FTC Commercial Surveillance and Data Security Rulemaking


Enjoy this week's free edition of the Wavelength. Consider joining those who subscribe and get access to all the paywalled content.


The FTC isn’t waiting on Congress to pass data privacy and protection legislation and has started a rulemaking that could address many of the data abuses in the U.S.


Given that the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) seems stalled (although the conclusion of the mid-term elections might shake it loose), the FTC’s rulemaking may turn out to be the most significant U.S. policy development on data privacy and protection. If the agency completes the rulemaking, which would be the first such FTC proceeding in over four decades, the FTC would unlock powers under the FTC Act to fine violators for first offenses at more than $46,500 per offense (a figure adjusted upwards each year to account for inflation). Of course, there will be the inevitable legal challenges, so the agency would be wise to meet each and every procedural requirement.


In August, the United States (U.S.) Federal Trade Commission (FTC) published an advance notice of proposed rulemaking (ANPRM) “to consider the potential need for rules and requirements regarding commercial surveillance and lax data security practices.” Comments were originally due in late October, but the FTC extended the deadline until 21 November by a 4-0-1 vote with Commissioner Christine S. Wilson abstaining.

The FTC said it is publishing the ANPRM:

to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. Specifically, the Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

It should be noted that the FTC is not the only U.S. agency conducting a privacy rulemaking. Last week, the California Privacy Protection Agency (CPPA) released revised draft regulations to implement the “California Privacy Rights Act” (CPRA) (Proposition 24) along with explanatory materials. Also last week, Colorado Attorney General Phil Weiser published draft regulations to effectuate the “Colorado Privacy Act” (Senate Bill 21-190).

FTC Chair Lina Khan has proven to be more aggressive in using the agency’s powers than any of her recent predecessors, including chairs appointed by Democratic Presidents. Khan served as an advisor to former Commissioner Rohit Chopra who now heads the Consumer Financial Protection Bureau. During his FTC tenure, Chopra repeatedly called on his colleagues and the agency to use the broad authority granted under the FTC Act. Khan is cut from the same cloth and has proven ready to upset norms and longstanding agreements about how the agency should operate that originated in the Reagan Administration.

In fact, one of the FTC’s first actions under her tenure was to revamp the Section 18 rulemaking procedures the agency will be using to promulgate a commercial surveillance and data security trade regulation rule (TRR). In a statement explaining the changes, Commissioner Rebecca Kelly Slaughter (who was joined by Khan and Chopra) claimed:

The FTC of the 1980s sought to radically reduce the agency’s rulemaking capacity. A fundamental part of that posture are the agency-promulgated Rules of Practice. Parts 0 and 1 of these Rules shape Commission behavior and process for Section 18 rulemaking. The imposition of requirements beyond what Congress provided in statute has led to the widespread belief among some commentators and policymakers that Section 18 rulemaking is too difficult to address many of the unfair and deceptive practices prevalent in the economy today.

The FTC Act requires the FTC to use the Magnuson-Moss rulemaking procedure to declare certain acts or practices deceptive or unfair, a procedure originally conceived to allow for greater public participation before subsequent amendments made it more restrictive. Nonetheless, the agency must begin with an ANPRM that

§  Contain[s] a brief description of the area of inquiry under consideration, the objectives which the Commission seeks to achieve, and possible regulatory alternatives under consideration by the Commission; and

§  Invite[s] the response of interested parties with respect to such proposed rulemaking, including any suggestions or alternative methods for achieving such objectives.

This is the document the FTC has released.

In terms of further steps, the FTC must then:

§  publish a notice of proposed rulemaking stating with particularity the text of the rule, including any alternatives, which the Commission proposes to promulgate, and the reason for the proposed rule;

§  allow interested persons to submit written data, views, and arguments, and make all such submissions publicly available;

§  provide an opportunity for an informal hearing….; and

§  promulgate, if appropriate, a final rule based on the matter in the rulemaking record…together with a statement of basis and purpose.

Regarding the NPRM, the FTC Act sets a threshold the agency must clear. The FTC can “issue a NPRM…only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.” The statute continues that the FTC “shall make a determination that unfair or deceptive acts or practices are prevalent under this paragraph only if—

§  it has issued cease and desist orders regarding such acts or practices, or

§  any other information available to the Commission indicates a widespread pattern of unfair or deceptive acts or practices.

