors. Companies' 
lax data security practices may impose enormous financial and human 
costs. Fraud and identity theft cost both businesses and consumers 
billions of dollars, and consumer complaints are on the rise.\29\ For 
some kinds of fraud, consumers have historically spent an average of 60 
hours per victim trying to resolve the issue.\30\ Even the nation's 
critical infrastructure is at stake, as evidenced by the recent attacks 
on the largest fuel pipeline,\31\ meatpacking plants,\32\ and water 
treatment facilities \33\ in the United States.
---------------------------------------------------------------------------

    \29\ Press Release, Fed. Trade Comm'n, New Data Shows FTC 
Received 2.8 Million Fraud Reports from Consumers in 2021 (Feb. 22, 
2022), <a href="https://www.ftc.gov/news-events/news/press-releases/2022/02/new-data-shows-ftc-received-28-million-fraud-reports-consumers-2021-0">https://www.ftc.gov/news-events/news/press-releases/2022/02/new-data-shows-ftc-received-28-million-fraud-reports-consumers-2021-0</a>.
    \30\ Fed. Trade Comm'n, Identity Theft Survey Report (Sept. 
2003), <a href="https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-identity-theft-program/synovatereport.pdf">https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-identity-theft-program/synovatereport.pdf</a>.
    \31\ William Turton & Kartikay Mehrotra, Hackers Breached 
Colonial Pipeline Using Compromised Password, Bloomberg (June 4, 
2021), <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password</a>.
    \32\ Dan Charles, The Food Industry May Be Finally Paying 
Attention To Its Weakness To Cyberattacks, NPR (July 5, 2021), 
<a href="https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-its-weakness-to-cyberattack">https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-its-weakness-to-cyberattack</a>.
    \33\ Josh Margolin & Ivan Pereira, Outdated Computer System 
Exploited in Florida Water Treatment Plant Hack, ABC News (Feb. 11, 
2021), <a href="https://abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550">https://abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550</a>.
---------------------------------------------------------------------------

    Companies' collection and use of data have significant consequences 
for consumers' wallets, safety, and mental health. Sophisticated 
digital advertising systems reportedly automate the targeting of 
fraudulent products and services to the most vulnerable consumers.\34\ 
Stalking apps continue to endanger people.\35\ Children and teenagers 
remain vulnerable to cyber bullying, cyberstalking, and the 
distribution of child sexual abuse material.\36\ Peer-reviewed research 
has linked social media use with depression, anxiety, eating disorders, 
and suicidal ideation among kids and teens.\37\
---------------------------------------------------------------------------

    \34\ See, e.g., Zeke Faux, How Facebook Helps Shady Advertisers 
Pollute the internet, Bloomberg (Mar. 27, 2019), <a href="https://www.bloomberg.com/news/features/2018-03-27/ad-scammers-need-suckers-and-facebook-helps-find-them">https://www.bloomberg.com/news/features/2018-03-27/ad-scammers-need-suckers-and-facebook-helps-find-them</a> (noting an affiliate marketer's claim 
that Facebook's ad system ``find[s] the morons for me'').
    \35\ See Consumer Advice, Fed. Trade Comm'n, Stalking Apps: What 
to Know (May 2021), <a href="https://consumer.ftc.gov/articles/stalking-apps-what-know">https://consumer.ftc.gov/articles/stalking-apps-what-know</a>.
    \36\ See Ellen M. Selkie, Jessica L. Fales, & Megan A. Moreno, 
Cyberbullying Prevalence Among U.S. Middle and High School-Aged 
Adolescents: A Systematic Review and Quality Assessment, 58 J. 
Adolescent Health 125 (2016); Fed. Trade Comm'n, Parental Advisory: 
Dating Apps (May 6, 2019), <a href="https://consumer.ftc.gov/consumer-alerts/2019/05/parental-advisory-dating-apps">https://consumer.ftc.gov/consumer-alerts/2019/05/parental-advisory-dating-apps</a>; Subcommittee on Consumer 
Protection, Product Safety, and Data Security, U.S. Senate Comm. on 
Com., Sci. & Transp., Hearing, Protecting Kids Online: internet 
Privacy and Manipulative Marketing (May 18, 2021), <a href="https://www.commerce.senate.gov/2021/5/protecting-kids-online-internet-privacy-and-manipulative-marketing">https://www.commerce.senate.gov/2021/5/protecting-kids-online-internet-privacy-and-manipulative-marketing</a>; Aisha Counts, Child Sexual Abuse 
Is Exploding Online. Tech's Best Defenses Are No Match., Protocol 
(Nov. 12, 2021), <a href="https://www.protocol.com/policy/csam-child-safety-online">https://www.protocol.com/policy/csam-child-safety-online</a>.
    \37\ See, e.g., Elroy Boers et al., Association of Screen Time 
and Depression in Adolescence, 173 JAMA Pediatr. 9 (2019) at 857 
(``We found that high mean levels of social media over 4 years and 
any further increase in social media use in the same year were 
associated with increased depression.''); Hugues Sampasa-Kanyinga & 
Rosamund F. Lewis, Frequent Use of Social Networking Sites Is 
Associated with Poor Psychological Functioning Among Children and 
Adolescents, 18 Cyberpsychology, Behavior, and Social Networking 7 
(2015) at 380 (``Daily [social networking site] use of more than 2 
hours was . . . independently associated with poor self-rating of 
mental health and experiences of high levels of psychological 
distress and suicidal ideation.''); Jean M. Twenge et al., Increases 
in Depressive Symptoms, Suicide-Related Outcomes, and Suicide Rates 
Among U.S. Adolescents After 2010 and Links to Increased New Media 
Screen Time, 6 Clinical Psychological Sci. 1 (2018) at 11 
(``[A]dolescents using social media sites every day were 13% more 
likely to report high levels of depressive symptoms than those using 
social media less often.''); H.C. Woods & H. Scott, #Sleepyteens: 
Social Media Use in Adolescence is Associated with Poor Sleep 
Quality, Anxiety, Depression, and Low Self-Esteem, 51 J. of 
Adolescence 41-9 (2016) at 1 (``Adolescents who used social media 
more . . . experienced poorer sleep quality, lower self-esteem and 
higher levels of anxiety and depression.''); Simon M. Wilksch et 
al., The relationship between social media use and disordered eating 
in young adolescents, 53 Int'l J. of Eating Disorders 1 at 96 (``A 
clear pattern of association was found between [social media] usage 
and [disordered eating] cognitions.'').
---------------------------------------------------------------------------

    Finally, companies' growing reliance on automated systems is 
creating new

[[Page 51276]]

forms and mechanisms for discrimination based on statutorily protected 
categories,\38\ including in critical areas such as housing,\39\ 
employment,\40\ and healthcare.\41\ For example, some employers' 
automated systems have reportedly learned to prefer men over women.\42\ 
Meanwhile, a recent investigation suggested that lenders' use of 
educational attainment in credit underwriting might disadvantage 
students who attended historically Black colleges and universities.\43\ 
And the Department of Justice recently settled its first case 
challenging algorithmic discrimination under the Fair Housing Act for a 
social media advertising delivery system that unlawfully discriminated 
based on protected categories.\44\ Critically, these kinds of disparate 
outcomes may arise even when automated systems consider only 
unprotected consumer traits.\45\
---------------------------------------------------------------------------

    \38\ A few examples of where automated systems may have produced 
disparate outcomes include inaccuracies and delays in the delivery 
of child welfare services for the needy; music streaming services 
that are more likely to recommend men than women; gunshot detection 
software that mistakenly alerts local police when people light 
fireworks in majority-minority neighborhoods; search engine results 
that demean black women; and face recognition software that is more 
likely to misidentify dark-skinned women than light-skinned men. See 
Joy Buolamwini & Timnit Gebru, Gender Shades: Intersectional 
Accuracy Disparities in Commercial Gender Classification, 81 Proc. 
of Mach. Learning Res. (2018); Latanya Sweeney, Discrimination in 
Online Ad Delivery: Google Ads, Black Names and White Names, Racial 
Discrimination, and Click Advertising, 11 Queue 10, 29 (Mar. 2013); 
Muhammad Ali et al., Discrimination Through Optimization: How 
Facebook's Ad Delivery Can Lead to Skewed Outcomes, 3 Proc. ACM on 
Hum.-Computer Interaction (2019); Virginia Eubanks, Automating 
Inequality: How High-Tech Tools Profile, Police, and Punish the Poor 
(2018); Andres Ferraro, Xavier Serra, & Christine Bauer, Break the 
Loop: Gender Imbalance in Music Recommenders, CHIIR '21: Proceedings 
of the 2021 Conference on Human Information Interaction and 
Retrieval, 249-254 (Mar. 2021), <a href="https://dl.acm.org/doi/proceedings/10.1145/3406522">https://dl.acm.org/doi/proceedings/10.1145/3406522</a>. See generally Anita Allen, Dismantling the ``Black 
Opticon'': Privacy, Race, Equity, and Online Data-Protection Reform, 
131 Yale L. J. Forum 907 (2022), <a href="https://www.yalelawjournal.org/pdf/F7.AllenFinalDraftWEB_6f26iyu6.pdf">https://www.yalelawjournal.org/pdf/F7.AllenFinalDraftWEB_6f26iyu6.pdf</a>; Safiya Umoja Noble, Algorithms 
of Oppression: How Search Engines Reinforce Racism (2018); Danielle 
Citron, Hate Crimes in Cyberspace (2014).
    \39\ See Ny Magee, Airbnb Algorithm Linked to Racial Disparities 
in Pricing, The Grio (May 13, 2021), <a href="https://thegrio.com/2021/05/13/airbnb-racial-disparities-in-pricing/">https://thegrio.com/2021/05/13/airbnb-racial-disparities-in-pricing/</a>; Emmanuel Martinez & Lauren 
Kirchner, The Secret Bias Hidden in Mortgage-Approval Algorithms, 
ABC News & The MarkUp (Aug. 25, 2021), <a href="https://abcnews.go.com/Business/wireStory/secret-bias-hidden-mortgage-approval-algorithms-79633917">https://abcnews.go.com/Business/wireStory/secret-bias-hidden-mortgage-approval-algorithms-79633917</a>. See generally Fed. Trade Comm'n, Accuracy in Consumer 
Reporting Workshop (Dec. 10, 2019), <a href="https://www.ftc.gov/news-events/events-calendar/accuracy-consumer-reporting-workshop">https://www.ftc.gov/news-events/events-calendar/accuracy-consumer-reporting-workshop</a>. See also Alex 
P. Miller & Kartik Hosanagar, How Targeted Ads and Dynamic Pricing 
Can Perpetuate Bias, Harv. Bus. Rev. (Nov. 8, 2019), <a href="https://hbr.org/2019/11/how-targeted-ads-and-dynamic-pricing-can-perpetuate-bias">https://hbr.org/2019/11/how-targeted-ads-and-dynamic-pricing-can-perpetuate-bias</a>.
    \40\ See Ifeoma Ajunwa, The ``Black Box'' at Work, Big Data & 
Society (Oct. 19, 2020), <a href="https://journals.sagepub.com/doi/full/10.1177/2053951720938093">https://journals.sagepub.com/doi/full/10.1177/2053951720938093</a>.
    \41\ See Donna M. Christensen et al., Medical Algorithms are 
Failing Communities of Color, Health Affs. (Sept. 9, 2021), <a href="https://www.healthaffairs.org/do/10.1377/hblog20210903.976632/full/">https://www.healthaffairs.org/do/10.1377/hblog20210903.976632/full/</a>; Heidi 
Ledford, Millions of Black People Affected by Racial Bias in Health-
Care Algorithms, Nature (Oct. 24, 2019), <a href="https://www.nature.com/articles/d41586-019-03228-6/">https://www.nature.com/articles/d41586-019-03228-6/</a>.
    \42\ Jeffrey Dastin, Amazon scraps secret AI recruiting tool 
that showed bias against women, Reuters (Oct. 10, 2018), <a href="https://www.reuters.com/article/us-amazon-com-jobs-automation-insight/amazon-scraps-secret-ai-recruiting-tool-that-showed-bias-against-women-idUSKCN1MK08G">https://www.reuters.com/article/us-amazon-com-jobs-automation-insight/amazon-scraps-secret-ai-recruiting-tool-that-showed-bias-against-women-idUSKCN1MK08G</a>; Dave Gershgorn, Companies are on the hook if 
their hiring algorithms are biased, Quartz (Oct. 22, 2018), <a href="https://qz.com/1427621/companies-are-on-the-hook-if-their-hiring-algorithms-are-biased/">https://qz.com/1427621/companies-are-on-the-hook-if-their-hiring-algorithms-are-biased/</a>.
    \43\ Katherine Welbeck & Ben Kaufman, Fintech Lenders' Responses 
to Senate Probe Heighten Fears of Educational Redlining, Student 
Borrower Prot. Ctr. (July 31, 2020), <a href="https://protectborrowers.org/fintech-lenders-response-to-senate-probe-heightens-fears-of-educational-redlining/">https://protectborrowers.org/fintech-lenders-response-to-senate-probe-heightens-fears-of-educational-redlining/</a>. This issue is currently being investigated 
by the company and outside parties. Relman Colfax, Fair Lending 
Monitorship of Upstart Network's Lending Model, <a href="https://www.relmanlaw.com/cases-406">https://www.relmanlaw.com/cases-406</a>.
    \44\ Compl., United States v. Meta Platforms, Inc., No. 22-05187 
(S.D.N.Y. filed June 21, 2022), <a href="https://www.justice.gov/usao-sdny/press-release/file/1514051/download">https://www.justice.gov/usao-sdny/press-release/file/1514051/download</a>; Settlement Agreement, United 
States v. Meta Platforms, Inc., No. 22-05187 (S.D.N.Y. filed June 
21, 2022), <a href="https://www.justice.gov/crt/case-document/file/1514126/download">https://www.justice.gov/crt/case-document/file/1514126/download</a>.
    \45\ Andrew Selbst, A New HUD Rule Would Effectively Encourage 
Discrimination by Algorithm, Slate (Aug. 19, 2019), <a href="https://slate.com/technology/2019/08/hud-disparate-impact-discrimination-algorithm.html">https://slate.com/technology/2019/08/hud-disparate-impact-discrimination-algorithm.html</a>. See also Rebecca Kelly Slaughter, Algorithms and 
Economic Justice, 23 Yale J. L. & Tech. 1, 11-14 (2021) (``Slaughter 
Algorithms Paper''); Anupam Chander, The Racist Algorithm?, 115 
Mich. L. Rev. 1023, 1029-30, 1037-39 (2017); Solon Barocas & Andrew 
D. Selbst, Big Data's Disparate Impact, 104 Calif. L. Rev. 671, 677-
87 (2016).
---------------------------------------------------------------------------

    The Commission is issuing this ANPR pursuant to Section 18 of the 
Federal Trade Commission Act (``FTC Act'') and the Commission's Rules 
of Practice \46\ because recent Commission actions, news reporting, and 
public research suggest that harmful commercial surveillance and lax 
data security practices may be prevalent and increasingly 
unavoidable.\47\ These developments suggest that trade regulation rules 
reflecting these current realities may be needed to ensure Americans 
are protected from unfair or deceptive acts or practices. New rules 
could also foster a greater sense of predictability for companies and 
consumers and minimize the uncertainty that case-by-case enforcement 
may engender.
---------------------------------------------------------------------------

    \46\ 15 U.S.C. 57a; 16 CFR parts 0 and 1.
    \47\ In May 2022, three consumer advocacy groups urged the 
Commission to commence a rulemaking proceeding to protect ``privacy 
and civil rights.'' See Letter of Free Press, Access Now, and 
UltraViolet to Chair Lina M. Khan (May 12, 2022), <a href="https://act.freepress.net/sign/protect_privacy_civil_rights">https://act.freepress.net/sign/protect_privacy_civil_rights</a>. Late in 2021, 
moreover, the Commission received a petition that calls on it to 
promulgate rules pursuant to its authority to protect against unfair 
methods of competition in the market for consumer data. See Press 
Release, Accountable Tech, Accountable Tech Petitions FTC to Ban 
Surveillance Advertising as an `Unfair Method of Competition' (Sept. 
28, 2021), <a href="https://accountabletech.org/media/accountable-tech-petitions-ftc-to-ban-surveillance-advertising-as-an-unfair-method-of-competition/">https://accountabletech.org/media/accountable-tech-petitions-ftc-to-ban-surveillance-advertising-as-an-unfair-method-of-competition/</a>. In accordance with the provision of its Rules of 
Practice concerning public petitions, 16 CFR 1.31, the Commission 
published a notice about the petition, 86 FR 73206 (Dec. 23, 2021), 
and accepted public comments, which are compiled at <a href="https://www.regulations.gov/docket/FTC-2021-0070/comments">https://www.regulations.gov/docket/FTC-2021-0070/comments</a>. The petitioner 
urges new rules that address the way in which certain dominant 
companies exploit their access to and control of consumer data. 
Those unfair-competition concerns overlap with some of the concerns 
in this ANPR about unfair or deceptive acts or practices, and 
several comments in support of the petition also urged the 
Commission to pursue a rulemaking using its authority to regulate 
unfair or deceptive practices. See, e.g., Cmt. of Consumer Reports & 
Elec. Privacy Info. Ctr., at 2 (Jan. 27, 2022), <a href="https://downloads.regulations.gov/FTC-2021-0070-0009/attachment_1.pdf">https://downloads.regulations.gov/FTC-2021-0070-0009/attachment_1.pdf</a>. 
Accordingly, Item IV, below, invites comment on the ways in which 
existing and emergent commercial surveillance practices harm 
competition and on any new trade regulation rules that would address 
such practices. Such rules could arise from the Commission's 
authority to protect against unfair methods of competition, so they 
may be proposed directly without first being the subject of an advance 
notice of proposed rulemaking. See 15 U.S.C. 57a(a)(2) (Section 18's 
procedural requirements, including an ANPR, apply to rules defining 
unfair or deceptive acts or practices but expressly do not apply to 
rules ``with respect to unfair methods of competition'').
---------------------------------------------------------------------------

