The FTC issued a detailed notice of proposed rulemaking on August 11, 2022 regarding commercial surveillance and data security. The Commission has also published a fact sheet on commercial surveillance.

Here are some key points:

What’s wrong with commercial surveillance?

The FTC is concerned that:

  • Businesses have a strong incentive to develop products and services that track and monitor consumers’ online activities as much as possible.
  • Companies collect vast amounts of consumer information, only a small fraction of which they proactively share with consumers. This includes browsing and purchase histories, location and physical movements, and a wide range of other personal information, including data purchased from data brokers.
  • Companies use algorithms and automated systems to analyze the information they collect to create consumer profiles and make inferences about consumers to predict their behavior and preferences.
  • Companies monetize surveillance in various ways.
  • Companies require people to sign up for monitoring as a condition of service. Businesses can deny access to consumers who do not want their personal information shared with other parties – or require consumers to pay a premium to keep their personal information confidential. These data practices and the lack of meaningful alternatives raise the question of whether consumers are truly consenting.
  • Companies reserve the right to change their privacy terms once consumers register for a product or service. Consumers who wish to retain access may have no choice but to accept these updated terms, even those that materially violate previous privacy promises.
  • Algorithms are subject to errors, biases and inaccuracies. These flaws often come from the design process.
  • Companies are increasingly using dark patterns or marketing to influence or coerce consumers into making choices they wouldn’t otherwise make, including making purchases or sharing personal information.

Why do we need regulation?

  • Enforcement alone without rule-making may be insufficient to protect consumers from significant harm.
  • Trade regulation rules would establish clear legal requirements or benchmarks against which to assess covered companies. They would also incentivize all businesses to invest more consistently in compliance because, under the FTC Act, the Commission can impose civil penalties for the first violation of duly enacted trade regulation rules.
  • Injunctions, which the FTC can issue, are not always enough to prevent damage.
  • Even in cases where the Commission can obtain monetary relief for a breach of Section 5, such relief may be difficult to apply to certain harmful commercial surveillance practices or lax data security practices that do not cause direct financial harm or other widely accepted, quantifiable harm.
  • A trade regulation rule could bring clarity and predictability to the application of the law to existing and emerging commercial surveillance and data security practices that, given institutional constraints, may be difficult to address case by case.

Key points to note:

  • The FTC cites the GDPR, CPRA, CPA, UCPA and CTDPA as laws that partially regulate this area.
  • The rules would apply to businesses and workers, not just to individuals who buy or trade data for retail goods and services.
  • Emphasis on data minimization and deceptive design as well as invisible processing.
  • Emphasis on disclosure and transparency; prevent opaque/vague disclosures.
  • Consider mandatory reporting of third-party data protection impact assessments regarding surveillance practices.
  • The focus is on freely given, EU GDPR-style consent that is not conditional on receiving the service.
  • The questions leave open the possibility of a rule also dealing with non-personal data.
  • Focus on information relating to children with questions on child protection (up to 17 years old); obligations of companies whose services are not intended for children/adolescents and a possible outright ban on targeted advertising for children.
  • Emphasis on information security with a potential prospect of prescriptive regulation of administrative, technical and physical security measures.
  • Focus on data minimization, including limiting collection; limitation of purpose, as well as limitation of storage; and the potential limitation of companies in certain sectors (healthcare, finance, etc.) to engage in targeted advertising.
  • Emphasize algorithmic fairness and transparency and consider outright limitation of certain automated decision-making practices, including in targeted advertising.

Key Questions for Public Comment:

(A) To what extent do commercial surveillance practices or lax security measures harm consumers?

  • How, if at all, do these commercial surveillance practices harm consumers or increase the risk of harming consumers?
  • Are there harms that consumers may not readily discern or identify?
  • Are there any harms that consumers cannot easily quantify or measure?
  • What areas or types of harm, if any, has the Commission failed to address through its enforcement actions?
  • Has the Commission adequately dealt with consequential pecuniary damages?
  • What types of data should be subject to a potential trade regulation rule?

(B) To what extent do commercial surveillance practices or lax data security measures harm children, including adolescents?

  • Are there any practices or measures to which children or adolescents are particularly vulnerable or sensitive (e.g. misleading design)?
  • What types of commercial surveillance practices involving data on children and adolescents are of most concern?
  • Under what circumstances, if any, is it an unfair business practice for a company to fail to protect the privacy of children and adolescents, such as by not providing privacy-protective default settings, even if the site or service does not target minors?
  • Should the new rules set clear limits on personalized advertising aimed at children and teens, regardless of parental consent?

(C) How should the Commission balance costs and benefits?

(D) How, if at all, should the Commission regulate prevalent harmful commercial surveillance or data security practices?

  • Should the Commission initiate rulemaking under Section 18 on data security?
  • Should the Commission consider limiting commercial surveillance practices that use or facilitate the use of facial recognition, fingerprints or other biometric technologies?
  • To what extent, if any, should the Commission prevent companies that provide specifically listed services (e.g. finance, healthcare, research or social media) from owning or operating a business that engages in specific commercial surveillance practices such as advertising?
  • Should the rules, for example, institute data minimization requirements or purpose limitations, i.e. prevent companies from collecting, retaining, using or transferring consumer data beyond a certain predefined point?
  • Should new trade regulation rules restrict how long companies collect or retain consumer data?
  • Under a purpose limitation rule, how, if at all, should the Commission determine whether data consumers provide for a specific purpose has been used solely for that specific purpose?
  • To what extent, if any, should the Commission require companies to certify that their commercial surveillance practices meet clear standards regarding the collection, use, retention, transfer or monetization of consumer data?
  • To what extent, if any, should the new rules require companies to take specific steps to prevent algorithmic errors?
  • If new rules restrict certain automated decision-making practices, what alternatives, if any, would replace them?
  • How should the Commission approach such algorithmic discrimination?
  • Under what circumstances, if any, is consumer consent likely to be effective?
  • To what extent should new trade regulation rules prohibit specific commercial surveillance practices, whether or not consumers consent?
  • To what extent should the Commission consider rules requiring companies to make available information about their commercial surveillance practices?
  • To what extent, if any, should trade regulation rules require companies to explain (1) what data they use, (2) how they collect, store, disclose or transfer that data, (3) how they choose to implement a particular system or automated decision-making process to analyze or process the data, including consideration of alternative methods, (4) how they process or use that data to make a decision, (5) whether they rely on a third-party provider to make such decisions, (6) the impacts of their commercial surveillance practices, including disparities or other distributional outcomes among consumers, and (7) the risk mitigation measures taken to address potential harm to consumers?
  • To what extent, if any, should the Commission make regular self-reporting, third-party audits or assessments, or self-administered impact assessments of commercial surveillance practices a permanent obligation?

For more information, follow these links:

Rules creation page

Commercial Surveillance Fact Sheet

Text of proposed regulation