Throughout the ANPRM, there are a number of mentions of how prevalent commercial surveillance and lax data security standards are. Moreover, the agency discusses its many data security and privacy actions. Hence, it appears that the agency is preparing to meet both prongs of this test. However, the prevalence prong will allow the agency to address practices it has not yet punished in any significant way, thus allowing the potential rule to be broader than it might be if the agency relied only on its enforcement actions.

Finally, as noted earlier, violations of TRRs allow the FTC to seek in court fines of over $46,500 per violation and a range of injunctive and equitable relief. If the FTC finishes this TRR rulemaking, the agency will be poised to wield its most potent powers against commercial surveillance and lax data security standards.

The FTC discussed its many data security and surveillance actions brought under Section 5 that “have alleged that certain practices violate Section 5 of the FTC Act or other statutes to the extent they pose risks to physical security, cause economic or reputational injury, or involve unwanted intrusions into consumers' daily lives.” The agency listed just some of the actions, which include:

§  public disclosure of consumers' financial information in responses to consumers' critical online reviews of the publisher's services; [89]

§  pre-installation of ad-injecting software that acted as a man-in-the-middle between consumers and all websites with which they communicated and collected and transmitted to the software developer consumers' internet browsing data; [90]

§  solicitation and online publication of “revenge porn”—intimate pictures and videos of ex-partners, along with their personal information—and the collection of fees to take down such information; [91]

§  development and marketing of “stalkerware” that purchasers surreptitiously installed on others' phones or computers in order to monitor them; [92]

§  retroactive application of material privacy policy changes to personal information that businesses previously collected from users; [93]

§  distribution of software that caused or was likely to cause consumers to unwittingly share their files publicly; [94]

§  collection of phone numbers and email addresses to improve social media account security, but then deceptively using that data to allow companies to target advertisements in violation of an existing consent order; [99]

In listing its reasons for the rulemaking, the FTC stated that “extensive enforcement and policy work over the last couple of decades on consumer data privacy and security has raised important questions about the prevalence of harmful commercial surveillance and lax data security practices.” Again, as noted above, showing the prevalence of practices can permit the FTC to proceed with a rulemaking. The agency claimed that “[t]his experience suggests that enforcement alone without rulemaking may be insufficient to protect consumers from significant harms.” The FTC pointed to its lack of authority generally to fine offenders for first violations, which “may insufficiently deter future law violations” and “put firms that are careful to follow the law, including those that implement reasonable privacy-protective measures, at a competitive disadvantage.” Hence, a TRR would put all parties on notice and would lead to an increase in data security.

Additionally, the FTC argued that injunctive relief is of limited value in many actions related to data privacy and protection because the personal data may have already been spread far and wide by the time the wrongdoer is enjoined by a court. The agency also pointed to the difficulty of quantifying financial harm tangibly enough to calculate appropriate damages to seek from a court. Moreover, harm may be so attenuated with respect to time that it is impossible to calculate today the damages of tomorrow. For example, revenge porn could have repercussions that are not foreseeable when an offender is prosecuted.

As for what the FTC wants to learn from stakeholders and others, the agency “invites public comment on:

(a) the nature and prevalence of harmful commercial surveillance and lax data security practices,

(b) the balance of costs and countervailing benefits of such practices for consumers and competition, as well as the costs and benefits of any given potential trade regulation rule, and

(c) proposals for protecting consumers from harmful and prevalent commercial surveillance and lax data security practices.

However, the FTC was careful in explaining the above questions do not define the scope of the potential rulemaking:

This ANPR does not identify the full scope of potential approaches the Commission might ultimately undertake by rule or otherwise. It does not delineate a boundary on the issues on which the public may submit comments. Nor does it constrain the actions the Commission might pursue in an NPRM or final rule. The Commission invites comment on all potential rules, including those currently in force in foreign jurisdictions, individual U.S. states, and other legal jurisdictions.

One of the FTC Commissioners took issue with this passage as explained below.

Nonetheless, the FTC explained that the ANPRM “has alluded to only a fraction of the potential consumer harms arising from lax data security or commercial surveillance practices, including those concerning physical security, economic injury, psychological harm, reputational injury, and unwanted intrusion.” The agency posed a series of questions for interested parties to answer grouped under these headings:

§ To what extent do commercial surveillance practices or lax security measures harm consumers?

§ To what extent do commercial surveillance practices or lax data security measures harm children, including teenagers?

§ How should the Commission balance costs and benefits?

§ How, if at all, should the Commission regulate harmful commercial surveillance or data security practices that are prevalent?