    Countries around the world and states across the nation have been 
alert to these concerns. Many accordingly have enacted laws and 
regulations that impose restrictions on companies' collection, use, 
analysis, retention, transfer, sharing, and sale or other monetization 
of consumer data. In recognition of the complexity and opacity of 
commercial surveillance practices today, such laws have reduced the 
emphasis on providing notice and obtaining consent and have instead 
stressed additional privacy ``defaults'' as well as increased 
accountability for businesses and restrictions on certain practices.
    For example, European Union (``EU'') member countries enforce the 
EU's General Data Protection Regulation (``GDPR''),\48\ which, among 
other things, limits the processing of personal data to six lawful 
bases and provides consumers with certain rights to access, delete, 
correct, and port such data. Canada's Personal Information Protection 
and Electronic Documents Act \49\ and Brazil's General Law for the

[[Page 51277]]

Protection of Personal Data \50\ contain some similar rights.\51\ Laws 
in California,\52\ Virginia,\53\ Colorado,\54\ Utah,\55\ and 
Connecticut,\56\ moreover, include some comparable rights, and numerous 
state legislatures are considering similar laws. Alabama,\57\ 
Colorado,\58\ and Illinois,\59\ meanwhile, have enacted laws related to 
the development and use of artificial intelligence. Other states, 
including Illinois,\60\ Texas,\61\ and Washington,\62\ have enacted 
laws governing the use of biometric data. All fifty U.S. states have 
laws that require businesses to notify consumers of certain breaches of 
consumers' data.\63\ And numerous states require businesses to take 
reasonable steps to secure consumers' data.\64\
---------------------------------------------------------------------------

    \48\ See Data Protection in the EU, Eur. Comm'n, <a href="https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en">https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en</a>.
    \49\ See Personal Information Protection and Electronic 
Documents Act (PIPEDA), Off. of the Privacy Comm'r of Can., <a href="https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/">https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/</a> 
(last modified Dec. 8, 2021).
    \50\ Brazilian General Data Protection Law (Law No. 13,709, of 
Aug. 14, 2018), <a href="https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/">https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/</a>.
    \51\ In 2021, the European Commission also announced proposed 
legislation to create additional rules for artificial intelligence 
that would, among other things, impose particular documentation, 
transparency, data management, recordkeeping, security, assessment, 
notification, and registration requirements for certain artificial 
intelligence systems that pose high risks of causing consumer 
injury. See Proposal for a Regulation of the European Parliament and 
of the Council Laying Down Harmonised Rules on Artificial 
Intelligence (Artificial Intelligence Act) and Amending Certain 
Union Legislative Acts, COM (2021) 206 final (Apr. 21, 2021), 
<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206</a>.
    \52\ See California Privacy Rights Act of 2020, Proposition 24 
(Cal. 2020) (codified at Cal. Civ. Code 1798.100-199.100); State of 
Cal. Dep't of Just., California Consumer Privacy Act (CCPA): 
Frequently Asked Questions (FAQs), <a href="https://oag.ca.gov/privacy/ccpa">https://oag.ca.gov/privacy/ccpa</a>.
    \53\ See Consumer Data Protection Act, S.B. 1392, 161st Gen. 
Assem. (Va. 2021) (codified at Va. Code Ann. 59.1-575 through 59.1-
585 (2021)).
    \54\ See Protect Personal Data Privacy Act, 21 S.B. 190, 73rd Gen. 
Assem. (Colo. 2021).
    \55\ See Utah Consumer Privacy Act, 2022 Utah Laws 462 (codified 
at Utah Code Ann. 13-61-1 through 13-61-4).
    \56\ See An Act Concerning Personal Data Privacy and Online 
Monitoring, 2022 Conn. Acts P.A. 22-15 (Reg. Sess.).
    \57\ See Act No. 2021-344, S.B. 78, 2021 Leg., Reg. Sess. 
(Ala. 2021).
    \58\ See Restrict Insurers' Use of External Consumer Data Act, 
21 S.B. 169, 73rd Gen. Assem., 1st Reg. Sess. (Colo. 2021).
    \59\ See Artificial Intelligence Video Interview Act, H.B. 53, 
102nd Gen. Assem., Reg. Sess. (Ill. 2021) (codified at 820 Ill. 
Comp. Stat. Ann. 42/1 et seq.).
    \60\ See Biometric Information Privacy Act, S.B. 2400, 2008 Gen. 
Assem., Reg. Sess. (Ill. 2021) (codified at 740 Ill. Comp. Stat. 
Ann. 14/1 et seq.).
    \61\ See Tex. Bus. & Com. Code 503.001.
    \62\ See Wash. Rev. Code Ann. 19.375.010 through 19.375.900.
    \63\ See Nat'l Conf. of State Leg., Security Breach Notification 
Laws (Jan. 17, 2022), <a href="https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx">https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx</a>.
    \64\ See Nat'l Conf. of State Leg., Data Security Laws, Private 
Sector (May 29, 2019), <a href="https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx">https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx</a>.
---------------------------------------------------------------------------

    Through this ANPR, the Commission is beginning to consider the 
potential need for rules and requirements regarding commercial 
surveillance and lax data security practices. Section 18 of the FTC Act 
authorizes the Commission to promulgate, modify, and repeal trade 
regulation rules that define with specificity acts or practices that 
are unfair or deceptive in or affecting commerce within the meaning of 
Section 5(a)(1) of the FTC Act.\65\ Through this ANPR, the Commission 
aims to generate a public record about prevalent commercial 
surveillance practices or lax data security practices that are unfair 
or deceptive, as well as about efficient, effective, and adaptive 
regulatory responses. These comments will help to sharpen the 
Commission's enforcement work and may inform reform by Congress or 
other policymakers, even if the Commission does not ultimately 
promulgate new trade regulation rules.\66\
---------------------------------------------------------------------------

    \65\ 15 U.S.C. 45(a)(1).
    \66\ Cf. Slaughter Keynote at 4; Oral Statement of Comm'r 
Christine S. Wilson, Strengthening the Federal Trade Commission's 
Authority to Protect Consumers: Hearing before the Senate Comm. on 
Com., Sci. & Transp. (Apr. 20, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1589180/opening_statement_final_for_postingrevd.pdf">https://www.ftc.gov/system/files/documents/public_statements/1589180/opening_statement_final_for_postingrevd.pdf</a>.
---------------------------------------------------------------------------

    The term ``data security'' in this ANPR refers to breach risk 
mitigation, data management and retention, data minimization, and 
breach notification and disclosure practices.
    For the purposes of this ANPR, ``commercial surveillance'' refers 
to the collection, aggregation, analysis, retention, transfer, or 
monetization of consumer data and the direct derivatives of that 
information. These data include both information that consumers 
actively provide--say, when they affirmatively register for a service 
or make a purchase--as well as personal identifiers and other 
information that companies collect, for example, when a consumer 
casually browses the web or opens an app. This latter category is far 
broader than the first.
    The term ``consumer'' as used in this ANPR includes businesses and 
workers, not just individuals who buy or exchange data for retail goods 
and services. This approach is consistent with the Commission's 
longstanding practice of bringing enforcement actions against firms 
that harm companies \67\ as well as workers of all kinds.\68\ The FTC 
has frequently used Section 5 of the FTC Act to protect small 
businesses or individuals in contexts involving their employment or 
independent contractor status.\69\
---------------------------------------------------------------------------

    \67\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Obtains 
Contempt Ruling Against `Yellow Pages' Scam (Nov. 25, 2015), <a href="https://www.ftc.gov/news-events/press-releases/2015/11/ftc-obtains-contempt-ruling-against-yellow-pages-scam">https://www.ftc.gov/news-events/press-releases/2015/11/ftc-obtains-contempt-ruling-against-yellow-pages-scam</a>; Press Release, Fed. Trade 
Comm'n, FTC and Florida Halt internet `Yellow Pages' Scammers (July 
17, 2014), <a href="https://www.ftc.gov/news-events/press-releases/2014/07/ftc-florida-halt-internet-yellow-pages-scammers">https://www.ftc.gov/news-events/press-releases/2014/07/ftc-florida-halt-internet-yellow-pages-scammers</a>; In re Spiegel, 
Inc., 86 F.T.C. 425, 439 (1975). See also FTC v. Sperry & Hutchinson 
Co., 405 U.S. 233, 244 (1972); FTC v. Bunte Bros., Inc., 312 U.S. 
349, 353 (1941); In re Orkin Exterminating Co., Inc., 108 F.T.C. 263 
(1986), aff'd, Orkin Exterminating Co., Inc. v. FTC, 849 F.2d 1354 
(11th Cir. 1988); FTC v. Datacom Mktg., Inc., No. 06-c-2574, 2006 WL 
1472644, at *2 (N.D. Ill. May 24, 2006). Previously, the Commission 
included ``businessmen'' among those Congress charged it to protect 
under the statute. See Fed. Trade Comm'n, FTC Policy Statement on 
Unfairness (Dec. 17, 1980), appended to In re Int'l Harvester Co., 
104 F.T.C. 949, 1072 n.8 (1984), <a href="https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness">https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness</a>.
    \68\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Settles 
Charges Against Two Companies That Allegedly Failed to Protect 
Sensitive Employee Data (May 3, 2011), <a href="https://www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed">https://www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed</a>; Press Release, Fed. Trade Comm'n, Rite 
Aid Settles FTC Charges That It Failed to Protect Medical and 
Financial Privacy of Customers and Employees (July 27, 2010), 
<a href="https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-financial">https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-financial</a>; Press 
Release, Fed. Trade Comm'n, CVS Caremark Settles FTC Charges: Failed 
to Protect Medical and Financial Privacy of Customers and Employees; 
CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA 
Violations (Feb. 18, 2009), <a href="https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial">https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial</a>. See also Press Release, Fed. Trade Comm'n, Amazon 
To Pay $61.7 Million to Settle FTC Charges It Withheld Some Customer 
Tips from Amazon Flex Drivers (Feb. 2, 2021), <a href="https://www.ftc.gov/news-events/press-releases/2021/02/amazon-pay-617-million-settle-ftc-charges-it-withheld-some">https://www.ftc.gov/news-events/press-releases/2021/02/amazon-pay-617-million-settle-ftc-charges-it-withheld-some</a>.
    \69\ See, e.g., FTC v. IFC Credit Corp., 543 F. Supp. 2d 925, 
934-41 (N.D. Ill. 2008) (holding that the FTC's construction of the 
term ``consumer'' to include businesses as well as individuals is 
reasonable and is supported by the text and history of the FTC Act).
---------------------------------------------------------------------------

    This ANPR proceeds as follows. Item II outlines the Commission's 
existing authority to bring enforcement actions and promulgate trade 
regulation rules under the FTC Act. Item III sets out the wide range of 
actions against commercial surveillance and data security acts or 
practices that the Commission has pursued in recent years as well as 
the benefits and shortcomings of this case-by-case approach. Item IV 
sets out the questions on which the Commission seeks public comment. 
Finally, Item V provides instructions on the comment submission 
process, and Item VI describes a public forum that is scheduled to take 
place to facilitate public involvement in this rulemaking proceeding.

II. The Commission's Authority

    Congress authorized the Commission to propose a rule defining 
unfair or

[[Page 51278]]

deceptive acts or practices with specificity when the Commission ``has 
reason to believe that the unfair or deceptive acts or practices which 
are the subject of the proposed rulemaking are prevalent.'' \70\ A 
determination about prevalence can be made either on the basis of 
``cease-and-desist'' orders regarding such acts or practices that the 
Commission has previously issued, or when it has ``any other 
information'' that ``indicates a widespread pattern of unfair or 
deceptive acts or practices.'' \71\
---------------------------------------------------------------------------

    \70\ 15 U.S.C. 57a(b)(3).
    \71\ Id.
---------------------------------------------------------------------------

    Generally, a practice is unfair under Section 5 if (1) it causes or 
is likely to cause substantial injury, (2) the injury is not reasonably 
avoidable by consumers, and (3) the injury is not outweighed by 
benefits to consumers or competition.\72\ A representation, omission, 
or practice is deceptive under Section 5 if it is likely to mislead 
consumers acting reasonably under the circumstances and is material to 
consumers--that is, it would likely affect the consumer's conduct or 
decision with regard to a product or service.\73\ Under the statute, 
this broad language is applied to specific commercial practices through 
Commission enforcement actions and the promulgation of trade regulation 
rules.
---------------------------------------------------------------------------

    \72\ 15 U.S.C. 45(n).
    \73\ See FTC Policy Statement on Deception (Oct. 14, 1983), 
appended to In re Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 
(1984), <a href="https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf">https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf</a>.
---------------------------------------------------------------------------

    In addition to the FTC Act, the Commission enforces a number of 
sector-specific laws that relate to commercial surveillance practices, 
including: the Fair Credit Reporting Act,\74\ which protects the 
privacy of consumer information collected by consumer reporting 
agencies; the Children's Online Privacy Protection Act (``COPPA''),\75\ 
which protects information collected online from children under the age 
of 13; the Gramm-Leach-Bliley Act (``GLBA''),\76\ which protects the 
privacy of customer information collected by financial institutions; 
the Controlling the Assault of Non-Solicited Pornography and Marketing 
(``CAN-SPAM'') Act,\77\ which allows consumers to opt out of receiving 
commercial email messages; the Fair Debt Collection Practices Act,\78\ 
which protects individuals from harassment by debt collectors and 
imposes disclosure requirements on related third parties; the 
Telemarketing and Consumer Fraud and Abuse Prevention Act,\79\ under 
which the Commission implemented the Do Not Call Registry; \80\ the 
Health Breach Notification Rule,\81\ which applies to certain health 
information; and the Equal Credit Opportunity Act,\82\ which protects 
individuals from discrimination on the basis of race, color, religion, 
national origin, sex, marital status, receipt of public assistance, or 
good faith exercise of rights under the Consumer Credit Protection Act 
and requires creditors to provide to applicants, upon request, the 
reasons underlying decisions to deny credit.
---------------------------------------------------------------------------

    \74\ 15 U.S.C. 1681 through 1681x.
    \75\ 15 U.S.C. 6501 through 6506.
    \76\ Public Law 106-102, 113 Stat. 1338 (1999) (codified as 
amended in scattered sections of 12 and 15 U.S.C.).
    \77\ 15 U.S.C. 7701 through 7713.
    \78\ 15 U.S.C. 1692 through 1692p.
    \79\ 15 U.S.C. 6101 through 6108.
    \80\ 16 CFR part 310.
    \81\ 16 CFR part 318.
    \82\ 15 U.S.C. 1691 through 1691f.
---------------------------------------------------------------------------

III. The Commission's Current Approach to Privacy and Data Security

a. Case-By-Case Enforcement and General Policy Work

    For more than two decades, the Commission has been the nation's 
privacy agency, engaging in policy work and bringing scores of 
enforcement actions concerning data privacy and security.\83\ These 
actions have alleged that certain practices violate Section 5 of the 
FTC Act or other statutes to the extent they pose risks to physical 
security, cause economic or reputational injury, or involve unwanted 
intrusions into consumers' daily lives.\84\ For example, the Commission 
has brought actions for:
---------------------------------------------------------------------------

    \83\ ``Since 1995, the Commission has been at the forefront of 
the public debate on online privacy.'' Fed. Trade Comm'n, Privacy 
Online: Fair Information Practices in the Electronic Marketplace--A 
Report to Congress 3 (2000), <a href="http://www.ftc.gov/reports/privacy2000/privacy2000.pdf">http://www.ftc.gov/reports/privacy2000/privacy2000.pdf</a> (third consecutive annual report to Congress after 
it urged the Commission to take on a greater role in policing 
privacy practices using Section 5 as the internet grew from a niche 
service to a mainstream utility). The first online privacy 
enforcement action came in 1998 against GeoCities, ``one of the most 
popular sites on the World Wide Web.'' Press Release, Fed. Trade 
Comm'n, Internet Site Agrees to Settle FTC Charges of Deceptively 
Collecting Personal Information in Agency's First Internet Privacy 
Case (Aug. 13, 1998), <a href="http://www.ftc.gov/news-events/press-releases/1998/08/internet-site-agrees-settle-ftc-charges-deceptively-collecting">http://www.ftc.gov/news-events/press-releases/1998/08/internet-site-agrees-settle-ftc-charges-deceptively-collecting</a>.
    \84\ See Fed. Trade Comm'n, Comment to the National 
Telecommunications & Information Administration on Developing the 
Administration's Approach to Consumer Privacy, No. 180821780-8780-
01, 8-9 (Nov. 9, 2018), <a href="https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-ntia-developingadministrations-approach-consumer-privacy/p195400_ftc_comment_to_ntia_112018.pdf">https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-ntia-developingadministrations-approach-consumer-privacy/p195400_ftc_comment_to_ntia_112018.pdf</a>; 
FTC Comm'r Christine S. Wilson, A Defining Moment for Privacy: The 
Time Is Ripe for Federal Privacy Legislation: Remarks at the Future 
of Privacy Forum 11, n.39 (Feb. 6, 2020), <a href="https://www.ftc.gov/system/files/documents/public_statements/1566337/commissioner_wilson_privacy_forum_speech_02-06-2020.pdf">https://www.ftc.gov/system/files/documents/public_statements/1566337/commissioner_wilson_privacy_forum_speech_02-06-2020.pdf</a>.
---------------------------------------------------------------------------

    <bullet> the surreptitious collection and sale of consumer phone 
records obtained through false pretenses; \85\
---------------------------------------------------------------------------

    \85\ See, e.g., Compl. for Injunctive and Other Equitable 
Relief, United States v. Accusearch, Inc., No. 06-cv-105 (D. Wyo. 
filed May 1, 2006), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2006/05/060501accusearchcomplaint.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2006/05/060501accusearchcomplaint.pdf</a>.
---------------------------------------------------------------------------

