FTC Launches Detailed Notice of Proposed Rulemaking on Commercial Surveillance, Data Security

Fox Rothschild LLP

The FTC launched a detailed notice of proposed rulemaking on August 11, 2022, regarding commercial surveillance and data security. The Commission also released a fact sheet on commercial surveillance.

Here are some key points:

What is the issue with commercial surveillance?

The FTC is concerned that:

  • Companies have strong incentives to develop products and services that track and surveil consumers’ online activities as much as possible.
  • Companies collect vast troves of consumer information, only a small fraction of which consumers proactively share. This includes: browsing and purchase histories, location and physical movements and a wide range of other personal details, including data purchased from data brokers.
  • Companies use algorithms and automated systems to analyze the information they collect to build consumer profiles and make inferences about consumers to predict their behavior and preferences.
  • Companies monetize surveillance in a wide variety of ways.
  • Companies require people to sign up for surveillance as a condition for service. Companies may deny access to consumers who do not wish to have their personal information shared with other parties – or require consumers to pay a premium to keep their personal information private. These data practices, and the lack of meaningful alternatives, raise questions about whether consumers are really consenting.
  • Companies reserve the right to change their privacy terms after consumers sign up for a product or service. Consumers who want to maintain access may have no choice but to accept those updated terms, even those that materially break previous privacy promises.
  • Algorithms are prone to errors, bias and inaccuracy. These flaws often stem from the design process.
  • Companies increasingly employ dark patterns or marketing to influence or coerce consumers into choices they would otherwise not make, including purchases or sharing personal information.

Why do we need the rulemaking?

  • Enforcement alone without rulemaking may be insufficient to protect consumers from significant harm.
  • Trade regulation rules would set clear legal requirements or benchmarks by which to evaluate covered companies. They also would incentivize all companies to invest in compliance more consistently because, pursuant to the FTC Act, the Commission may impose civil penalties for first-time violations of duly promulgated trade regulation rules.
  • Injunctions, which the FTC can issue, are not always sufficient to prevent harm.
  • Even in those instances in which the Commission can obtain monetary relief for violations of Section 5, such relief may be difficult to apply to some harmful commercial surveillance or lax data security practices that may not cause direct financial injury or other broadly accepted ways of quantifying harm.
  • A trade regulation rule could provide clarity and predictability about the statute’s application to existing and emergent commercial surveillance and data security practices that, given institutional constraints, may be hard to equal or keep up with, case-by-case.

Key points to note:

  • The FTC calls out GDPR, CPRA, CPA, UCPA, CTDPA as laws that somewhat regulate this area.
  • The rulemaking will apply to businesses and workers, not just individuals who buy or exchange data for retail goods and services.
  • Emphasis on data minimization and deceptive design as well as invisible processing.
  • Emphasis on disclosure and transparency; preventing opaque/vague disclosures.
  • Considering mandatory reporting of third-party data protection impact assessments re: surveillance practices.
  • Emphasis on freely given, EU GDPR-style consent which is not conditioned on a service.
  • Questions leave open the possibility of a rule dealing with non-personal data as well.
  • Emphasis on children's information with questions on protections of children (up to 17); obligations of companies whose services are not targeted at children/teenagers and potential outright prohibition of targeted advertising for children altogether.
  • Emphasis on information security with a potential view for prescriptive regulation of administrative, technical and physical security measures.
  • Emphasis on data minimization, including limitation on collection; purpose limitation, as well as limitation on retention; and potential limitation on companies from certain sectors (health, financial etc.) on engaging in targeted advertising altogether.
  • Emphasis on algorithmic fairness and transparency and considering an outright limitation on certain automated decision-making practices including in targeted advertising.

Key Questions for Public Comment:

(A) To What Extent Do Commercial Surveillance Practices or Lax Security Measures Harm Consumers?

  • How, if at all, do these commercial surveillance practices harm consumers or increase the risk of harm to consumers?
  • Are there some harms that consumers may not easily discern or identify?
  • Are there some harms that consumers may not easily quantify or measure?
  • Which areas or kinds of harm, if any, has the Commission failed to address through its enforcement actions?
  • Has the Commission adequately addressed indirect pecuniary harms?
  • Which kinds of data should be subject to a potential trade regulation rule?

(B) To What Extent Do Commercial Surveillance Practices or Lax Data Security Measures Harm Children, Including Teenagers?

  • Are there practices or measures to which children or teenagers are particularly vulnerable or susceptible (e.g. deceptive design)?
  • What types of commercial surveillance practices involving children and teens’ data are most concerning?
  • In what circumstances, if any, is a company’s failure to provide children and teenagers with privacy protections, such as not providing privacy-protective settings by default, an unfair practice, even if the site or service is not targeted to minors?
  • Should new rules set out clear limits on personalized advertising to children and teenagers irrespective of parental consent?

(C) How Should the Commission Balance Costs and Benefits?

(D) How, if at All, Should the Commission Regulate Harmful Commercial Surveillance or Data Security Practices that Are Prevalent?

  • Should the Commission commence a Section 18 rulemaking on data security?
  • Should the Commission consider limiting commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies?
  • To what extent, if at all, should the Commission limit companies that provide any specifically enumerated services (e.g., finance, healthcare, search, or social media) from owning or operating a business that engages in any specific commercial surveillance practices like personalized or targeted advertising?
  • Should they, for example, institute data minimization requirements or purpose limitations, i.e., limit companies from collecting, retaining, using, or transferring consumer data beyond a certain predefined point?
  • Should new trade regulation rules restrict the period of time that companies collect or retain consumer data?
  • Pursuant to a purpose limitation rule, how, if at all, should the Commission discern whether data that consumers give for one purpose has been only used for that specified purpose?
  • To what extent, if at all, should the Commission require firms to certify that their commercial surveillance practices meet clear standards concerning collection, use, retention, transfer, or monetization of consumer data?
  • To what extent, if at all, should new rules require companies to take specific steps to prevent algorithmic errors?
  • If new rules restrict certain automated decision-making practices, which alternatives, if any, would take their place?
  • How should the Commission address such algorithmic discrimination?
  • In which circumstances, if any, is consumer consent likely to be effective?
  • To what extent should new trade regulation rules prohibit certain specific commercial surveillance practices, irrespective of whether consumers consent to them?
  • To what extent should the Commission consider rules that require companies to make information available about their commercial surveillance practices?
  • To what extent should trade regulation rules, if at all, require companies to explain (1) the data they use, (2) how they collect, retain, disclose, or transfer that data, (3) how they choose to implement any given automated decision-making system or process to analyze or process the data, including the consideration of alternative methods, (4) how they process or use that data to reach a decision, (5) whether they rely on a third-party vendor to make such decisions, (6) the impacts of their commercial surveillance practices, including disparities or other distributional outcomes among consumers, and (7) risk mitigation measures to address potential consumer harms?
  • To what extent should the Commission, if at all, make regular self-reporting, third-party audits or assessments, or self-administered impact assessments about commercial surveillance practices a standing obligation?

For more information, follow these links:

Rulemaking page

Commercial surveillance fact sheet

Text of proposed Rulemaking


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