In her statement for the ANPRM, Khan exhibited flexibility regarding the possibility of the enactment of ADPPA sidelining the FTC’s data privacy and protection rulemaking:

If Congress passes strong federal privacy legislation—as I hope it does—or if there is any other significant change in applicable law, then the Commission would be able to reassess the value-add of this effort and whether continuing it is a sound use of resources. The recent steps taken by lawmakers to advance federal privacy legislation are highly encouraging, and our agency stands ready to continue aiding that process through technical assistance or otherwise sharing our staff's expertise.[12] At minimum, the record we will build through issuing this ANPR and seeking public comment can serve as a resource to policymakers across the board as legislative efforts continue.

Of course, an aggressive, Khan-led FTC set on activating dormant powers to bar widespread data practices may motivate Republican and industry stakeholders to reach a deal with California Democrats on preemption of state privacy statutes as a means of ending this rulemaking.

Khan also highlighted “a few topics from the ANPR on which I am especially eager for us to build a record:

§  Procedural protections versus substantive limits: Growing recognition of the limits of the “notice and consent” framework prompts us to reconsider more generally the adequacy of procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place.[13] Are there contexts in which our unfairness authority reaches a greater set of substantive limits on data collection? [14] When might bans and prohibitions on certain data practices be most appropriate? [15]

§  Administrability: Information asymmetries between enforcers and market participants can be especially stark in the digital economy. How can we best ensure that any rules we pursue can be easily and efficiently administered and that these rules do not rest on determinations we are not well positioned to make or commitments we are not well positioned to police? How have jurisdictions successfully managed to police obligations such as “data minimization”? [16]

§  Business models and incentives: How should we approach business models that are premised on or incentivize persistent tracking and surveillance, especially for products or services consumers may not be able to reasonably avoid? [17]

§  Discrimination based on protected categories: Automated systems used by firms sometimes discriminate based on protected categories—such as race, color, religion, national origin, or sex—including in contexts where this discrimination is unlawful.[18] How should we consider whether new rules should limit or forbid discrimination based on protected categories under our Section 5 unfairness authority? [19]

§  Workplace surveillance: Reports suggest extensive tracking, collection, and analysis of consumer data in the workplace has expanded exponentially.[20] Are there particular considerations that should govern how we consider whether data abuses in the workplace may be deceptive or unfair? [21]

In her statement as part of the ANPRM, Slaughter highlighted another impetus for a TRR on data privacy and protection: the FTC Act permits the agency to seek and receive under TRRs a range of monetary relief that the Supreme Court of the United States took away in other types of cases in AMG Capital. Slaughter said:

Providing a financial penalty for first-time lawbreaking is now, in the wake of the loss of our Section 13(b) authority, a particular necessity. Last year, the Supreme Court ruled that we can no longer seek monetary relief in federal court for violations of the FTC Act under our 13(b) authority.[13] I have testified in Congress that the loss of this authority is devastating for consumers who now face a significantly steeper uphill battle to be made whole after suffering a financial injury stemming from illegal conduct.[14] But the loss of 13(b) also hampers our ability to deter unlawful conduct in the first place. In its absence, and without a statutory fix, first-time violators of the FTC Act are unlikely to face monetary consequences for their unlawful practices.[15] Trade Regulation Rules enforced under Section 19 can enable such consequences.

Hence, the FTC could seek monetary damages like restitution and disgorgement of ill-gotten gains for a violation of a TRR on data privacy and protection of the sort the agency can no longer seek for most Section 5 offenses.

Like Khan, Slaughter expressed her preference for Congress to enact ADPPA or another strong data privacy and protection law. She went so far as to claim that the Magnuson-Moss rulemaking “will not clip the wings of Congressional ambition…[and] [o]ur work here is complementary to Congress' efforts.”

Outgoing Commissioner Noah Joshua Phillips argued against the ANPRM in saying:

National consumer privacy laws pose consequential questions, which is why I have said, repeatedly,[2] that Congress—not the FTC—is where national privacy law should be enacted.

Phillips continued:

So I don't think we should do this. But if you're going to do it, do it right. The Commercial Surveillance and Data Security advance notice of proposed rulemaking (“ANPR”) issued today by a majority of commissioners provides no notice whatsoever of the scope and parameters of what rule or rules might follow; thereby, undermining the public input and congressional notification processes. It is the wrong approach to rulemaking for privacy and data security.