    <bullet> the public posting of private health-related data online; 
\86\
---------------------------------------------------------------------------

    \86\ See, e.g., Compl., In re Practice Fusion, Inc., F.T.C. File 
No. 142-3039 (Aug. 16, 2016), <a href="https://www.ftc.gov/system/files/documents/cases/160816practicefusioncmpt.pdf">https://www.ftc.gov/system/files/documents/cases/160816practicefusioncmpt.pdf</a>.
---------------------------------------------------------------------------

    <bullet> the sharing of private health-related data with third 
parties; \87\
---------------------------------------------------------------------------

    \87\ See, e.g., Decision and Order, In re Flo Health, Inc., FTC 
File No. 1923133 (June 22, 2021), <a href="http://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf">www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf</a>.
---------------------------------------------------------------------------

    <bullet> inaccurate tenant screening; \88\
---------------------------------------------------------------------------

    \88\ See, e.g., Compl. for Civ. Penalties, Permanent Injunction, 
and Other Equitable Relief, United States v. AppFolio, Inc., No. 
1:20-cv-03563 (D.D.C. filed Dec. 8, 2020), <a href="https://www.ftc.gov/system/files/documents/cases/ecf_1_-_us_v_appfolio_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/ecf_1_-_us_v_appfolio_complaint.pdf</a>.
---------------------------------------------------------------------------

    <bullet> public disclosure of consumers' financial information in 
responses to consumers' critical online reviews of the publisher's 
services; \89\
---------------------------------------------------------------------------

    \89\ See, e.g., Compl., United States v. Mortg. Sols. FCS, Inc., 
No. 4:20-cv-00110 (N.D. Cal. filed Jan. 6, 2020), <a href="https://www.ftc.gov/system/files/documents/cases/mortgage_solutions_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/mortgage_solutions_complaint.pdf</a>.
---------------------------------------------------------------------------

    <bullet> pre-installation of ad-injecting software that acted as a 
man-in-the-middle between consumers and all websites with which they 
communicated and collected and transmitted to the software developer 
consumers' internet browsing data; \90\
---------------------------------------------------------------------------

    \90\ See, e.g., Decision and Order, In re Lenovo (United States) 
Inc., FTC File No. 152 3134 (Dec. 20, 2017), <a href="https://www.ftc.gov/system/files/documents/cases/152_3134_c4636_lenovo_united_states_decision_and_order.pdf">https://www.ftc.gov/system/files/documents/cases/152_3134_c4636_lenovo_united_states_decision_and_order.pdf</a>.
---------------------------------------------------------------------------

    <bullet> solicitation and online publication of ``revenge porn''--
intimate pictures and videos of ex-partners, along with their personal 
information--and the collection of fees to take down such information; 
\91\
---------------------------------------------------------------------------

    \91\ See, e.g., Compl. for Permanent Injunction and Other 
Equitable Relief, FTC and State of Nevada v. EMP Media, Inc., No. 
2:18-cv-00035 (D. Nev. filed Jan. 9, 2018), <a href="https://www.ftc.gov/system/files/documents/cases/1623052_myex_complaint_1-9-18.pdf">https://www.ftc.gov/system/files/documents/cases/1623052_myex_complaint_1-9-18.pdf</a>; 
Compl., In re Craig Brittain, F.T.C. File No. 132-3120 (Dec. 28, 
2015), <a href="https://www.ftc.gov/system/files/documents/cases/160108craigbrittaincmpt.pdf">https://www.ftc.gov/system/files/documents/cases/160108craigbrittaincmpt.pdf</a>.
---------------------------------------------------------------------------

    <bullet> development and marketing of ``stalkerware'' that 
purchasers surreptitiously installed on others' phones or computers in 
order to monitor them; \92\
---------------------------------------------------------------------------

    \92\ See, e.g., Compl., In re Support King, LLC, F.T.C. File No. 
192-3003 (Dec. 20, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/1923003c4756spyfonecomplaint_0.pdf">https://www.ftc.gov/system/files/documents/cases/1923003c4756spyfonecomplaint_0.pdf</a>; Compl., In re 
Retina-X Studios, LLC, F.T.C. File No. 172-3118 (Mar. 26, 2020), 
<a href="https://www.ftc.gov/system/files/documents/cases/172_3118_retina-x_studios_complaint_0.pdf">https://www.ftc.gov/system/files/documents/cases/172_3118_retina-x_studios_complaint_0.pdf</a>; Compl. for Permanent Injunction and Other 
Equitable Relief, FTC v. CyberSpy Software, LLC., No. 6:08-cv-01872 
(M.D. Fla. filed Nov. 5, 2008), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2008/11/081105cyberspycmplt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2008/11/081105cyberspycmplt.pdf</a>.

---------------------------------------------------------------------------

[[Page 51279]]

    <bullet> retroactive application of material privacy policy changes 
to personal information that businesses previously collected from 
users; \93\
---------------------------------------------------------------------------

    \93\ See, e.g., Compl., In re Facebook, Inc., F.T.C. File No. 
092-3184 (July 27, 2012), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookcmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookcmpt.pdf</a>; Compl., In re 
Gateway Learning Corp., F.T.C. File No. 042-3047 (Sept. 10, 2004), 
<a href="https://www.ftc.gov/sites/default/files/documents/cases/2004/09/040917comp0423047.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2004/09/040917comp0423047.pdf</a>.
---------------------------------------------------------------------------

    <bullet> distribution of software that caused or was likely to 
cause consumers to unwittingly share their files publicly; \94\
---------------------------------------------------------------------------

    \94\ See, e.g., Compl. for Permanent Injunction and Other 
Equitable Relief, FTC v. FrostWire LLC, No. 1:11-cv-23643 (S.D. Fla. 
filed Oct. 7, 2011), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2011/10/111011frostwirecmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2011/10/111011frostwirecmpt.pdf</a>.
---------------------------------------------------------------------------

    <bullet> surreptitious activation of webcams in leased computers 
placed in consumers' homes; \95\
---------------------------------------------------------------------------

    \95\ See, e.g., Compl., In re DesignerWare, LLC, F.T.C. File No. 
112-3151 (Apr. 11, 2013), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2013/04/130415designerwarecmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2013/04/130415designerwarecmpt.pdf</a>; Compl., In re 
Aaron's, Inc., F.T.C. File No. 122-3264 (Mar. 10, 2014), <a href="https://www.ftc.gov/system/files/documents/cases/140311aaronscmpt.pdf">https://www.ftc.gov/system/files/documents/cases/140311aaronscmpt.pdf</a>.
---------------------------------------------------------------------------

    <bullet> sale of sensitive data such as Social Security numbers to 
third parties who did not have a legitimate business need for the 
information,\96\ including known fraudsters; \97\
---------------------------------------------------------------------------

    \96\ See, e.g., Compl. for Permanent Injunction and Other 
Equitable Relief, FTC v. Blue Global & Christopher Kay, 2:17-cv-
02117 (D. Ariz. filed July 3, 2017), <a href="https://www.ftc.gov/system/files/documents/cases/ftc_v_blue_global_de01.pdf">https://www.ftc.gov/system/files/documents/cases/ftc_v_blue_global_de01.pdf</a>.
    \97\ See, e.g., Compl. for Permanent Injunction and Other 
Equitable Relief, FTC v. Sequoia One, LLC, Case No. 2:15-cv-01512 
(D. Nev. filed Aug. 7, 2015), <a href="https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf">https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf</a>; Compl. for Permanent 
Injunction and Other Equitable Relief, FTC v. Sitesearch Corp., No. 
CV-14-02750-PHX-NVW (D. Ariz. filed Dec. 22, 2014), <a href="https://www.ftc.gov/system/files/documents/cases/141223leaplabcmpt.pdf">https://www.ftc.gov/system/files/documents/cases/141223leaplabcmpt.pdf</a>.
---------------------------------------------------------------------------

    <bullet> collection and sharing of sensitive television-viewing 
information to target advertising contrary to reasonable expectations; 
\98\
---------------------------------------------------------------------------

    \98\ See, e.g., Compl. for Permanent Injunction and Other 
Equitable and Monetary Relief, FTC v. Vizio, Inc., No. 2:17-cv-00758 
(D.N.J. filed Feb. 6, 2017), <a href="https://www.ftc.gov/system/files/documents/cases/170206_vizio_2017.02.06_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/170206_vizio_2017.02.06_complaint.pdf</a>.
---------------------------------------------------------------------------

    <bullet> collection of phone numbers and email addresses to improve 
social media account security, but then deceptively using that data to 
allow companies to target advertisements in violation of an existing 
consent order; \99\
---------------------------------------------------------------------------

    \99\ See, e.g., Compl. for Civil Penalties, Permanent 
Injunction, Monetary Relief, and other Equitable Relief, United 
States v. Twitter, Inc., Case No. 3:22-cv-3070 (N.D. Cal. filed May 
25, 2022), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/2023062TwitterFiledComplaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/2023062TwitterFiledComplaint.pdf</a>.
---------------------------------------------------------------------------

    <bullet> failure to implement reasonable measures to protect 
consumers' personal information,\100\ including Social Security numbers 
and answers to password reset questions,\101\ and later covering up an 
ensuing breach; \102\ and
---------------------------------------------------------------------------

    \100\ See, e.g., Compl., In re InfoTrax Sys., L.C., F.T.C. File 
No. 162-3130 (Dec. 30, 2019), <a href="https://www.ftc.gov/system/files/documents/cases/c-4696_162_3130_infotrax_complaint_clean.pdf">https://www.ftc.gov/system/files/documents/cases/c-4696_162_3130_infotrax_complaint_clean.pdf</a>; Compl. 
for Permanent Injunction & Other Relief, FTC v. Equifax, Inc., No. 
1:19-mi-99999-UNA (N.D. Ga. filed July 22, 2019), <a href="https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_complaint_7-22-19.pdf">https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_complaint_7-22-19.pdf</a>; First Amended Compl. for 
Injunctive and Other Relief, FTC v. Wyndham Worldwide Corp., No. 
2:12-01365 (D. Ariz. filed Aug. 9, 2012), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120809wyndhamcmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120809wyndhamcmpt.pdf</a>.
    \101\ See, e.g., Compl., In re Residual Pumpkin Entity, LLC, 
F.T.C. File No. 1923209 (June 23, 2022), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/1923209CafePressComplaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/1923209CafePressComplaint.pdf</a>.
    \102\ Id.
---------------------------------------------------------------------------

    <bullet> misrepresentations of the safeguards employed to protect 
data.\103\
---------------------------------------------------------------------------

    \103\ See, e.g., Compl., In re MoviePass, Inc., F.T.C. File No. 
192-3000 (Oct. 1, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/1923000_-_moviepass_complaint_final.pdf">https://www.ftc.gov/system/files/documents/cases/1923000_-_moviepass_complaint_final.pdf</a>; Compl., In re SkyMed 
Int'l, Inc., F.T.C. File No. 192-3140 (Jan. 26, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_complaint.pdf</a>; Compl., In re HTC Am., Inc., F.T.C. 
File No. 122-3049 (June 25, 2013), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2013/07/130702htccmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2013/07/130702htccmpt.pdf</a>.
---------------------------------------------------------------------------

    This is just a sample of the Commission's enforcement work in data 
privacy and security.\104\
---------------------------------------------------------------------------

    \104\ See also, e.g., Compl., In re Turn Inc., F.T.C. File No. 
152-3099 (Apr. 6, 2017) (alleging that Respondent deceptively 
tracked consumers online and through their mobile applications for 
advertising purposes even after consumers took steps to opt out of 
such tracking), <a href="https://www.ftc.gov/system/files/documents/cases/152_3099_c4612_turn_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/152_3099_c4612_turn_complaint.pdf</a>; Compl., In re Epic Marketplace, 
Inc., F.T.C. File No. 112-3182 (Mar. 13, 2013) (alleging the 
Respondents deceptively collected for advertising purposes 
information about consumers' interest in sensitive medical and 
financial and other issues), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2013/03/130315epicmarketplacecmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2013/03/130315epicmarketplacecmpt.pdf</a>; Compl., 
In re ScanScout, Inc., F.T.C. File No. 102-3185 (Dec. 14, 2011) 
(alleging that Respondent deceptively used flash cookies to collect 
for advertising purposes the data of consumers who changed their web 
browser settings to block cookies), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2011/12/111221scanscoutcmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2011/12/111221scanscoutcmpt.pdf</a>; 
Compl., In re Chitika, Inc., F.T.C. File No. 102-3087 (June 7, 2011) 
(alleging that Respondent deceptively tracked consumers online for 
advertising purposes even after they opted out of online tracking on 
Respondent's website), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2011/06/110617chitikacmpt.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2011/06/110617chitikacmpt.pdf</a>.
---------------------------------------------------------------------------

    The orders that the Commission has obtained in these actions impose 
a variety of remedies, including prohibiting licensing, marketing, or 
selling of surveillance products,\105\ requiring companies under order 
to implement comprehensive privacy and security programs and obtain 
periodic assessments of those programs by independent third 
parties,\106\ requiring deletion of illegally obtained consumer 
information \107\ or work product derived from that data,\108\ 
requiring companies to provide notice to consumers affected by harmful 
practices that led to the action,\109\ and mandating that companies 
improve the transparency of their data management practices.\110\ The 
Commission may rely on these orders to seek to impose further sanctions 
on firms that repeat their unlawful practices.\111\
---------------------------------------------------------------------------

    \105\ Decision and Order, In re Support King, LLC, F.T.C. File 
No. 192-3003 (Dec. 20, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/1923003c4756spyfoneorder.pdf">https://www.ftc.gov/system/files/documents/cases/1923003c4756spyfoneorder.pdf</a>.
    \106\ See, e.g., Decision and Order, In re Zoom Video Commc'ns, 
Inc., F.T.C. File No. 192-3167 (Jan. 19, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/1923167_c-4731_zoom_final_order.pdf">https://www.ftc.gov/system/files/documents/cases/1923167_c-4731_zoom_final_order.pdf</a>; 
Decision and Order, In re Tapplock, F.T.C. File No. 192-3011 (May 
18, 2020), <a href="https://www.ftc.gov/system/files/documents/cases/1923011c4718tapplockorder.pdf">https://www.ftc.gov/system/files/documents/cases/1923011c4718tapplockorder.pdf</a>; Decision and Order, In re Uber 
Techs., Inc., F.T.C. File No. 152-3054 (Oct. 25, 2018), <a href="https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_uber_technologies_revised_decision_and_order.pdf">https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_uber_technologies_revised_decision_and_order.pdf</a>.
    \107\ Decision and Order, In re Retina-X Studios, F.T.C. File 
No. 172-3118 (Mar. 26, 2020), <a href="https://www.ftc.gov/system/files/documents/cases/1723118retinaxorder_0.pdf">https://www.ftc.gov/system/files/documents/cases/1723118retinaxorder_0.pdf</a>; Decision and Order, In re 
PaymentsMD, LLC, F.T.C. File No. 132-3088 (Jan. 27, 2015), <a href="https://www.ftc.gov/system/files/documents/cases/150206paymentsmddo.pdf">https://www.ftc.gov/system/files/documents/cases/150206paymentsmddo.pdf</a>.
    \108\ See, e.g., Decision and Order, In re Everalbum, Inc., 
F.T.C. File No. 192-3172 (May 6, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/1923172_-_everalbum_decision_final.pdf">https://www.ftc.gov/system/files/documents/cases/1923172_-_everalbum_decision_final.pdf</a>; Final 
Order, In re Cambridge Analytica, LLC, F.T.C. File No. 182-3107 
(Nov. 25, 2019), <a href="https://www.ftc.gov/system/files/documents/cases/d09389_comm_final_orderpublic.pdf">https://www.ftc.gov/system/files/documents/cases/d09389_comm_final_orderpublic.pdf</a>. See generally Slaughter 
Algorithms Paper, 23 Yale J. L. & Tech. at 38-41 (discussing 
algorithmic disgorgement).
    \109\ See, e.g., Decision and Order, In re Flo Health, Inc., 
F.T.C. File No. 192-3133 (June 17, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf">https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf</a>.
    \110\ See, e.g., Decision and Order, In re Everalbum, Inc., 
F.T.C. File No. 192-3172 (May 6, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/1923172_-_everalbum_decision_final.pdf">https://www.ftc.gov/system/files/documents/cases/1923172_-_everalbum_decision_final.pdf</a>.
    \111\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Charges 
Twitter with Deceptively Using Account Security Data to Sell 
Targeted Ads (May 25, 2022), <a href="https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads">https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads</a>; Press Release, Fed. Trade 
Comm'n, FTC Imposes $5 Billion Penalty and Sweeping New Privacy 
Restrictions on Facebook (July 24, 2019), <a href="https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions">https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions</a>; Press Release, Fed. Trade Comm'n, 
LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it 
Violated 2010 Order (Dec. 17, 2015), <a href="https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated">https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated</a>; Press Release, Fed. Trade Comm'n, 
Google Will Pay $22.5 Million to Settle FTC Charges it 
Misrepresented Privacy Assurances to Users of Apple's Safari 
Internet Browser (Aug. 9, 2012), <a href="https://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented">https://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented</a>; Press Release, Fed. Trade Comm'n, 
Consumer Data Broker ChoicePoint Failed to Protect Consumers' 
Personal Data, Left Key Electronic Monitoring Tool Turned Off for 
Four Months (Oct. 19, 2009), <a href="https://www.ftc.gov/news-events/press-releases/2009/10/consumer-data-broker-choicepoint-failed-protect-consumers">https://www.ftc.gov/news-events/press-releases/2009/10/consumer-data-broker-choicepoint-failed-protect-consumers</a>.

