The FTC has issued a long-standing Notice of Proposed Rulemaking (ANPR) regarding business surveillance and data security practices. The FTC invites the public to comment on a wide range of issues (through more than 95 questions) and hints at the possibility of adopting general and prescriptive data privacy and security regulations. Key areas include: (1) harm to consumers from commercial surveillance and data security practices; (2) unique considerations for certain demographics, especially children and sheltered classes; (3) automated decision-making (including artificial intelligence or machine learning (AI/ML)) has caused error, bias, and discrimination; (4) consumer consents and notices/disclosures to consumers regarding commercial oversight and data security practices; (5) how best to regulate these practices; and (6) cost-effectiveness and trade-off considerations of proposed regulation. Many of the topics raised in the ANPR go beyond the FTC’s December 2021 Statement of Regulatory Priorities.
More details on ANPR are included below; comments will be due 60 days after the ANPR is published in the Federal Register. A public forum will also take place on September 8.
The extent of damage to consumers (including children and adolescents). ANPR is seeking more information about the types of harm and how they affect consumers. Questions include, for example, whether and what damages may not be easy to identify or quantify, as well as whether regulation should focus on certain types of data based on data damage risks. ANPR also indicates that different types of consumers may be harmed differently (including children, adolescents, and protected classes) and asks (1) how harms may be particular to various demographic groups and (2) whether regulation should consider special requirements to protect these demographics. These questions are particularly notable because the FTC is currently undertaking a separate review of COPPA.
Data Security. The FTC asks what the granularity of data protection rules should be and whether it should leverage existing requirements such as those in the Children’s Online Privacy Protection Act (COPPA) and the Data Protection Rule. FTC under the Gramm–Leach–Bliley Act (GLBA).
Notice, Transparency and Disclosure. The FTC asks what information about consumer data practices should be made public and what processes enable transparency, as well as what role third parties should play in administering disclosure requirements or conducting audits or investigations. assessments of data practices.
Consumer Consent. The FTC is seeking comment on the effective consent standard, whether certain activities should go beyond consent capacity, and how to provide and enforce opt-out rights.
Collection, use, storage and transfer of consumer data. The FTC asks if and how it should limit biometric data and personalized or targeted advertising practices. It also seeks feedback on data minimization, purpose limitation and data retention requirements, and how to account for interoperability.
Discrimination based on protected categories. The FTC also asks about the prevalence of algorithmic discrimination based on protected categories (e.g. race, gender, age), impact on consumers, how the FTC should assess and address algorithmic discrimination , and whether it should consider rules on algorithmic discrimination in areas where Congress has explicitly legislated, such as housing and employment.
Automated decision systems. The FTC seeks information about the prevalence and inevitability of algorithmic error in automated decision-making systems; what companies can do to avoid algorithmic errors, if any; and what legal theories support limitations on the use of automated systems or prevent the FTC from regulating these and related activities.
Remedies and Obsolescence. The FTC invites comments on the recourse structures for any new rules it adopts and on how rulemaking should take into account changing business models and practices.
Cost-benefit considerations. The FTC recognizes that any potential regulation involves trade-offs. It seeks to understand the potential costs and benefits of regulation and its impact on innovation, competition and consumer access to free services based on current models. The ANPR also wonders about the quantification of these trade-offs, whether the analysis is different in the context of informing children, and whether certain companies should be exempted from certain rules depending on the size or nature of the company consumer data.
Finally, ANPR also notes that the FTC may pursue additional regulatory activities as a result of the above.