Phillips further contended:

What the ANPR does accomplish is to recast the Commission as a legislature, with virtually limitless rulemaking authority where personal data are concerned. It contemplates banning or regulating conduct the Commission has never once identified as unfair or deceptive. That is a dramatic departure even from recent Commission rulemaking practice. The ANPR also contemplates taking the agency outside its bailiwick. At the same time, the ANPR virtually ignores the privacy and data security concerns that have animated our enforcement regime for decades. A cavalcade of regulations may be on the way, but their number and substance are a mystery.

It is interesting that Phillips never claims that the FTC is acting outside its mission and statutory grant of authority in initiating a rulemaking. Rather, he frames the ANPRM as the FTC supplanting the Congress as the policymaker and alleges a number of procedural defects. Phillips seems to be suggesting that the majority is violating 15 USC 57a, the section of the FTC Act setting out rulemaking procedures, notably because the notice “provides no notice whatsoever of the scope and parameters of what rule or rules might follow.” However, the relevant section of the FTC Act explains that an ANPRM must:

contain a brief description of the area of inquiry under consideration, the objectives which the Commission seeks to achieve, and possible regulatory alternatives under consideration by the Commission;

To my eye, the FTC has met this statutory burden.

As mentioned above, the FTC’s rulemaking will be challenged from numerous angles as conservative and industry groups will try almost every possible approach to entice an increasingly conservative judiciary to strike down the rulemaking. These groups would settle for injunctions that push the effective date of regulations into the future when a friendlier FTC is installed that is less inclined to move aggressively.

Finally, funding has been an issue for the agency over the last 40 years. If the FTC does not receive increased funding, a strong TRR would be rarely enforced or enforced at the cost of other FTC responsibilities being neglected. Even though the House recently passed the “Merger Filing Fee Modernization Act of 2022” (H.R.3843), a bill that would provide dramatically more money for the FTC’s merger oversight and enforcement responsibilities, it would not explicitly provide funding for the agency’s other activities. Presumably, Congress could allow the FTC to use more of the increased merger fee proceeds to fund antitrust activities while keeping the agency’s appropriated funding steady, which would result in a de facto boost for the FTC. But opponents of a robust regulatory state seek to keep funding down and then impugn agencies when they cannot execute all their missions. Such has been the story of the FTC over the last four decades.

Other Developments

The United Kingdom’s (UK) Competition and Markets Authority (CMA) ordered Meta/Facebook to sell Giphy and published its final report. The CMA “found that Meta’s takeover of Giphy could allow Meta to limit other social media platforms’ access to GIFs, making those sites less attractive to users and less competitive.” In June, the UK’s Competition Appeal Tribunal ruled against Meta/Facebook on most grounds.

The White House revealed it had “convened leaders from the private sector, academic institutions, and the U.S. Government to advance a national cybersecurity labeling program for Internet-of-Things (IoT) devices” and based on those discussions “will continue to develop the national cybersecurity labeling program for a targeted rollout in the Spring of 2023.”

The Biden Administration published its “National Security Strategy” that “outlines how the United States will advance our vital interests and pursue a free, open, prosperous, and secure world” that includes a subsection titled “Securing Cyberspace.”

The United States (U.S.) National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory that exposed the “Top Common Vulnerabilities and Exposures (CVEs) Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors” since 2020.

The United States Court of Appeals for the Fifth Circuit ruled that the Consumer Financial Protection Bureau’s source of funding is unconstitutional.

The United States Office of the Director of National Intelligence published an “unclassified Intelligence Community product dated April 2021” titled “Chinese Space Activities Will Increasingly Challenge U.S. Interests Through 2030.”

The United States (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) amended “the Export Administration Regulations (EAR) to implement necessary controls on advanced computing integrated circuits (ICs), computer commodities that contain such ICs, and certain semiconductor manufacturing items” and expanded “controls on transactions involving items for supercomputer and semiconductor manufacturing end uses, for example, this rule expands the scope of foreign-produced items subject to license requirements for twenty-eight existing entities on the Entity List that are located in China.”

New York’s Department of Financial Services stated “that EyeMed Vision Care LLC (“EyeMed”) will pay a $4.5 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors.”

The United States (U.S.) and United Kingdom (UK) launched the “U.S.-UK Comprehensive Dialogue on Technology and Data building on our 2021 commitment to develop a landmark bilateral Technology Partnership, and on significant progress made on U.S.-UK data adequacy.”

The United States (U.S.) Transportation Security Administration (TSA) announced “a new cybersecurity security directive regulating designated passenger and freight railroad carriers” “Enhancing Rail Cybersecurity – SD 1580/82-2022-01,” that “strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes.”