---------------------------------------------------------------------------

[[Page 51280]]

    The Commission has also engaged in broader policy work concerning 
data privacy and security. For example, it has promulgated rules 
pursuant to the sector-specific statutes enumerated above.\112\ It also 
has published reports and closely monitored existing and emergent 
practices, including data brokers' activities,\113\ ``dark patterns,'' 
\114\ facial recognition,\115\ Internet of Things,\116\ big data,\117\ 
cross-device tracking,\118\ and mobile privacy disclosures.\119\ The 
Commission, furthermore, has invoked its authority under Section 6(b) 
to require companies to prepare written reports or answer specific 
questions about their commercial practices.\120\
---------------------------------------------------------------------------

    \112\ See, e.g., 16 CFR part 312 (COPPA Rule); 16 CFR part 314 
(GLBA Safeguards Rule). The Commission recently updated the GLBA 
rules. See Press Release, Fed. Trade Comm'n, FTC Strengthens 
Security Safeguards for Consumer Financial Information Following 
Widespread Data Breaches (Oct. 27, 2021), <a href="https://www.ftc.gov/news-events/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial">https://www.ftc.gov/news-events/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial</a>.
    \113\ See, e.g., Fed. Trade Comm'n, Data Brokers: A Call for 
Transparency and Accountability (May 2014), <a href="https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf">https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf</a>.
    \114\ See Fed. Trade Comm'n, Bringing Dark Patterns to Light: An 
FTC Workshop (Apr. 29, 2021), <a href="https://www.ftc.gov/news-events/events-calendar/bringing-dark-patterns-light-ftc-workshop">https://www.ftc.gov/news-events/events-calendar/bringing-dark-patterns-light-ftc-workshop</a>. See also 
Press Release, Fed. Trade Comm'n, FTC to Ramp up Enforcement against 
Illegal Dark Patterns that Trick or Trap Consumers into 
Subscriptions (Oct. 28, 2021), <a href="https://www.ftc.gov/news-events/press-releases/2021/10/ftc-ramp-enforcement-against-illegal-dark-patterns-trick-or-trap">https://www.ftc.gov/news-events/press-releases/2021/10/ftc-ramp-enforcement-against-illegal-dark-patterns-trick-or-trap</a>. The Commission's recent policy statement on 
``negative option marketing,'' moreover, takes up overlapping 
concerns about the ways in which companies dupe consumers into 
purchasing products or subscriptions by using terms or conditions 
that enable sellers to interpret a consumer's failure to assertively 
reject the service or cancel the agreement as consent. See Fed. 
Trade Comm'n, Enforcement Policy Statement Regarding Negative Option 
Marketing (Oct. 28, 2021), <a href="https://www.ftc.gov/public-statements/2021/10/enforcement-policy-statement-regarding-negative-option-marketing">https://www.ftc.gov/public-statements/2021/10/enforcement-policy-statement-regarding-negative-option-marketing</a>. Those practices do not always entail the collection and 
use of consumer data, and do not always count as ``commercial 
surveillance'' as we mean the term in this ANPR.
    \115\ See Fed. Trade Comm'n, Facing Facts: Best Practices for 
Common Uses of Facial Recognition Technologies (Oct. 2012), <a href="https://www.ftc.gov/sites/default/files/documents/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies/121022facialtechrpt.pdf">https://www.ftc.gov/sites/default/files/documents/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies/121022facialtechrpt.pdf</a>.
    \116\ See Fed. Trade Comm'n, Internet of Things: Privacy & 
Security in a Connected World (Jan. 2015), <a href="https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf">https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</a>.
    \117\ See Fed. Trade Comm'n, Big Data: A Tool for Inclusion or 
Exclusion? (Jan. 2016), <a href="https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf">https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf</a>.
    \118\ See Fed. Trade Comm'n, Cross-Device Tracking: An FTC Staff 
Report (Jan. 2017), <a href="https://www.ftc.gov/system/files/documents/reports/cross-device-tracking-federal-trade-commission-staff-report-january-2017/ftc_cross-device_tracking_report_1-23-17.pdf">https://www.ftc.gov/system/files/documents/reports/cross-device-tracking-federal-trade-commission-staff-report-january-2017/ftc_cross-device_tracking_report_1-23-17.pdf</a>.
    \119\ See Fed. Trade Comm'n, Mobile Privacy Disclosures: 
Building Trust Through Transparency: FTC Staff Report (Feb. 2013), 
<a href="https://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf">https://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf</a>.
    \120\ See 15 U.S.C. 46(b). The Commission's recent report on 
broadband service providers is an example. Press Release, Fed. Trade 
Comm'n, FTC Staff Report Finds Many Internet Service Providers 
Collect Troves of Personal Data, Users Have Few Options to Restrict 
Use (Oct. 21, 2021), <a href="https://www.ftc.gov/news-events/press-releases/2021/10/ftc-staff-report-finds-many-internet-service-providers-collect">https://www.ftc.gov/news-events/press-releases/2021/10/ftc-staff-report-finds-many-internet-service-providers-collect</a>. The Commission also recently commenced a Section 6(b) 
inquiry into social media companies. See Business Blog, Fed. Trade 
Comm'n, FTC issues 6(b) orders to social media and video streaming 
services (Dec. 14, 2020), <a href="https://www.ftc.gov/news-events/blogs/business-blog/2020/12/ftc-issues-6b-orders-social-media-video-streaming-services">https://www.ftc.gov/news-events/blogs/business-blog/2020/12/ftc-issues-6b-orders-social-media-video-streaming-services</a>. Past Section 6(b) inquiries related to data 
privacy or security issues include those involving mobile security 
updates and the practices of data brokers. See Press Release, FTC 
Recommends Steps to Improve Mobile Device Security Update Practices 
(Feb. 28, 2018), <a href="https://www.ftc.gov/news-events/press-releases/2018/02/ftc-recommends-steps-improve-mobile-device-security-update">https://www.ftc.gov/news-events/press-releases/2018/02/ftc-recommends-steps-improve-mobile-device-security-update</a>; 
Press Release, FTC Recommends Congress Require the Data Broker 
Industry to be More Transparent and Give Consumers Greater Control 
Over Their Personal Information (May 27, 2014), <a href="https://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more">https://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more</a>.
---------------------------------------------------------------------------

b. Reasons for Rulemaking

    The Commission's extensive enforcement and policy work over the 
last couple of decades on consumer data privacy and security has raised 
important questions about the prevalence of harmful commercial 
surveillance and lax data security practices. This experience suggests 
that enforcement alone without rulemaking may be insufficient to 
protect consumers from significant harms. First, the FTC Act limits the 
remedies that the Commission may impose in enforcement actions on 
companies for violations of Section 5.\121\ Specifically, the statute 
generally does not allow the Commission to seek civil penalties for 
first-time violations of that provision.\122\ The fact that the 
Commission does not have authority to seek penalties for first-time 
violators may insufficiently deter future law violations. This may put 
firms that are careful to follow the law, including those that 
implement reasonable privacy-protective measures, at a competitive 
disadvantage. New trade regulation rules could, by contrast, set clear 
legal requirements or benchmarks by which to evaluate covered 
companies. They also would incentivize all companies to invest in 
compliance more consistently because, pursuant to the FTC Act, the 
Commission may impose civil penalties for first-time violations of duly 
promulgated trade regulation rules.\123\
---------------------------------------------------------------------------

    \121\ See, e.g., 15 U.S.C. 53, 57b. See also Rohit Chopra & 
Samuel A.A. Levine, The Case for Resurrecting the FTC Act's Penalty 
Offense Authority, 170 U. Pa. L. Rev. 71 (2021) (arguing that the 
Commission should provide whole industries notice of practices that 
the FTC has declared unfair or deceptive in litigated cease-and-
desist orders in order to increase deterrence by creating a basis 
for the Commission to seek civil penalties pursuant to section 
5(m)(1)(B) of the FTC Act against those that engage in such 
practices with knowledge that they are unfair or deceptive).
    \122\ Typically, in order to obtain civil monetary penalties 
under the FTC Act, the Commission must find that a respondent has 
violated a previously entered cease-and-desist order and then must 
bring a subsequent enforcement action for a violation of that order. 
See 15 U.S.C. 45(l).
    \123\ See 15 U.S.C. 45(m).
---------------------------------------------------------------------------

    Second, while the Commission can enjoin conduct that violates 
Section 5, as a matter of law and policy enforcement, such relief may 
be inadequate in the context of commercial surveillance and lax data 
security practices. For instance, after a hacker steals personal 
consumer data from an inadequately secured database, an injunction 
stopping the conduct and requiring the business to take affirmative 
steps to improve its security going forward can help prevent future 
breaches but does not remediate the harm that has already occurred or 
is likely to occur.\124\
---------------------------------------------------------------------------

    \124\ The Supreme Court recently held, in AMG Capital 
Management, LLC v. FTC, 141 S. Ct. 1341 (2021), that Section 13(b) 
of the FTC Act, 15 U.S.C. 53(b), does not allow the FTC to obtain 
equitable monetary relief in federal court for violations of Section 
5. This has left Section 19, 15 U.S.C. 57b--which requires evidence 
of fraudulent or dishonest conduct--as the only avenue for the 
Commission to obtain financial redress for consumers.
---------------------------------------------------------------------------

    Third, even in those instances in which the Commission can obtain 
monetary relief for violations of Section 5, such relief may be 
difficult to apply to some harmful commercial surveillance or lax data 
security practices that may not cause direct financial injury or, in 
any given individual case, do not lend themselves to broadly accepted 
ways of quantifying harm.\125\ This is a problem that is underscored by 
commercial surveillance practices involving automated decision-making 
systems where the harm to any given individual or small group of 
individuals might affect other consumers in ways that are opaque or

[[Page 51281]]

hard to discern in the near term,\126\ but are potentially no less 
unfair or deceptive.
---------------------------------------------------------------------------

    \125\ See generally Danielle Keats Citron & Daniel J. Solove, 
Privacy Harms, 102 B.U. L. Rev. 793 (2022).
    \126\ See generally Alicia Solow-Niederman, Information Privacy 
and the Inference Economy, 117 Nw. U. L. Rev. 1, 27-38 (forthcoming 
2022; cited with permission from author) (currently available at 
<a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3921003">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3921003</a>).
---------------------------------------------------------------------------

    Finally, the Commission's limited resources today can make it 
challenging to investigate and act on the extensive public reporting on 
data security practices that may violate Section 5, especially given 
how digitized and networked all aspects of the economy are becoming. A 
trade regulation rule could provide clarity and predictability about 
the statute's application to existing and emergent commercial 
surveillance and data security practices that, given institutional 
constraints, may be hard to equal or keep up with, case-by-case.\127\
---------------------------------------------------------------------------

    \127\ The Commission is wary of committing now, even 
preliminarily, to any regulatory approach without public comment 
given the reported scope of commercial surveillance practices. The 
FTC Act, however, requires the Commission to identify ``possible 
regulatory alternatives under consideration'' in this ANPR. 15 
U.S.C. 57a(b)(2)(A)(i). Thus, in Item IV below, this ANPR touches on 
a variety of potential regulatory interventions, including, among 
others, restrictions on certain practices in certain industries, 
disclosure, and notice requirements.
---------------------------------------------------------------------------

IV. Questions

    The commercial surveillance and lax data security practices that 
this ANPR describes above are only a sample of what the Commission's 
enforcement actions, news reporting, and published research have 
revealed. Here, in this Item, the Commission invites public comment on 
(a) the nature and prevalence of harmful commercial surveillance and 
lax data security practices, (b) the balance of costs and 
countervailing benefits of such practices for consumers and 
competition, as well as the costs and benefits of any given potential 
trade regulation rule, and (c) proposals for protecting consumers from 
harmful and prevalent commercial surveillance and lax data security 
practices.
    This ANPR does not identify the full scope of potential approaches 
the Commission might ultimately undertake by rule or otherwise. It does 
not delineate a boundary on the issues on which the public may submit 
comments. Nor does it constrain the actions the Commission might pursue 
in an NPRM or final rule. The Commission invites comment on all 
potential rules, including those currently in force in foreign 
jurisdictions, individual U.S. states, and other legal 
jurisdictions.\128\
---------------------------------------------------------------------------

    \128\ The Commission is currently undertaking its regular 
periodic review of current COPPA enforcement and rules. See Fed. 
Trade Comm'n, Request for Public Comment on the Federal Trade 
Commission's Implementation of the Children's Online Privacy 
Protection Rule, 84 FR 35842 (July 25, 2019), <a href="https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online">https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online</a>. Nothing in this ANPR displaces or supersedes 
that proceeding.
---------------------------------------------------------------------------

    Given the significant interest this proceeding is likely to 
generate, and in order to facilitate an efficient review of 
submissions, the Commission encourages but does not require commenters 
to (1) submit a short Executive Summary of no more than three single-
spaced pages at the beginning of all comments, (2) provide supporting 
material, including empirical data, findings, and analysis in published 
reports or studies by established news organizations and research 
institutions, (3) consistent with the questions below, describe the 
relative benefits and costs of their recommended approach, (4) refer to 
the numbered question(s) to which the comment is addressed, and (5) tie 
their recommendations to specific commercial surveillance and lax data 
security practices.

a. To what extent do commercial surveillance practices or lax security 
measures harm consumers?

    This ANPR has alluded to only a fraction of the potential consumer 
harms arising from lax data security or commercial surveillance 
practices, including those concerning physical security, economic 
injury, psychological harm, reputational injury, and unwanted 
intrusion.
    1. Which practices do companies use to surveil consumers?
    2. Which measures do companies use to protect consumer data?
    3. Which of these measures or practices are prevalent? Are some 
practices more prevalent in some sectors than in others?
    4. How, if at all, do these commercial surveillance practices harm 
consumers or increase the risk of harm to consumers?
    5. Are there some harms that consumers may not easily discern or 
identify? Which are they?
    6. Are there some harms that consumers may not easily quantify or 
measure? Which are they?
    7. How should the Commission identify and evaluate these commercial 
surveillance harms or potential harms? On which evidence or measures 
should the Commission rely to substantiate its claims of harm or risk 
of harm?
    8. Which areas or kinds of harm, if any, has the Commission failed 
to address through its enforcement actions?
    9. Has the Commission adequately addressed indirect pecuniary 
harms, including potential physical harms, psychological harms, 
reputational injuries, and unwanted intrusions?
    10. Which kinds of data should be subject to a potential trade 
regulation rule? Should it be limited to, for example, personally 
identifiable data, sensitive data, data about protected categories and 
their proxies, data that is linkable to a device, or non-aggregated 
data? Or should a potential rule be agnostic about kinds of data?
    11. Which, if any, commercial incentives and business models lead 
to lax data security measures or harmful commercial surveillance 
practices? Are some commercial incentives and business models more 
likely to protect consumers than others? On which checks, if any, do 
companies rely to ensure that they do not cause harm to consumers?
    12. Lax data security measures and harmful commercial surveillance 
injure different kinds of consumers (e.g., young people, workers, 
franchisees, small businesses, women, victims of stalking or domestic 
violence, racial minorities, the elderly) in different sectors (e.g., 
health, finance, employment) or in different segments or ``stacks'' of 
the internet economy. For example, harms arising from data security 
breaches in finance or healthcare may be different from those 
concerning discriminatory advertising on social media which may be 
different from those involving education technology. How, if at all, 
should potential new trade regulation rules address harms to different 
consumers across different sectors? Which commercial surveillance 
practices, if any, are unlawful such that new trade regulation rules 
should set out clear limitations or prohibitions on them? To what 
extent, if any, is a comprehensive regulatory approach better than a 
sectoral one for any given harm?

b. To what extent do commercial surveillance practices or lax data 
security measures harm children, including teenagers?

    13. The Commission here invites comment on commercial surveillance 
practices or lax data security measures that affect children, including 
teenagers. Are there practices or measures to which children or 
teenagers are particularly vulnerable or susceptible? For instance, are 
children and teenagers more likely than adults to be manipulated by 
practices designed to

[[Page 51282]]

encourage the sharing of personal information?
    14. What types of commercial surveillance practices involving 
children and teens' data are most concerning? For instance, given the 
reputational harms that teenagers may be characteristically less 
capable of anticipating than adults, to what extent should new trade 
regulation rules provide teenagers with an erasure mechanism in a 
similar way that COPPA provides for children under 13? Which measures 
beyond those required under COPPA would best protect children, 
including teenagers, from harmful commercial surveillance practices?
    15. In what circumstances, if any, is a company's failure to 
provide children and teenagers with privacy protections, such as not 
providing privacy-protective settings by default, an unfair practice, 
even if the site or service is not targeted to minors? For example, 
should services that collect information from large numbers of children 
be required to provide them enhanced privacy protections regardless of 
whether the services are directed to them? Should services that do not 
target children and teenagers be required to take steps to determine 
the age of their users and provide additional protections for minors?
    16. Which sites or services, if any, implement child-protective 
measures or settings even if they do not direct their content to 
children and teenagers?
    17. Do techniques that manipulate consumers into prolonging online 
activity (e.g., video autoplay, infinite or endless scroll, quantified 
public popularity) facilitate commercial surveillance of children and 
teenagers? If so, how? In which circumstances, if any, is a company's 
use of those techniques on children and teenagers an unfair practice? 
For example, is it an unfair or deceptive practice when a company uses 
these techniques despite evidence or research linking them to clinical 
depression, anxiety, eating disorders, or suicidal ideation among 
children and teenagers?
    18. To what extent should trade regulation rules distinguish 
between different age groups among children (e.g., 13 to 15, 16 to 17, 
etc.)?
    19. Given the lack of clarity about the workings of commercial 
surveillance behind the screen or display, is parental consent an 
efficacious way of ensuring child online privacy? Which other 
protections or mechanisms, if any, should the Commission consider?
    20. How extensive is the business-to-business market for children 
and teens' data? In this vein, should new trade regulation rules set 
out clear limits on transferring, sharing, or monetizing children and 
teens' personal information?
    21. Should companies limit their uses of the information that they 
collect to the specific services for which children and teenagers or 
their parents sign up? Should new rules set out clear limits on 
personalized advertising to children and teenagers irrespective of 
parental consent? If so, on what basis? What harms stem from 
personalized advertising to children? What, if any, are the prevalent 
unfair or deceptive practices that result from personalized advertising 
to children and teenagers?
    22. Should new rules impose differing obligations to protect 
information collected from children depending on the risks of the 
particular collection practices?
    23. How would potential rules that block or otherwise help to stem 
the spread of child sexual abuse material, including content-matching 
techniques, otherwise affect consumer privacy?

c. How should the Commission balance costs and benefits?

    24. The Commission invites comment on the relative costs and 
benefits of any current practice, as well as those for any responsive 
regulation. How should the Commission engage in this balancing in the 
context of commercial surveillance and data security? Which variables 
or outcomes should it consider in such an accounting? Which variables 
or outcomes are salient but hard to quantify as a material cost or 
benefit? How should the Commission ensure adequate weight is given to 
costs and benefits that are hard to quantify?
    25. What is the right time horizon for evaluating the relative 
costs and benefits of existing or emergent commercial surveillance and 
data security practices? What is the right time horizon for evaluating 
the relative benefits and costs of regulation?
    26. To what extent would any given new trade regulation rule on 
data security or commercial surveillance impede or enhance innovation? 
To what extent would such rules enhance or impede the development of 
certain kinds of products, services, and applications over others?
    27. Would any given new trade regulation rule on data security or 
commercial surveillance impede or enhance competition? Would any given 
rule entrench the potential dominance of one company or set of 
companies in ways that impede competition? If so, how and to what 
extent?
    28. Should the analysis of cost and benefits differ in the context 
of information about children? If so, how?
    29. What are the benefits or costs of refraining from promulgating 
new rules on commercial surveillance or data security?

d. How, if at all, should the Commission regulate harmful commercial 
surveillance or data security practices that are prevalent?

i. Rulemaking Generally
    30. Should the Commission pursue a Section 18 rulemaking on 
commercial surveillance and data security? To what extent are existing 
legal authorities and extralegal measures, including self-regulation, 
sufficient? To what extent, if at all, are self-regulatory principles 
effective?
ii. Data Security
    31. Should the Commission commence a Section 18 rulemaking on data 
security? The Commission specifically seeks comment on how potential 
new trade regulation rules could require or help incentivize reasonable 
data security.
    32. Should, for example, new rules require businesses to implement 
administrative, technical, and physical data security measures, 
including encryption techniques, to protect against risks to the 
security, confidentiality, or integrity of covered data? If so, which 
measures? How granular should such measures be? Is there evidence of 
any impediments to implementing such measures?
    33. Should new rules codify the prohibition on deceptive claims 
about consumer data security, accordingly authorizing the Commission to 
seek civil penalties for first-time violations?
    34. Do the data security requirements under COPPA or the GLBA 
Safeguards Rule offer any constructive guidance for a more general 
trade regulation rule on data security across sectors or in other 
specific sectors?
    35. Should the Commission take into account other laws at the state 
and federal level (e.g., COPPA) that already include data security 
requirements? If so, how? Should the Commission take into account other 
governments' requirements as to data security (e.g., GDPR)? If so, how?
    36. To what extent, if at all, should the Commission require firms 
to certify that their data practices meet clear security standards? If 
so, who should set those standards, the FTC or a third-party entity?

[[Page 51283]]

iii. Collection, Use, Retention, and Transfer of Consumer Data
    37. How do companies collect consumers' biometric information? What 
kinds of biometric information do companies collect? For what purposes 
do they collect and use it? Are consumers typically aware of that 
collection and use? What are the benefits and harms of these practices?
    38. Should the Commission consider limiting commercial surveillance 
practices that use or facilitate the use of facial recognition, 
fingerprinting, or other biometric technologies? If so, how?
    39. To what extent, if at all, should the Commission limit 
companies that provide any specifically enumerated services (e.g., 
finance, healthcare, search, or social media) from owning or operating 
a business that engages in any specific commercial surveillance 
practices like personalized or targeted advertising? If so, how? What 
would the relative costs and benefits of such a rule be, given that 
consumers generally pay zero dollars for services that are financed 
through advertising?
    40. How accurate are the metrics on which internet companies rely 
to justify the rates that they charge to third-party advertisers? To 
what extent, if at all, should new rules limit targeted advertising and 
other commercial surveillance practices beyond the limitations already 
imposed by civil rights laws? If so, how? To what extent would such 
rules harm consumers, burden companies, stifle innovation or 
competition, or chill the distribution of lawful content?
    41. To what alternative advertising practices, if any, would 
companies turn in the event new rules somehow limit first- or third-
party targeting?
    42. How cost-effective is contextual advertising as compared to 
targeted advertising?
    43. To what extent, if at all, should new trade regulation rules 
impose limitations on companies' collection, use, and retention of 
consumer data? Should they, for example, institute data minimization 
requirements or purpose limitations, i.e., limit companies from 
collecting, retaining, using, or transferring consumer data beyond a 
certain predefined point? Or, similarly, should they require companies 
to collect, retain, use, or transfer consumer data only to the extent 
necessary to deliver the specific service that a given individual 
consumer explicitly seeks or those that are compatible with that 
specific service? If so, how? How should it determine or define which 
uses are compatible? How, moreover, could the Commission discern which 
data are relevant to achieving certain purposes and no more?
    44. By contrast, should new trade regulation rules restrict the 
period of time that companies collect or retain consumer data, 
irrespective of the different purposes to which they put that data? If 
so, how should such rules define the relevant period?
    45. Pursuant to a purpose limitation rule, how, if at all, should 
the Commission discern whether data that consumers give for one purpose 
has been only used for that specified purpose? To what extent, 
moreover, should the Commission permit use of consumer data that is 
compatible with, but distinct from, the purpose for which consumers 
explicitly give their data?
    46. Or should new rules impose data minimization or purpose 
limitations only for certain designated practices or services? Should, 
for example, the Commission impose limits on data use for essential 
services such as finance, healthcare, or search--that is, should it 
restrict companies that provide these services from using, retaining, 
or transferring consumer data for any other service or commercial 
endeavor? If so, how?
    47. To what extent would data minimization requirements or purpose 
limitations protect consumer data security?
    48. To what extent would data minimization requirements or purpose 
limitations unduly hamper algorithmic decision-making or other 
algorithmic learning-based processes or techniques? To what extent 
would the benefits of a data minimization or purpose limitation rule be 
out of proportion to the potential harms to consumers and companies of 
such a rule?
    49. How administrable are data minimization requirements or purpose 
limitations given the scale of commercial surveillance practices, 
information asymmetries, and the institutional resources such rules 
would require the Commission to deploy to ensure compliance? What do 
other jurisdictions have to teach about their relative effectiveness?
    50. What would be the effect of data minimization or purpose 
limitations on consumers' ability to access services or content for 
which they are not currently charged out of pocket? Conversely, which 
costs, if any, would consumers bear if the Commission does not impose 
any such restrictions?
    51. To what extent, if at all, should the Commission require firms 
to certify that their commercial surveillance practices meet clear 
standards concerning collection, use, retention, transfer, or 
monetization of consumer data? If promulgated, who should set those 
standards: the FTC, a third-party organization, or some other entity?
    52. To what extent, if at all, do firms that now, by default, 
enable consumers to block other firms' use of cookies and other 
persistent identifiers impede competition? To what extent do such 
measures protect consumer privacy, if at all? Should new trade 
regulation rules forbid the practice by, for example, requiring a form 
of interoperability or access to consumer data? Or should they permit 
or incentivize companies to limit other firms' access to their 
consumers' data? How would such rules interact with general concerns 
and potential remedies discussed elsewhere in this ANPR?
iv. Automated Decision-Making Systems
    53. How prevalent is algorithmic error? To what extent is 
algorithmic error inevitable? If it is inevitable, what are the 
benefits and costs of allowing companies to employ automated decision-
making systems in critical areas, such as housing, credit, and 
employment? To what extent can companies mitigate algorithmic error in 
the absence of new trade regulation rules?
    54. What are the best ways to measure algorithmic error? Is it more 
pronounced or happening with more frequency in some sectors than 
others?
    55. Does the weight that companies give to the outputs of automated 
decision-making systems overstate their reliability? If so, does that 
have the potential to lead to greater consumer harm when there are 
algorithmic errors?
    56. To what extent, if at all, should new rules require companies 
to take specific steps to prevent algorithmic errors? If so, which 
steps? To what extent, if at all, should the Commission require firms 
to evaluate and certify that their reliance on automated decision-
making meets clear standards concerning accuracy, validity, 
reliability, or error? If so, how? Who should set those standards, the 
FTC or a third-party entity? Or should new rules require businesses to 
evaluate and certify that the accuracy, validity, or reliability of 
their commercial surveillance practices are in accordance with their 
own published business policies?
    57. To what extent, if at all, do consumers benefit from automated 
decision-making systems? Who is most likely to benefit? Who is most 
likely to be harmed or disadvantaged? To what extent do such practices 
violate Section 5 of the FTC Act?

[[Page 51284]]

    58. Could new rules help ensure that firms' automated decision-
making practices better protect non-English speaking communities from 
fraud and abusive data practices? If so, how?
    59. If new rules restrict certain automated decision-making 
practices, which alternatives, if any, would take their place? Would 
these alternative techniques be less prone to error than the automated 
decision-making they replace?
    60. To what extent, if at all, should new rules forbid or limit the 
development, design, and use of automated decision-making systems that 
generate or otherwise facilitate outcomes that violate Section 5 of the 
FTC Act? Should such rules apply economy-wide or only in some sectors? 
If the latter, which ones? Should these rules be structured differently 
depending on the sector? If so, how?
    61. What would be the effect of restrictions on automated decision-
making in product access, product features, product quality, or 
pricing? To what alternative forms of pricing would companies turn, if 
any?
    62. Which, if any, legal theories would support limits on the use 
of automated systems in targeted advertising given potential 
constitutional or other legal challenges?
    63. To what extent, if at all, does the First Amendment bar or not 
bar the Commission from promulgating or enforcing rules concerning the 
ways in which companies personalize services or deliver targeted 
advertisements?
    64. To what extent, if at all, does Section 230 of the 
Communications Act, 47 U.S.C. 230, bar the Commission from promulgating 
or enforcing rules concerning the ways in which companies use automated 
decision-making systems to, among other things, personalize services or 
deliver targeted advertisements?
v. Discrimination Based on Protected Categories
    65. How prevalent is algorithmic discrimination based on protected 
categories such as race, sex, and age? Is such discrimination more 
pronounced in some sectors than others? If so, which ones?
    66. How should the Commission evaluate or measure algorithmic 
discrimination? How does algorithmic discrimination affect consumers, 
directly and indirectly? To what extent, if at all, does algorithmic 
discrimination stifle innovation or competition?
    67. How should the Commission address such algorithmic 
discrimination? Should it consider new trade regulation rules that bar 
or somehow limit the deployment of any system that produces 
discrimination, irrespective of the data or processes on which those 
outcomes are based? If so, which standards should the Commission use to 
measure or evaluate disparate outcomes? How should the Commission 
analyze discrimination based on proxies for protected categories? How 
should the Commission analyze discrimination when more than one 
protected category is implicated (e.g., pregnant veteran or Black 
woman)?
    68. Should the Commission focus on harms based on protected 
classes? Should the Commission consider harms to other underserved 
groups that current law does not recognize as protected from 
discrimination (e.g., unhoused people or residents of rural 
communities)?
    69. Should the Commission consider new rules on algorithmic 
discrimination in areas where Congress has already explicitly 
legislated, such as housing, employment, labor, and consumer finance? 
Or should the Commission consider such rules addressing all sectors?
    70. How, if at all, would restrictions on discrimination by 
automated decision-making systems based on protected categories affect 
all consumers?
    71. To what extent, if at all, may the Commission rely on its 
unfairness authority under Section 5 to promulgate antidiscrimination 
rules? Should it? How, if at all, should antidiscrimination doctrine in 
other sectors or federal statutes relate to new rules?
    72. How can the Commission's expertise and authorities complement 
those of other civil rights agencies? How might a new rule ensure space 
for interagency collaboration?
vi. Consumer Consent
    73. The Commission invites comment on the effectiveness and 
administrability of consumer consent to companies' commercial 
surveillance and data security practices. Given the reported scale, 
opacity, and pervasiveness of existing commercial surveillance today, 
to what extent is consumer consent an effective way of evaluating 
whether a practice is unfair or deceptive? How should the Commission 
evaluate its effectiveness?
    74. In which circumstances, if any, is consumer consent likely to 
be effective? Which factors, if any, determine whether consumer consent 
is effective?
    75. To what extent does current law prohibit commercial 
surveillance practices, irrespective of whether consumers consent to 
them?
    76. To what extent should new trade regulation rules prohibit 
certain specific commercial surveillance practices, irrespective of 
whether consumers consent to them?
    77. To what extent should new trade regulation rules require firms 
to give consumers the choice of whether to be subject to commercial 
surveillance? To what extent should new trade regulation rules give 
consumers the choice of withdrawing their duly given prior consent? How 
demonstrable or substantial must consumer consent be if it is to remain 
a useful way of evaluating whether a commercial surveillance practice 
is unfair or deceptive? How should the Commission evaluate whether 
consumer consent is meaningful enough?
    78. What would be the effects on consumers of a rule that required 
firms to give consumers the choice of being subject to commercial 
surveillance or withdrawing that consent? When or how often should any 
given company offer consumers the choice? And for which practices 
should companies provide these options, if not all?
    79. Should the Commission require different consent standards for 
different consumer groups (e.g., parents of teenagers (as opposed to 
parents of pre-teens), elderly individuals, individuals in crisis or 
otherwise especially vulnerable to deception)?
    80. Have opt-out choices proved effective in protecting against 
commercial surveillance? If so, how and in what contexts?
    81. Should new trade regulation rules require companies to give 
consumers the choice of opting out of all or certain limited commercial 
surveillance practices? If so, for which practices or purposes should 
the provision of an opt-out choice be required? For example, to what 
extent should new rules require that consumers have the choice of 
opting out of all personalized or targeted advertising?
    82. How, if at all, should the Commission require companies to 
recognize or abide by each consumer's respective choice about opting 
out of commercial surveillance practices--whether it be for all 
commercial surveillance practices or just some? How would any such rule 
affect consumers, given that they do not all have the same preference 
for the amount or kinds of personal information that they share?
vii. Notice, Transparency, and Disclosure
    83. To what extent should the Commission consider rules that 
require companies to make information

[[Page 51285]]

available about their commercial surveillance practices? What kinds of 
information should new trade regulation rules require companies to make 
available and in what form?
    84. In which contexts are transparency or disclosure requirements 
effective? In which contexts are they less effective?
    85. Which, if any, mechanisms should the Commission use to require 
or incentivize companies to be forthcoming? Which, if any, mechanisms 
should the Commission use to verify the sufficiency, accuracy, or 
authenticity of the information that companies provide?

a. What are the mechanisms for opacity?

    86. The Commission invites comment on the nature of the opacity of 
different forms of commercial surveillance practices. On which 
technological or legal mechanisms do companies rely to shield their 
commercial surveillance practices from public scrutiny? Intellectual 
property protections, including trade secrets, for example, limit the 
involuntary public disclosure of the assets on which companies rely to 
deliver products, services, content, or advertisements. How should the 
Commission address, if at all, these potential limitations?

b. Who should administer notice or disclosure requirements?

    87. To what extent should the Commission rely on third-party 
intermediaries (e.g., government officials, journalists, academics, or 
auditors) to help facilitate new disclosure rules?
    88. To what extent, moreover, should the Commission consider the 
proprietary or competitive interests of covered companies in deciding 
what role such third-party auditors or researchers should play in 
administering disclosure requirements?

c. What should companies provide notice of or disclose?