Canada’s Parliament’s Standing Committee on Access to Information, Privacy and Ethics published its “report on the use of facial recognition technology and the growing power of artificial intelligence.”

The United States (U.S.) Federal Trade Commission (FTC) published an Advance Notice of Proposed Rulemaking to possibly incorporate a requirement that manufacturers include repair instructions in the agency’s Energy Labeling Rule.

The United States (U.S.) Department of Commerce’s National Telecommunications and Information Administration (NTIA) announced “it has awarded 23 grants as part of the Tribal Broadband Connectivity Program (TBCP)…totaling more than $601.6 million, bring the total of the program to $1.35 billion awarded to 94 Tribal entities.”

The United States (U.S.) Securities and Exchange Commission announced “charges against Kim Kardashian for touting on social media a crypto asset security offered and sold by EthereumMax without disclosing the payment she received for the promotion” and “Kardashian agreed to settle the charges, pay $1.26 million in penalties, disgorgement, and interest, and cooperate with the Commission’s ongoing investigation.”

The Australian government “has prepared amendments to the Telecommunications Regulations 2021 to better protect Australians following the Optus data breach.”

Arizona Attorney General Mark Brnovich announced “a historic $85 million settlement with Google LLC for deceptively obtaining users’ location data to make billions of dollars in profit.”

The United States (U.S.) Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed new sanctions on a Russian Federation entity through the designation of “a Russian network that procured military and sensitive dual-use technologies from U.S. manufacturers and supplied them to Russian end-users.” The U.S. Departments of Commerce, State, and Treasury also published an alert “detailing the impact of international sanctions and export controls.”

The G7 published a “Compendium of Approaches to Improving Competition in Digital Markets” and an “inventory of new rules for digital markets” after the G7 Joint Competition Policy Makers & Enforcers Summit.

The University of Toronto’s Citizen Lab identified “New Pegasus Spyware Abuses” in Mexico aimed at “journalists and a human rights defender taking place between 2019-2021.”

The White House issued “the National Strategy for Advanced Manufacturing,” a quadrennial strategy that “outlines a vision for the U.S. to lead in advanced manufacturing — to grow the economy, create jobs, enhance environmental sustainability, address climate change, ensure national security and improve health care.”

The Organisation for Economic Co-operation and Development published a report titled “Cross-border Data Flows: Taking Stock of Key Policies and Initiatives” that “takes stock of key policies and initiatives on cross-border data flows to inform and support G7 countries’ engagement on this policy agenda.”

Further Reading

“Documents detail plans to gut Twitter’s workforce” By Elizabeth Dwoskin, Faiz Siddiqui, Gerrit De Vynck and Jeremy B. Merrill — Washington Post

“Twitter Tumbles After US Weighs Security Reviews for Musk Deals” By Jennifer Jacobs and Saleha Mohsin — Bloomberg

“Twitter, Musk Talks Warm Up as Buyout Closing Deadline Nears” By Paula Seligson, Katie Roof, and Ed Hammond — Bloomberg

“Dollars to Megabits, You May Be Paying 400 Times As Much As Your Neighbor for Internet Service” By Leon Yin and Aaron Sankin — The Markup

“Social media platforms brace for midterm elections mayhem” By David Klepper — Associated Press

“White House rallies industry support for Internet of Things labeling effort” By Suzanne Smalley and Tonya Riley — Cyberscoop

“Facebook owner Meta to sell Giphy after UK watchdog confirms ruling” By Mark Sweney — The Guardian

“Western suppliers cut ties with Chinese chipmakers as U.S. curbs bite” By Jeanne Whalen — Washington Post

“Report: TikTok bad at culling US election misinformation ads” By Barbara Ortutay — Associated Press

“Biden Proposal to Make Gig Workers Employees Sinks Uber and Lyft Stock” By Edward Ongweso Jr — Vice

“German cybersecurity chief sacked following reports of Russia ties” By Philip Oltermann — The Guardian

“The Regulators of Facebook, Google and Amazon Also Invest in the Companies’ Stocks” By Brody Mullins, Rebecca Ballhaus, Chad Day, John West and Coulter Jones — Wall Street Journal

“‘They said: aren’t you that porn star?’ The woman hunting down image-based abuse” By Ingri Bergo and Mathilde Saliou — The Guardian

Coming Events

§ 26 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 27 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.

§ 1 February 2023

o   The Colorado Attorney General will hold a rulemaking hearing on the draft regulations proposed to implement the “Colorado Privacy Act.”