    89. To what extent should trade regulation rules, if at all, 
require companies to explain (1) the data they use, (2) how they 
collect, retain, disclose, or transfer that data, (3) how they choose 
to implement any given automated decision-making system or process to 
analyze or process the data, including the consideration of alternative 
methods, (4) how they process or use that data to reach a decision, (5) 
whether they rely on a third-party vendor to make such decisions, (6) 
the impacts of their commercial surveillance practices, including 
disparities or other distributional outcomes among consumers, and (7) 
risk mitigation measures to address potential consumer harms?
    90. Disclosures such as these might not be comprehensible to many 
audiences. Should new rules, if promulgated, require plain-spoken 
explanations? How effective could such explanations be, no matter how 
plain? To what extent, if at all, should new rules detail such 
requirements?
    91. Disclosure requirements could vary depending on the nature of 
the service or potential for harm. A potential new trade regulation 
rule could, for example, require different kinds of disclosure tools 
depending on the nature of the data or practices at issue (e.g., 
collection, retention, or transfer) or the sector (e.g., consumer 
credit, housing, or work). Or the agency could impose transparency 
measures that require in-depth accounting (e.g., impact assessments) or 
evaluation against externally developed standards (e.g., third-party 
auditing). How, if at all, should the Commission implement and enforce 
such rules?
    92. To what extent should the Commission, if at all, make regular 
self-reporting, third-party audits or assessments, or self-administered 
impact assessments about commercial surveillance practices a standing 
obligation? How frequently, if at all, should the Commission require 
companies to disclose such materials publicly? If it is not a standing 
obligation, what should trigger the publication of such materials?
    93. To what extent do companies have the capacity to provide any of 
the above information? Given the potential cost of such disclosure 
requirements, should trade regulation rules exempt certain companies 
due to their size or the nature of the consumer data at issue?
viii. Remedies
    94. How should the FTC's authority to implement remedies under the 
Act determine the form or substance of any potential new trade 
regulation rules on commercial surveillance? Should new rules enumerate 
specific forms of relief or damages that are not explicit in the FTC 
Act but that are within the Commission's authority? For example, should 
a potential new trade regulation rule on commercial surveillance 
explicitly identify algorithmic disgorgement, a remedy that forbids 
companies from profiting from unlawful practices related to their use 
of automated systems, as a potential remedy? Which, if any, other 
remedial tools should new trade regulation rules on commercial 
surveillance explicitly identify? Is there a limit to the Commission's 
authority to implement remedies by regulation?
ix. Obsolescence
    95. The Commission is alert to the potential obsolescence of any 
rulemaking. As important as targeted advertising is to today's internet 
economy, for example, it is possible that its role may wane. Companies 
and other stakeholders are exploring new business models.\129\ Such 
changes would have notable collateral consequences for companies that 
have come to rely on the third-party advertising model, including and 
especially news publishing. These developments in online advertising 
marketplace are just one example. How should the Commission account for 
changes in business models in advertising as well as other commercial 
surveillance practices?
---------------------------------------------------------------------------

    \129\ See, e.g., Brian X. Chen, The Battle for Digital Privacy 
Is Reshaping the Internet, N.Y. Times (Sept. 16, 2021), <a href="https://www.nytimes.com/2021/09/16/technology/digital-privacy.html">https://www.nytimes.com/2021/09/16/technology/digital-privacy.html</a>.
---------------------------------------------------------------------------

V. Comment Submissions

    You can file a comment online or on paper. For the Commission to 
consider your comment, it must receive it on or before October 21, 
2022. Write ``Commercial Surveillance ANPR, R111004'' on your comment. 
Your comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website. The Commission strongly 
encourages you to submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website. To ensure the Commission considers your 
online comment, please follow the instructions on the web-based form.
    If you file your comment on paper, write ``Commercial Surveillance 
ANPR, R111004'' on your comment and on the envelope, and mail your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580.
    Because your comment will be placed on the public record, you are 
solely responsible for making sure that your comment does not include 
any sensitive or confidential information. In particular, your comment 
should not contain sensitive personal information, such as your or 
anyone else's Social Security number; date of birth; driver's license 
number or other state identification number or foreign country 
equivalent; passport number; financial

[[Page 51286]]

account number; or credit or debit card number. You are also solely 
responsible for making sure your comment does not include any sensitive 
health information, such as medical records or other individually 
identifiable health information. In addition, your comment should not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential''--as provided in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2)--including in particular competitively sensitive information 
such as costs, sales statistics, inventories, formulas, patterns, 
devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted publicly at <a href="https://www.regulations.gov">https://www.regulations.gov</a>--as legally required 
by FTC Rule 4.9(b)--we cannot redact or remove your comment, unless you 
submit a confidentiality request that meets the requirements for such 
treatment under FTC Rule 4.9(c), and the General Counsel grants that 
request.
    Visit the FTC website to read this document and the news release 
describing it. The FTC Act and other laws that the Commission 
administers permit the collection of public comments to consider and 
use in this proceeding as appropriate. The Commission will consider all 
timely and responsive public comments it receives on or before October 
21, 2022. For information on the Commission's privacy policy, including 
routine uses permitted by the Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.

VI. The Public Forum

    The Commission will hold a public forum on Thursday, September 8, 
2022, from 2 p.m. until 7:30 p.m. eastern time. In light of the ongoing 
COVID-19 pandemic, the forum will be held virtually, and members of the 
public are encouraged to attend virtually by visiting <a href="https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum">https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum</a>. The public forum will address in greater 
depth the topics that are the subject of this document as well as the 
rulemaking process with a goal of facilitating broad public 
participation in response to this ANPR and any future rulemaking 
proceedings the Commission undertakes. A complete agenda will be posted 
at the aforementioned website and announced in a press release at a 
future date. Individuals or entities that would like to participate in 
the public forum by offering two-minute public remarks, should email 
Sept8testimony@ftc.gov. Please note that this email is only for 
requests to participate in the public forum and is not a means of 
submitting comments in response to this ANPR. Please see Item V above 
for instructions on submitting public comments.
    Forum panelists will be selected by FTC staff, and public remarks 
are first come, first serve. The Commission will place a recording of 
the proceeding on the public record. Requests to participate in the 
public remarks must be received on or before August 31, 2022. 
Individuals or entities selected to participate will be notified on or 
before September 2, 2022. Because disclosing sources of funding 
promotes transparency, ensures objectivity, and maintains the public's 
trust, prospective participants, if chosen, will be required to 
disclose the source of any support they received in connection with 
participation at the forum. This funding information will be included 
in the published biographies as part of the forum record.

    By direction of the Commission.
Joel Christie,
Acting Secretary.

    Note:  The following statements will not appear in the Code of 
Federal Regulations:

Statement of Chair Lina M. Khan

    Today, the Federal Trade Commission initiated a proceeding to 
examine whether we should implement new rules addressing data practices 
that are unfair or deceptive.
    The Commission brought its first internet privacy case 24 years ago 
against GeoCities, one of the most popular websites at the time.\1\ In 
the near quarter-century since, digital technologies and online 
services have rapidly evolved, with transformations in business models, 
technical capabilities, and social practices. These changes have 
yielded striking advancements and dazzling conveniences--but also tools 
that enable entirely new forms of persistent tracking and routinized 
surveillance. Firms now collect personal data on individuals on a 
massive scale and in a stunning array of contexts, resulting in an 
economy that, as one scholar put it, ``represents probably the most 
highly surveilled environment in the history of humanity.'' \2\ This 
explosion in data collection and retention, meanwhile, has heightened 
the risks and costs of breaches--with Americans paying the price.\3\
---------------------------------------------------------------------------

    \1\ Press Release, Fed. Trade Comm'n, Internet Site Agrees to 
Settle FTC Charges of Deceptively Collecting Personal Information in 
Agency's First Internet Privacy Case (Aug. 13, 1998), <a href="https://www.ftc.gov/news-events/news/press-releases/1998/08/internet-site-agrees-settle-ftc-charges-deceptively-collecting-personal-information-agencys-first">https://www.ftc.gov/news-events/news/press-releases/1998/08/internet-site-agrees-settle-ftc-charges-deceptively-collecting-personal-information-agencys-first</a>.
    \2\ Neil Richards, Why Privacy Matters 84 (2021). See also Oscar 
Gandy, The Panoptic Sort: A Political Economy of Personal 
Information (2021).
    \3\ See, e.g., Press Release, Fed. Trade Comm'n, Equifax to Pay 
$575 Million as Part of Settlement with FTC, CFPB, and States 
Related to 2017 Data Breach (July 22, 2019), <a href="https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach">https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach</a>.
    See also Eamon Javers, The Extortion Economy: Inside the Shadowy 
World of Ransomware Payouts, CNBC (Apr. 6, 2021), <a href="https://www.cnbc.com/2021/04/06/the-extortion-economy-inside-the-shadowy-world-of-ransomware-payouts.html">https://www.cnbc.com/2021/04/06/the-extortion-economy-inside-the-shadowy-world-of-ransomware-payouts.html</a>; Dan Charles, The Food Industry May 
Be Finally Paying Attention To Its Weakness To Cyberattacks, NPR 
(July 5, 2021), <a href="https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-its-weakness-to-cyberattack">https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-its-weakness-to-cyberattack</a>; William Turton & Kartikay Mehrotra, Hackers Breached 
Colonial Pipeline Using Compromised Password, Bloomberg (June 4, 
2021), <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password</a>.
---------------------------------------------------------------------------

    As the country's de facto law enforcer in this domain, the FTC is 
charged with ensuring that our approach to enforcement and policy keeps 
pace with these new market realities. The agency has built a wealth of 
experience in the decades since the GeoCities case, applying our 
century-old tools to new products in order to protect Americans from 
evolving forms of data abuses.\4\ Yet the growing digitization of our 
economy--coupled with business models that can incentivize endless 
hoovering up of sensitive user data and a vast expansion of how this 
data is used \5\--means potentially unlawful practices may be 
prevalent, with case-by-case enforcement failing to adequately deter 
lawbreaking or remedy the resulting harms.
---------------------------------------------------------------------------

    \4\ See Advanced Notice of Proposed Rulemaking, Trade Regulation 
Rule on Commercial Surveillance and Data Security, _FR_Sec.  III(a) 
[hereinafter ``ANPR'']. See also Daniel J. Solove & Woodrow Hartzog, 
The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 
(2014).
    \5\ Remarks of Chair Lina M. Khan, IAPP Global Privacy Summit 
2022 (Apr. 11, 2022), <a href="https://www.ftc.gov/news-events/news/speeches/remarks-chair-lina-m-khan-prepared-delivery-iapp-global-privacy-summit-2022">https://www.ftc.gov/news-events/news/speeches/remarks-chair-lina-m-khan-prepared-delivery-iapp-global-privacy-summit-2022</a>.

---------------------------------------------------------------------------

[[Page 51287]]

    Indeed, a significant majority of Americans today feel they have 
scant control over the data collected on them and believe the risks of 
data collection by commercial entities outweigh the benefits.\6\ 
Evidence also suggests the current configuration of commercial data 
practices does not actually reveal how much users value privacy or 
security.\7\ For one, the use of dark patterns and other conduct that 
seeks to manipulate users underscores the limits of treating present 
market outcomes as reflecting what users desire or value.\8\ More 
fundamentally, users often seem to lack a real set of alternatives and 
cannot reasonably forego using technologies that are increasingly 
critical for navigating modern life.\9\
---------------------------------------------------------------------------

    \6\ Brooke Auxier et al., Americans and Privacy: Concerned, 
Confused and Feeling Lack of Control Over Their Personal 
Information, Pew Res. Center (Nov. 15, 2019), <a href="https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/">https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/</a> (noting that 81% of Americans believe that they ``have 
very little/no control over the data companies collect'' and that 
``the potential risks of companies collecting data about them 
outweigh the benefits'').
    \7\ See, e.g., Daniel Solove, The Myth of the Privacy Paradox, 
89 Geo. Wash. L. Rev. 1, 22-32 (2021).
    \8\ The FTC recently brought a case against Age of Learning, 
Inc., an educational subscription service that allegedly utilized 
dark patterns to scam millions of dollars from families. See 
Stipulated Order for Permanent Injunction and Monetary Judgement, 
FTC v. Age of Learning, Inc., No. 2:20-cv-7996 (C.D. Cal. Sept. 8, 
2020). See also Zeynep Tufekci, The Latest Data Privacy Debacle, 
N.Y. Times (Jan. 30, 2018), <a href="http://www.nytimes.com/2018/01/30/opinion/strava-privacy.html">http://www.nytimes.com/2018/01/30/opinion/strava-privacy.html</a> (``Data privacy is more like air quality 
or safe drinking water, a public good that cannot be effectively 
regulated by trusting in the wisdom of millions of individual 
choices.'').
    \9\ Bhaskar Chakravorti, Why It's So Hard for Users to Control 
Their Data, Harv. Bus. Rev. (Jan. 30, 2020), <a href="https://hbr.org/2020/01/why-companies-make-it-so-hard-for-users-to-control-their-data">https://hbr.org/2020/01/why-companies-make-it-so-hard-for-users-to-control-their-data</a> 
(noting that ``even if users wanted to negotiate more data agency, 
they have little leverage. Normally, in well-functioning markets, 
customers can choose from a range of competing providers. But this 
is not the case if the service is a widely used digital 
platform.''); see also Solove, supra note 7, at 29 (``In one survey, 
81% of respondents said that they had at least once 'submitted 
information online when they wished that they did not have to do 
so.' People often are not afforded much choice or face a choice 
between two very bad options.'').
---------------------------------------------------------------------------

    The data practices of today's surveillance economy can create and 
exacerbate deep asymmetries of information--exacerbating, in turn, 
imbalances of power. And the expanding contexts in which users' 
personal data is used--from health care and housing to employment and 
education--mean what's at stake with unlawful collection, use, 
retention, or disclosure is not just one's subjective preference for 
privacy, but one's access to opportunities in our economy and society, 
as well as core civil liberties and civil rights.
    The fact that current data practices can have such consequential 
effects heightens both the importance of wielding the full set of tools 
Congress has given us, as well as the responsibility we have to do so. 
In particular, Section 18 of the FTC Act grants us clear authority to 
issue rules that identify specific business practices that are unlawful 
by virtue of being ``unfair'' or ``deceptive.'' \10\ Doing so could 
provide firms with greater clarity about the scope of their legal 
obligations. It could also strengthen our ability to deter lawbreaking, 
given that first-time violators of duly promulgated trade regulation 
rules--unlike most first-time violators of the FTC Act \11\--are 
subject to civil penalties. This would also help dispense with 
competitive advantages enjoyed by firms that break the law: all 
companies would be on the hook for civil penalties for law violations, 
not just repeat offenders.
---------------------------------------------------------------------------

    \10\ 15 U.S.C. 57a. Commissioner Slaughter's statement cogently 
lays out why our authority here is unambiguous. See Statement of 
Commissioner Rebecca Kelly Slaughter Regarding the Commercial 
Surveillance and Data Security Advance Notice of Proposed Rulemaking 
(Aug. 11, 2022), at 5-6. See also Kurt Walters, Reassessing the 
Mythology of Magnuson-Moss: A Call to Revive Section 18 Rulemaking 
at the FTC, 16 Harv. L. & Pol'y Rev. (forthcoming 2022).
    \11\ 15 U.S.C. 53, 57b, 45(l). The FTC's penalty offense 
authority also provides a basis for seeking civil penalties from 
some first-time violators. 15 U.S.C. 45(m)(1)(B).
---------------------------------------------------------------------------

    Today's action marks the beginning of the rulemaking proceeding. In 
issuing an Advance notice of proposed rulemaking (ANPR), the Commission 
is seeking comments from the public on the extent and effects of 
various commercial surveillance and data security practices, as well as 
on various approaches to crafting rules to govern these practices and 
the attendant tradeoffs. Our goal at this stage is to begin building a 
rich public record to inform whether rulemaking is worthwhile and the 
form potential proposed rules should take. Robust public engagement 
will be critical--particularly for documenting specific harmful 
business practices and their prevalence, the magnitude and extent of 
the resulting consumer harm, the efficacy or shortcomings of rules 
pursued in other jurisdictions, and how to assess which areas are or 
are not fruitful for FTC rulemaking.
    Because Section 18 lays out an extensive series of procedural 
steps, we will have ample opportunity to review our efforts in light of 
any new developments. If Congress passes strong federal privacy 
legislation--as I hope it does--or if there is any other significant 
change in applicable law, then the Commission would be able to reassess 
the value-add of this effort and whether continuing it is a sound use 
of resources. The recent steps taken by lawmakers to advance federal 
privacy legislation are highly encouraging, and our agency stands ready 
to continue aiding that process through technical assistance or 
otherwise sharing our staff's expertise.\12\ At minimum, the record we 
will build through issuing this ANPR and seeking public comment can 
serve as a resource to policymakers across the board as legislative 
efforts continue.
---------------------------------------------------------------------------

    \12\ Maria Curi, Landmark Tech Privacy Protection Bill Approved 
by House Panel, Bloomberg (July 20, 2022), <a href="https://news.bloomberglaw.com/privacy-and-data-security/landmark-tech-privacy-protection-bill-approved-by-house-panel">https://news.bloomberglaw.com/privacy-and-data-security/landmark-tech-privacy-protection-bill-approved-by-house-panel</a>.
---------------------------------------------------------------------------

    The ANPR poses scores of broad and specific questions to help 
elicit and encourage responses from a diverse range of stakeholders. I 
look forward to engaging with and learning from the record we develop 
on the wide range of issues covered. Highlighted below are a few topics 
from the ANPR on which I am especially eager for us to build a record:
    &bull; Procedural protections versus substantive limits: Growing 
recognition of the limits of the ``notice and consent'' framework 
prompts us to reconsider more generally the adequacy of procedural 
protections, which tend to create process requirements while 
sidestepping more fundamental questions about whether certain types of 
data collection and processing should be permitted in the first 
place.\13\ Are there contexts in which our unfairness authority reaches 
a greater set of substantive limits on data collection? \14\ When might 
bans and prohibitions on certain data practices be most appropriate? 
\15\
---------------------------------------------------------------------------

    \13\ Woodrow Hartzog & Neil Richards, Privacy's Constitutional 
Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687, 1693 
(2020) (``[D]ata protection regimes seek to permit more ethical 
surveillance and data processing at the expense of foundational 
questions about whether that surveillance and processing should be 
allowed in the first place.''); Solove, supra note 7, at 29 (``The 
fact that people trade their privacy for products or services does 
not mean that these transactions are desirable in their current 
form. . . [T]he mere fact that people make a tradeoff doesn't mean 
that the tradeoff is fair, legitimate, or justifiable. For example, 
suppose people could trade away food safety regulation in exchange 
for cheaper food. There would be a price at which some people would 
accept greater risks of tainted food. The fact that there is such a 
price doesn't mean that the law should allow the transaction.'').
    \14\ ANPR at section IV(b) Q.21; ANPR at section IV(d) Q.43; 
ANPR at section IV(d) Q.48.
    \15\ ANPR at section IV(d) Q.76.
---------------------------------------------------------------------------

    &bull; Administrability: Information asymmetries between 
enforcers and market participants can be especially stark in the 
digital economy. How can

[[Page 51288]]

we best ensure that any rules we pursue can be easily and efficiently 
administered and that these rules do not rest on determinations we are 
not well positioned to make or commitments we are not well positioned 
to police? How have jurisdictions successfully managed to police 
obligations such as ``data minimization''? \16\
---------------------------------------------------------------------------

    \16\ ANPR at section IV(d) Q.49.
---------------------------------------------------------------------------

    &bull; Business models and incentives: How should we approach 
business models that are premised on or incentivize persistent tracking 
and surveillance, especially for products or services consumers may not 
be able to reasonably avoid? \17\
---------------------------------------------------------------------------

    \17\ ANPR at section IV(a) Q.11.
---------------------------------------------------------------------------

    &bull; Discrimination based on protected categories: Automated 
systems used by firms sometimes discriminate based on protected 
categories--such as race, color, religion, national origin, or sex--
including in contexts where this discrimination is unlawful.\18\ How 
should we consider whether new rules should limit or forbid 
discrimination based on protected categories under our Section 5 
unfairness authority? \19\
---------------------------------------------------------------------------

    \18\ ANPR at section I nn.38-45. See also Fed. Trade Comm'n, 
Serving Communities of Color: A Staff Report on the Federal Trade 
Commission's Efforts to Address Fraud and Consumer Issues Affecting 
Communities of Color, at 1-3 (Oct. 2021), <a href="https://www.ftc.gov/system/files/documents/reports/serving-communities-color-staff-report-federal-trade-commissions-efforts-address-fraud-consumer/ftc-communities-color-report_oct_2021-508-v2.pdf">https://www.ftc.gov/system/files/documents/reports/serving-communities-color-staff-report-federal-trade-commissions-efforts-address-fraud-consumer/ftc-communities-color-report_oct_2021-508-v2.pdf</a>; Latanya Sweeney, 
Discrimination in Online Ad Delivery: Google Ads, Black Names and 
White Names, Racial Discrimination, and Click Advertising, 11 Queue 
10, 29 (Mar. 2013); Muhammad Ali et al., Discrimination Through 
Optimization: How Facebook's Ad Delivery Can Lead to Skewed 
Outcomes, 3 Proc. ACM on Hum.-Computer Interaction (2019).
    \19\ ANPR at section IV(d) Q.65-72. See 15 U.S.C. 45(n) (``In 
determining whether an act or practice is unfair, the Commission may 
consider established public policies as evidence to be considered 
with all other evidence. Such public policy considerations may not 
serve as a primary basis for such determination.''). Cf. Joint 
Statement of Chair Lina M. Khan and Commissioner Rebecca Kelly 
Slaughter In the Matter of Napleton Automotive Group (Mar. 31, 
2022), <a href="https://www.ftc.gov/news-events/news/speeches/joint-statement-chair-lina-m-khan-commissioner-rebecca-kelly-slaughter-matter-napleton-automotive">https://www.ftc.gov/news-events/news/speeches/joint-statement-chair-lina-m-khan-commissioner-rebecca-kelly-slaughter-matter-napleton-automotive</a>. Other agencies are also examining these 
practices. See Assistant Attorney General Kristen Clarke, Keynote 
Address on AI and Civil Rights for the Department of Commerce's 
National Telecommunications and Information Administration's Virtual 
Listening Session (Dec. 14, 2021), <a href="https://www.justice.gov/opa/speech/assistant-attorney-general-kristen-clarke-delivers-keynote-ai-and-civil-rights-department">https://www.justice.gov/opa/speech/assistant-attorney-general-kristen-clarke-delivers-keynote-ai-and-civil-rights-department</a>; Dep't of Lab., Off. of Fed. Contract 
Compliance Programs, Internet Applicant Recordkeeping Rule, FAQ, 
<a href="https://www.dol.gov/agencies/ofccp/faqs/internet-applicants">https://www.dol.gov/agencies/ofccp/faqs/internet-applicants</a>; Press 
Release, Equal Emp. Opportunity Comm'n, EEOC Launches Initiative on 
Artificial Intelligence and Algorithmic Fairness (Oct. 28, 2021), 
<a href="https://www.eeoc.gov/newsroom/eeoc-launches-initiative-artificial-intelligence-and-algorithmic-fairness">https://www.eeoc.gov/newsroom/eeoc-launches-initiative-artificial-intelligence-and-algorithmic-fairness</a>.
---------------------------------------------------------------------------

    • Workplace surveillance: Reports suggest extensive 
tracking, collection, and analysis of consumer data in the workplace 
has expanded exponentially.\20\ Are there particular considerations 
that should govern how we consider whether data abuses in the workplace 
may be deceptive or unfair? \21\
---------------------------------------------------------------------------

    \20\ ANPR at section I nn.14-15. See, e.g., Danielle Abril & 
Drew Harwell, Keystroke Tracking, Screenshots, and Facial 
Recognition: The Boss May Be Watching Long After the Pandemic Ends, 
Wash. Post (Sept. 24, 2021), <a href="https://www.washingtonpost.com/technology/2021/09/24/remote-work-from-home-surveillance/">https://www.washingtonpost.com/technology/2021/09/24/remote-work-from-home-surveillance/</a>; Adam 
Satariano, How My Boss Monitors Me While I Work From Home, N.Y. 
Times (May 6, 2020), <a href="https://www.nytimes.com/2020/05/06/technology/employee-monitoring-work-from-home-virus.html">https://www.nytimes.com/2020/05/06/technology/employee-monitoring-work-from-home-virus.html</a>.
    \21\ ANPR at sections I, IV(a) Q.12.
---------------------------------------------------------------------------

    To facilitate wide-ranging participation, we are seeking to make 
this process widely accessible. Our staff has published a ``frequently 
asked questions'' resource to demystify the rulemaking process and 
identify opportunities for the public to engage.\22\ We will also host 
a virtual public forum on September 8, where people will be able to 
provide oral remarks that will be part of the ANPR record.\23\
---------------------------------------------------------------------------

    \22\ The FAQ can be found both in English, available at <a href="https://www.ftc.gov/enforcement/rulemaking/public-participation-section-18-rulemaking-process">https://www.ftc.gov/enforcement/rulemaking/public-participation-section-18-rulemaking-process</a>, as well as in Spanish, available at <a href="https://www.ftc.gov/es/participacion-publica-en-el-proceso-de-reglamentacion-de-la-ftc-conforme-la-seccion-18">https://www.ftc.gov/es/participacion-publica-en-el-proceso-de-reglamentacion-de-la-ftc-conforme-la-seccion-18</a>.
    \23\ The public forum will include a brief presentation on the 
rulemaking process and this ANPR comment period, panel discussions, 
and a public remarks section. More information can be found at 
<a href="https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum">https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum</a>.
---------------------------------------------------------------------------

    I am grateful to our agency staff for their work on this ANPR and 
my colleagues on the Commission for their engagement and input. 
Protecting Americans from unlawful commercial surveillance and data 
security practices is critical work, and I look forward to undertaking 
this effort with both the necessary urgency and rigor.

Statement of Commissioner Rebecca Kelly Slaughter

    Three years ago, I gave a speech outlining: why I believed that 
case-by-case enforcement in the space of data abuses was not effective; 
how I hoped to see Congress pass a long-overdue federal privacy law; 
and that, until such a law is signed, the Commission should use its 
authority under Section 18 to initiate a rulemaking process.\1\ I am 
delighted that Congress appears to be making substantial and 
unprecedented progress toward a meaningful privacy law, which I am 
eager to see pass.\2\ Nonetheless, given the uncertainty of the 
legislative process and the time a Section 18 rulemaking necessarily 
takes, the Commission should not wait any longer than it already has to 
develop a public record that could support enforceable rules. So I am 
equally delighted that we are now beginning the Section 18 process by 
issuing this advance notice of proposed rulemaking (``ANPR'') on 
commercial surveillance and data security.\3\
---------------------------------------------------------------------------

    \1\ See Rebecca Kelly Slaughter, The Near Future of U.S. Privacy 
Law, Silicon Flatirons-University of Colorado Law School (Sept. 6, 
2019), <a href="https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf">https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf</a>.
    \2\ See Rebecca Klar, House Panel Advances Landmark Federal Data 
Privacy Bill, The Hill (July 20, 2022), <a href="https://thehill.com/policy/technology/3567822-house-panel-advances-landmark-federal-data-privacy-bill/">https://thehill.com/policy/technology/3567822-house-panel-advances-landmark-federal-data-privacy-bill/</a>.
    \3\ Fed. Trade Comm'n, Trade Regulation Rule on Commercial 
Surveillance and Data Security, 87 FR (forthcoming 2022) 
[hereinafter ``ANPR''].
---------------------------------------------------------------------------

    It is indisputable that the Federal Trade Commission has expertise 
in regulating this sector; it is widely recognized as the nation's 
premier ``privacy enforcer.'' \4\ I commend agency staff for their 
dogged application of our nearly 100-year-old consumer-protection 
statute (and handful of sector-specific privacy laws) to build that 
reputation.
---------------------------------------------------------------------------

    \4\ When Congress passed the Children's Online Privacy 
Protection Act (``COPPA'') in 1998 it assigned sector-specific 
privacy enforcement and rulemaking powers to the FTC on top of our 
UDAP authority. Bills being debated in both House and Senate 
Commerce Committees build on our ``comparative expertise'' in this 
field and seek to streamline and enhance our privacy enforcement and 
rulemaking processes. See West Virginia v. EPA, 142 S. Ct. 2587, 
2613 (2022) (`` 'When an agency has no comparative expertise' in 
making certain policy judgments, we have said, `Congress presumably 
would not' task it with doing so.'' (quoting Kisor v. Wilkie, 139 S. 
Ct. 2400, 2417 (2019))).
---------------------------------------------------------------------------

    Historically, much of that work operated through the 
straightforward application of those basic consumer-protection 
principles to privacy. The FTC ensured that companies told users what 
they were doing with the users' data, insisted that they secure users' 
consent, and policed companies' promises. But case-by-case enforcement 
has not systemically deterred unlawful behavior in this market. As our 
own reports make clear, the prevailing notice-and-choice regime has 
failed to protect users,\5\ and the modes by which sensitive 
information can be discovered,

[[Page 51289]]

derived, and disclosed have only grown in number and complexity.\6\
---------------------------------------------------------------------------

    \5\ An FTC staff 6(b) study on ISP privacy uncovered that 
companies routinely bury important disclosures in endless terms-of-
service and that choice, even when purportedly offered, is 
``illusory.'' Fed. Trade Comm'n, A Look at What ISPs Know About You: 
Examining the Privacy Practices of Six Major Internet Service 
Providers 27 (Oct. 21, 2021), <a href="https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-youexamining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf">https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-youexamining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf</a>.
    \6\ See Kristin Cohen, Location, Health, and Other Sensitive 
Information: FTC Committed to Fully Enforcing the Law Against 
Illegal Use and Sharing of Highly Sensitive Data, Fed. Trade Comm'n 
(July 11, 2022), <a href="https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use">https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use</a> (``Smartphones, connected cars, 
wearable fitness trackers, ``smart home'' products, and even the 
browser you're reading this on are capable of directly observing or 
deriving sensitive information about users.'').
---------------------------------------------------------------------------

    Data abuses such as surreptitious biometric or location 
tracking,\7\ unaccountable and discriminatory algorithmic decision-
making,\8\ or lax data security practices \9\ have been either caused 
by, exacerbated by, or are in service of nearly unfettered commercial 
data collection, retention, use, and sharing. It is up to the 
Commission to use the tools Congress explicitly gave us, however rusty 
we are at wielding them, to prevent these unlawful practices. That is 
why I have consistently, for years, called for the Commission to begin 
the process to consider clear, bright-line rules against unfair or 
deceptive data practices pursuant to our Section 18 authority.\10\
---------------------------------------------------------------------------

    \7\ See, e.g., Mobile Advertising Network InMobi Settles FTC 
Charges It Tracked Hundreds of Millions of Consumers' Locations 
Without Permission, FTC (June 22, 2016), <a href="https://www.ftc.gov/newsevents/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked">https://www.ftc.gov/newsevents/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked</a>.
    \8\ See, e.g., Elisa Jillson, Aiming for Truth, Fairness, and 
Equity in Your Company's Use of AI (Apr. 19, 2021), <a href="https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai">https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai</a>.
    \9\ See, e.g., Press Release, FTC Finalizes Action Against 
CafePress for Covering Up Data Breach, Lax Security (June 24, 2022), 
<a href="https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0">https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0</a>.
    \10\ See, e.g., Rebecca Kelly Slaughter, The Near Future of U.S. 
Privacy Law, Silicon Flatirons-University of Colorado Law School, 
(Sept. 6, 2019) <a href="https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf">https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf</a>; Remarks of Commissioner Rebecca Kelly Slaughter on 
Algorithms and Economic Justice, UCLA School of Law (Jan. 24, 2020), 
<a href="https://www.ftc.gov/system/files/documents/public_statements/1564883/remarks_of_commissioner_rebecca_kelly_slaughter_on_algorithmic_and_economic_justice_01-24-2020.pdf">https://www.ftc.gov/system/files/documents/public_statements/1564883/remarks_of_commissioner_rebecca_kelly_slaughter_on_algorithmic_and_economic_justice_01-24-2020.pdf</a>; Opening Statement of 
Commissioner Rebecca Kelly Slaughter, United States Senate Committee 
on Commerce, Science, and Transportation Hearing on Oversight of the 
Federal Trade Commission (Aug. 5, 2020), <a href="https://www.ftc.gov/system/files/documents/public_statements/1578979/opening_statement_of_commissioner_rebecca_slaughter_senate_commerce_oversight_hearing.pdf">https://www.ftc.gov/system/files/documents/public_statements/1578979/opening_statement_of_commissioner_rebecca_slaughter_senate_commerce_oversight_hearing.pdf</a>; FTC Data Privacy Enforcement: A Time of 
Change, N.Y.U. School of Law (Oct. 16, 2020), <a href="https://www.ftc.gov/system/files/documents/public_statements/1581786/slaughter_-_remarks_on_ftc_data_privacy_enforcement_-_a_time_of_change.pdf">https://www.ftc.gov/system/files/documents/public_statements/1581786/slaughter_-_remarks_on_ftc_data_privacy_enforcement_-_a_time_of_change.pdf</a>; 
Protecting Consumer Privacy in a Time of Crisis, Future of Privacy 
Forum, (Feb. 10, 2021) <a href="https://www.ftc.gov/system/files/documents/public_statements/1587283/fpf_opening_remarks_210_.pdf">https://www.ftc.gov/system/files/documents/public_statements/1587283/fpf_opening_remarks_210_.pdf</a>; Keynote 
Remarks of FTC Acting Chairwoman Rebecca Kelly Slaughter, Consumer 
Federation of America's Virtual Consumer Assembly (May 4, 2021), 
<a href="https://www.ftc.gov/system/files/documents/public_statements/1589607/keynote-remarks-acting-chairwoman-rebecca-kelly-slaughte-cfa-virtual-consumer-assembly.pdf">https://www.ftc.gov/system/files/documents/public_statements/1589607/keynote-remarks-acting-chairwoman-rebecca-kelly-slaughte-cfa-virtual-consumer-assembly.pdf</a>; Rebecca Kelly Slaughter, 
Algorithms and Economic Justice: A Taxonomy of Harms and a Path 
Forward for the Federal Trade Commission, Yale J. L. & Tech. (Aug. 
2021), <a href="https://yjolt.org/sites/default/files/23_yale_j.l._tech._special_issue_1.pdf">https://yjolt.org/sites/default/files/23_yale_j.l._tech._special_issue_1.pdf</a>; Statement of Rebecca Kelly 
Slaughter Regarding the Report to Congress on Privacy and Security 
(Oct. 1, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1597012/rks_statement_on_privacy_report_final.pdf">https://www.ftc.gov/system/files/documents/public_statements/1597012/rks_statement_on_privacy_report_final.pdf</a>; 
Disputing the Dogmas of Surveillance Advertising, National 
Advertising Division (Oct. 1, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1597050/commissioner_slaughter_national_advertising_division_10-1-2021_keynote_address.pdf">https://www.ftc.gov/system/files/documents/public_statements/1597050/commissioner_slaughter_national_advertising_division_10-1-2021_keynote_address.pdf</a>; Wait But Why? Rethinking Assumptions About 
Surveillance Advertising, IAPP Privacy Security Risk Keynote (Oct. 
22, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf">https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf</a>; NTIA 
Listening Session on Privacy, Equity, and Civil Rights Keynote 
Address of Commissioner Rebecca Kelly Slaughter, NTIA, (Dec. 14, 
2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1599831/slaughter-ntia-keynote.pdf">https://www.ftc.gov/system/files/documents/public_statements/1599831/slaughter-ntia-keynote.pdf</a>.
---------------------------------------------------------------------------

    Section 18 rulemaking's virtue lies in being open, iterative, and 
public. By the same token it is, by congressional design, laborious and 
time-consuming. But we intend to follow the record where it leads and, 
if appropriate, issue Trade Regulation Rules to proscribe unlawful 
conduct. The Commission has proactively taken steps to use this 
authority as Congress directed. During my time as Acting Chair, we 
created a Rulemaking Group within the Office of General Counsel, which 
has already been indispensable in building the agency's capacity during 
this process.\11\ Working with that Group, the Commission updated our 
Rules of Practice to enhance transparency and shed self-imposed 
roadblocks to avoid unnecessary and costly delay in these 
proceedings.\12\
---------------------------------------------------------------------------

    \11\ Press Release, FTC Acting Chairwoman Slaughter Announces 
New Rulemaking Group (Mar. 25, 2021), <a href="https://www.ftc.gov/news-events/news/press-releases/2021/03/ftc-acting-chairwoman-slaughter-announces-new-rulemaking-group">https://www.ftc.gov/news-events/news/press-releases/2021/03/ftc-acting-chairwoman-slaughter-announces-new-rulemaking-group</a>.
    \12\ Statement of Commissioner Rebecca Kelly Slaughter joined by 
Chair Lina Khan and Commissioner Rohit Chopra Regarding the Adoption 
of Revised Section 18 Rulemaking Procedures (July 1, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1591522/joint_rules_of_practice_statement_final_7121_1131am.pdf">https://www.ftc.gov/system/files/documents/public_statements/1591522/joint_rules_of_practice_statement_final_7121_1131am.pdf</a>.
---------------------------------------------------------------------------

    As happy as I am to see us finally take this first step of opening 
this record, it is not something I take lightly. An initiative like 
this entails some risk, though I believe further inaction does as well. 
I have heard arguments, including from my fellow Commissioners, that 
conducting a rulemaking in the data space is inappropriate, either 
because Congress is currently debating privacy legislation or even 
because the topic is simply too consequential or the issues too vast 
for the Commission to appropriately address. In this statement, I 
challenge some of these assumptions and then raise some of the issues 
in which I am especially interested.

On Timing

    The best time to initiate this lengthy process was years ago, but 
the second-best time is now. Effective nationwide rules governing the 
collection and use of data are long overdue. As the nation's principal 
consumer-protection agency, we have a responsibility to act.

Restoring Effective Deterrence

    The question of effective enforcement is central to this 
proceeding. Case-by-case enforcement, while once considered a prudent 
expression of our statutory authority, has not proved effective at 
deterring illegal conduct in the data space. Trade Regulation Rules can 
help remedy this problem by providing clear and specific guidance about 
what conduct the law proscribes and attaching financial consequences to 
violations of the law.
    Providing a financial penalty for first-time lawbreaking is now, in 
the wake of the loss of our Section 13(b) authority, a particular 
necessity. Last year, the Supreme Court ruled that we can no longer 
seek monetary relief in federal court for violations of the FTC Act 
under our 13(b) authority.\13\ I have testified in Congress that the 
loss of this authority is devastating for consumers who now face a 
significantly steeper uphill battle to be made whole after suffering a 
financial injury stemming from illegal conduct.\14\ But the loss of 
13(b) also hampers our ability to deter unlawful conduct in the first 
place. In its absence, and without a statutory fix, first-time 
violators of the FTC Act are unlikely to face monetary consequences for 
their unlawful practices.\15\ Trade Regulation Rules enforced under

[[Page 51290]]

Section 19 can enable such consequences.\16\
---------------------------------------------------------------------------

    \13\ AMG Cap. Mgmt., LLC v. FTC, 141 S. Ct. 1341, 1347 (2021).
    \14\ Rebecca Kelly Slaughter, Opening Statement of Acting 
Chairwoman Rebecca Kelly Slaughter [on] The Urgent Need to Fix 
Section 13(b) of the FTC Act, United States House Committee on 
Energy and Commerce Subcommittee on Consumer Protection and Commerce 
(Apr. 27, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1589456/opening_statement_april_27_house_13b_hearing_427.pdf">https://www.ftc.gov/system/files/documents/public_statements/1589456/opening_statement_april_27_house_13b_hearing_427.pdf</a>.
    \15\ See ANPR at 23 (``For instance, after a hacker steals 
personal consumer data from an inadequately secured database, an 
injunction stopping the conduct and requiring the business to take 
affirmative steps to improve its security going forward can help 
prevent future breaches but does not remediate the harm that has 
already occurred or is likely to occur.'').
    \16\ In the course of removing our 13(b) equitable monetary 
relief authority, the Supreme Court admonished the Commission to 
stop complaining about the ``cumbersome'' Section 19 process and 
either use our authority in earnest, ask Congress for a fix, or 
both. AMG Cap. Mgmt., 141 S. Ct. at 1352 (``Nothing we say today, 
however, prohibits the Commission from using its authority under 
Sec.  5 and Sec.  19 to obtain restitution on behalf of consumers. 
If the Commission believes that authority too cumbersome or 
otherwise inadequate, it is, of course, free to ask Congress to 
grant it further remedial authority.'').
---------------------------------------------------------------------------

Rulemaking in the Time of ADPPA

    For years, Congress has nibbled around the edges of comprehensive 
federal privacy legislation; it is now engaged in the advanced stages 
of consideration of such legislation. All members of the Commission 
have repeatedly called on Congress to act in this space. I have 
advocated for legislation that sets clear rules regarding data 
minimization, use restrictions, and secondary uses; that gives us the 
ability to seek civil penalties for law violations; that gives us 
flexible APA rulemaking authority so we can act swiftly to address new 
conduct; and most importantly gives the agency the resources to 
meaningfully enforce the law.
    The House may be the closest it has been in years to seeing 
legislation like this reach the finish line.\17\ I not only welcome 
it--I prefer Congressional action to strengthen our authority. But I 
know from personal experience that the road for a bill to become a law 
is not a straight or easy one.\18\ In the absence of that legislation, 
and while Congress deliberates, we cannot sit idly by or press pause 
indefinitely on doing our jobs to the best of our ability. As I 
mentioned above, I believe that we have a duty to use the authorities 
Congress has already given us to prevent and address these unfair or 
deceptive practices how we best see fit.
---------------------------------------------------------------------------

    \17\ Gilad Edelman, Don't Look Now, but Congress Might Pass an 
Actually Good Privacy Bill, Wired (July 21, 2022), <a href="https://www.wired.com/story/american-data-privacy-protection-act-adppa/">https://www.wired.com/story/american-data-privacy-protection-act-adppa/</a>.
    \18\ See Margaret Harding McGill, Online Privacy Bill Faces 
Daunting Roadblocks, Axios (Aug. 4, 2022), <a href="https://www.axios.com/2022/08/04/online-privacy-bill-roadblocks-congress">https://www.axios.com/2022/08/04/online-privacy-bill-roadblocks-congress</a>.
---------------------------------------------------------------------------

    I am certain that action by the Federal Trade Commission will not 
clip the wings of Congressional ambition. Our work here is 
complementary to Congress' efforts.\19\ The bills supported by the 
leaders of both Commerce Committees empower the FTC to be a more 
effective privacy regulator,\20\ as will the record we develop pursuant 
to this ANPR. Section 18 rulemaking, even more so than more common APA 
rulemaking, gives members of the public the opportunity to be active 
participants in the policy process. The open record will allow us to 
hear from ordinary people about the data economy harms they have 
experienced. We can begin to flex our regulatory muscle by evaluating 
which of those harms meet the statutory prohibitions on unfair or 
deceptive conduct and which of those are prevalent in the market. The 
study, public commentary, and dialogue this proceeding will launch can 
meaningfully inform any superseding rulemaking Congress eventually 
directs us to take as well as the Congressional debate should the 
current legislative progress stall.
---------------------------------------------------------------------------

    \19\ A group of nine Senators wrote that these are ``parallel'' 
efforts and encouraged the Commission to ``take advantage of every 
tool in its toolkit to protect consumers' privacy.'' Notably, a 
majority of these members have either introduced or cosponsored FTC-
empowering privacy legislation. Senators Booker, Blumenthal, Coons, 
Luján, Markey, Klobuchar, Schatz, Warren, and Wyden, 
2021.09.20 FTC Privacy Rulemaking (Sept. 20, 2021), <a href="https://www.blumenthal.senate.gov/imo/media/doc/2021.09.20%20-%20FTC%20-%20Privacy%20Rulemaking.pdf">https://www.blumenthal.senate.gov/imo/media/doc/2021.09.20%20-%20FTC%20-%20Privacy%20Rulemaking.pdf</a>.
    \20\ See, e.g., American Data Privacy and Protection Act, 
H.R.8152, 117th Congress (2022); See Consumer Online Privacy Rights 
Act, S.3195, 117th Congress (2021).
---------------------------------------------------------------------------

Our Authority and the Scope of This Proceeding

    Some have balked at this ANPR as overly ambitious for an agency 
that has not previously issued rules in this area, or as coloring 
outside the lines of our statute in the topics it addresses, especially 
in light of the Supreme Court decision in West Virginia v. EPA. But our 
authority is as unambiguous as it is limited, and so our regulatory 
ambit is rightfully constrained--the questions we ask in the ANPR and 
the rules we are empowered to issue may be consequential, but they do 
not implicate the ``major questions doctrine.'' \21\
---------------------------------------------------------------------------

    \21\ West Virginia, 142 S. Ct. at 2614 (2022) (``Given these 
circumstances [of a novel claim of authority by an agency] . . . the 
Government must--under the major questions doctrine--point to `clear 
congressional authorization' to regulate in that manner.''). The FTC 
is exercising here, however, its central authority: to define unfair 
or deceptive acts or practices, as it has done in enforcement 
matters for nearly 100 years under Section 5 and in rulemaking under 
Section 18 for nearly 50.
---------------------------------------------------------------------------

Section 18 Rulemaking

    In its grant of Section 18 rulemaking authority to the Commission 
in 1975 under the Magnuson-Moss Warranty--Federal Trade Commission 
Improvement Act, Congress explicitly empowered the FTC to ``define with 
specificity acts or practices which are unfair or deceptive acts or 
practices in or affecting commerce . . . .'' \22\ Those terms, and 
therefore our delegated authority, are not defined by ``modest words,'' 
``vague terms,'' ``subtle devices,'' or ``oblique or elliptical 
language.'' \23\ Determining what acts ``in commerce'' are unfair or 
deceptive is central to our statutory mission and their meaning is 
prescribed by our statutes and nearly 100 years of judicial 
interpretation.
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 57a(a)(1)(B).
    \23\ West Virginia, 142 S. Ct. at 2609 (internal quotation marks 
omitted).
---------------------------------------------------------------------------

    It is worth reiterating these standards, both as a matter of legal 
principle and as a note for those participating in this process. A 
``deceptive'' act is one that (1) makes a ``representation, omission, 
or practice that is likely to mislead the consumer'' (2) who is 
``acting reasonably in the circumstances'' and (3) is ``material,'' 
meaning it would ``affect the consumer's conduct or decision with 
regard to a product or service.'' \24\
---------------------------------------------------------------------------

    \24\ FTC Policy Statement on Deception (Oct. 14, 1983), appended 
to In re Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984), 
<a href="https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf">https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf</a>.
---------------------------------------------------------------------------

    Congress updated the FTC Act in 1994, adopting into statute the 
Commission's policy statement on ``unfairness.'' An act may be 
``unfair'' and in violation of the FTC Act if that act (1) ``causes or 
is likely to cause substantial injury to consumers,'' (2) ``is not 
reasonably avoidable by consumers themselves,'' and (3) is ``not 
outweighed by countervailing benefits to consumers or to competition.'' 
\25\
---------------------------------------------------------------------------

    \25\ 15 U.S.C. 45(n).
---------------------------------------------------------------------------

    Even after finding that a practice is unfair or deceptive we face 
an additional hurdle to issuing a Notice of proposed rulemaking leading 
to a possible Trade Regulation Rule. We may issue proposed rules to 
prevent unfair or deceptive practices only if we find that such 
practices are ``prevalent.'' We can find a practice prevalent if the 
FTC has ``issued cease and desist orders regarding such acts or 
practices,'' or we can determine prevalence through ``any other 
information available to the Commission'' that ``indicates a widespread 
pattern of unfair or deceptive acts or practices.'' \26\
---------------------------------------------------------------------------

    \26\ 15 U.S.C. 57a(b)(3).
---------------------------------------------------------------------------

    We cannot invent the law here. I want to underscore this. In this 
rulemaking we can address only unfair or deceptive practices that we 
could have otherwise found unlawful in the ordinary enforcement of our 
Section 5 authority on a case-by-case basis. But the purpose of Section 
18 rulemaking is not merely to memorialize unlawful activity that we 
have already fully adjudicated.\27\

[[Page 51291]]

The ANPR allows us to look at harms systematically and address the root 
of that unlawful activity. The limiting principle for the scope of 
conduct we may regulate is the contours of the law itself: acts that 
are both deceptive or unfair and prevalent.
---------------------------------------------------------------------------

    \27\ In fact, we have a different statute for that process: our 
penalty offense authority. See Fed. Trade Comm'n, Notices of Penalty 
Offenses, <a href="https://www.ftc.gov/enforcement/penalty-offenses">https://www.ftc.gov/enforcement/penalty-offenses</a>.
---------------------------------------------------------------------------

Scope of the ANPR

    The scope of the ANPR is reflective of the broad set of issues that 
arise from unfettered commercial data collection and use. That a public 
inquiry into this market asks a wide range of questions--inquiring 
about issues like collection and consent, algorithms, ad-delivery, 
demographic data, engagement, and the ecosystem's effects on kids and 
teens--should not be surprising. This is broadly the same scope of 
issues the Commission is currently examining in our social media and 
video streaming study initiated under Chair Simons in 2020.\28\
---------------------------------------------------------------------------

    \28\ See Lesley Fair, FTC issues 6(b) orders to social media and 
video streaming services (Dec. 14, 2020), <a href="https://www.ftc.gov/business-guidance/blog/2020/12/ftc-issues-6b-orders-social-media-and-video-streaming-services">https://www.ftc.gov/business-guidance/blog/2020/12/ftc-issues-6b-orders-social-media-and-video-streaming-services</a>.
---------------------------------------------------------------------------

    I believe it is appropriate to ask those questions, and more, in this 
ANPR. I expect that the record will alert us, and Congress, to 
widespread harms that may otherwise have not reached our attention. 
Some of those harms may be better addressed under our other sector-
specific privacy authorities or under our competition authority. A 
holistic look at the data economy allows us to better understand the 
interplay between our consumer protection and competition missions and, 
should we get to that stage, propose better and more effective rules.

Are data abuse rules different?

    Some have argued that this exercise of our rulemaking authority is 
permissible to address some unfair or deceptive practices in some other 
sector of the market but not this one.\29\ The rules the agency has 
historically issued already touch hundreds of millions of Americans' 
lives. FTC rules cover business conduct in funerals,\30\ the marketing 
of new opportunities to consumers,\31\ the eyeglasses market,\32\ and 
unfair credit practices.\33\ These rules cover sectors with hundreds of 
billions in economic output. The Franchise Rule,\34\ for example, helps 
govern the business conduct of a sector that employs over 8 million 
people and contributes over 3% to the country's GDP.\35\ This is all to 
say that the ``bigness'' of an industry, or the potential significance 
of rulemaking in that industry, should have little bearing on the legal 
question about the scope of our authority.\36\ As a policy matter, 
``bigness,'' if anything, should compel extra scrutiny of business 
practices on our part, not a free pass, kid gloves, or a punt to 
Congress. Though their products and services touch all our lives, 
technology companies are not exempt from generally applicable laws. If 
we have the authority to police their business practices by case-by-
case enforcement to protect the public from potentially unfair or 
deceptive practices, and we do, then we have the authority to examine 
how ex ante rules may also govern those practices.
---------------------------------------------------------------------------

    \29\ See Jordan Crenshaw, Congress Should Write Privacy Rules, 
Not the FTC, U.S. Chamber of Commerce (Sept. 17, 2021), <a href="https://www.uschamber.com/technology/data-privacy/congress-should-write-privacy-rules-not-the-ftc">https://www.uschamber.com/technology/data-privacy/congress-should-write-privacy-rules-not-the-ftc</a>.
    \30\ 16 CFR part 453.
    \31\ 16 CFR part 437.
    \32\ 16 CFR part 456.
    \33\ 16 CFR part 444.
    \34\ 16 CFR part 436.
    \35\ See Int'l Franchise Ass'n, 2022 Franchising Economic Outlook 
(Feb. 15, 2022) <a href="https://www.franchise.org/franchise-information/franchise-business-outlook/2022franchising-economic-outlook">https://www.franchise.org/franchise-information/franchise-business-outlook/2022franchising-economic-outlook</a>.
    \36\ West Virginia, 142 S. Ct. at 2628 (Kagan, J., dissenting) 
(``A key reason Congress makes broad delegations . . . is so an 
agency can respond, appropriately and commensurately, to new and big 
problems. Congress knows what it doesn't and can't know when it 
drafts a statute; and Congress therefore gives an expert agency the 
power to address issues--even significant ones--as and when they 
arise.'').
---------------------------------------------------------------------------

Issues of Particular Interest

    I want to encourage public participation in this comment period, 
especially from the voices we hear from less at the Commission. Having 
information in the record from a diverse set of communities and 
commenters will strengthen the record and help lay a firm foundation 
for potential agency action. I encourage the public to engage with all 
the issues we have teed up in the ANPR and to think about how 
commercial surveillance and abusive data practices affect them not only 
as consumers of products and services but also as workers, small 
business owners, and potential competitors to dominant firms.\37\ I'm 
eager to see and evaluate the record in its entirety, but there are 
some issues I have had a particular interest in during my time at the 
Commission. I've highlighted some of them below.
---------------------------------------------------------------------------

    \37\ People are far more than simply consumers of products and 
services. Effective consumer protection has to think about people as 
workers and potential entrepreneurs too. See Statement of 
Commissioner Rebecca Kelly Slaughter Regarding Advance Notice of 
Proposed Rulemaking on the Use of Earnings Claims (Feb. 17, 2022), 
<a href="https://www.ftc.gov/system/files/ftc_gov/pdf/RKS%20Earnings%20Claim%20Statement.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/RKS%20Earnings%20Claim%20Statement.pdf</a>.
---------------------------------------------------------------------------

Minimization and Purpose and Use Specifications

    I have spoken at length about my interest in ideas around data 
minimization.\38\ The ANPR asks several questions related to the 
concept, and I am eager to see comments about potentially unlawful 
practices in this area, the state of data collection in the industry, 
and how that relates to user expectations of the products or services 
on offer.\39\
---------------------------------------------------------------------------

    \38\ See Rebecca Kelly Slaughter, Keynote Closing Remarks of 
Commissioner Rebecca Slaughter at IAPP 2021, IAPP (Oct. 22, 2021), 
<a href="https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf">https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf</a>.
    \39\ See ANPR at 31.
---------------------------------------------------------------------------

Civil Rights, Vulnerable Populations, and Discriminatory Algorithms

    Data abuses are a civil rights issue, and commercial surveillance 
can be especially harmful from a civil rights and equity perspective. 
The FTC's own reports have explored these issues for years.\40\ The 
FTC's mission to protect consumers from unfair or deceptive practices 
in commerce must include examining how commercial practices affect the 
marginalized and vulnerable. Discrimination based on protected-class 
status is obviously unfair in the colloquial sense and may sometimes be 
unfair in Section 5 terms as well.\41\ As I have written, failure to 
closely scrutinize the impact of data-driven decision-making tools can 
create discriminatory outcomes.\42\ The ANPR

[[Page 51292]]

asks several questions about the prevalence of such practices, the 
extent of our authority in this area, and how the FTC, working with

[…truncated; see source link]
Indexed from Federal Register on August 22, 2022.
