Major Changes Ahead for the Digital Economy? What Companies Should Know About FTC’s Privacy, Data Security and Algorithm Rulemaking Proceeding
On August 22, 2022, the Federal Register published an Advance Notice of Proposed Rulemaking (ANPR) by the US Federal Trade Commission (FTC or Commission) to address what the FTC characterized in its press release as “harmful commercial surveillance and lax data security.” The FTC’s new Democratic majority, in a 3-2 party-line vote, agreed to issue the ANPR, which also covers automated decision-making. The broad scope of the ANPR—and the Commission’s announcement that “it is exploring rules to crack down on” harmful practices—signal that major regulatory changes affecting the digital economy may be on the horizon. (We provided a brief summary of the ANPR in our August 15 blog post.)
For months, FTC Chair Lina Khan has indicated that developing regulations on data security, privacy and automated decision-making would be a top priority for the Commission. Chair Khan and her fellow commissioners (Commissioners Alvaro Bedoya, Rebecca Kelly Slaughter, Christine Wilson, and Noah Joshua Phillips) believe the FTC’s current approach of regulation through case-by-case enforcement does not sufficiently protect consumers. As Chair Khan has emphasized, adopting regulations would enable the Commission to fine first-time violators, which it generally cannot do under the FTC Act;1 and the very existence of rules would set a baseline for business behavior to prevent injuries that can be difficult to remediate through case-by-case enforcement.
To help inform its planned rulemaking, the FTC will hold a virtual public forum on September 8, 2022. In addition, the Commission is soliciting written comments on a wide range of topics to help guide its formulation of rules. These topics include companies’ practices in collecting, using and retaining consumer data and when those practices might involve sharing, selling or monetizing consumer data unfairly or deceptively. According to the FTC, even if it ultimately declines to pursue rulemaking, the “comments will help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers.”
Comments must be received on or before November 21, 2022.
Overview and Scope of the ANPR
The ANPR’s definitions of “commercial surveillance” and “consumers” indicate that the FTC may be contemplating a sweeping scope for new regulations. “Commercial surveillance” is broadly defined as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.” This definition appears to cover virtually any type of processing of consumer data.
The ANPR’s definition of “consumers” is also expansive: it includes businesses and workers, “not just individuals who buy or exchange data for retail goods and services.” This definition of “consumer” is vastly broader than generally exists under existing privacy laws and almost certainly would increase compliance burdens on companies.
The breadth of the anticipated rules is further indicated by the questions on which the FTC seeks comment—95 in total—many of which are open-ended and have various subparts. Below we highlight some of those questions to provide insight into the issues the FTC plans to address.
The FTC has an extensive history of disciplining companies for allegedly lax security under the “unfairness” prong of the Commission’s statutory authority. In the ANPR, the FTC seeks comments on whether to codify data security requirements, and on how granular those requirements should be. Among other things, the FTC contemplates requiring companies to certify that their “data practices meet clear security standards.” The Commission also asks whether it should set these standards or rely on third parties, potentially including trade associations as well as standards bodies such as the National Institute of Standards and Technology or the International Standards Organization, to do so. It also asks whether it should incorporate the data security requirements imposed under laws such as the Children’s Online Privacy Protection Act, the EU/UK General Data Protection Regulation (GDPR), the Gramm-Leach Bliley Act (GLBA) Safeguards Rule, or other federal or state laws as a template for its new rules.2
The FTC also asks whether it should codify the prohibition on deceptive claims regarding consumer data security to allow civil penalties for first-time violations.
Limitations on Allowable Collection, Use and Retention of Consumer Data
The FTC appears to be considering requirements for data minimization, purpose limitation, necessity, and proportionality for the collection, use and retention of consumer data. These requirements would limit the quantity and types of data that entities could collect and process based on the intended purpose of the collection and use. With respect to data minimization and purpose limitation, the FTC seeks input on the possible effects of these requirements on algorithmic decision-making and processes and poses questions on the balance between potential requirements’ harms and benefits. Similar obligations are familiar to businesses that have to comply with the GDPR, and those companies should be able to draw from their experiences to inform their comments on these questions.
The FTC asks multiple questions about targeted advertising. Mindful that regulating these practices could “burden companies, stifle innovation or competition, or chill the distribution of lawful content,” the Commission seeks input on the benefits and costs of possible regulations generally and in specific sectors such as finance, healthcare, search, and social media. In particular, the FTC asks about the use of alternative advertising strategies in the event it limits first- or third-party targeting. Entities involved in targeted advertising should therefore prepare to justify their practices with evidence demonstrating the potential harms restrictions would impose on consumers and companies.
The FTC requests views on whether it should prohibit certain commercial surveillance practices “irrespective of whether consumers consent to them.” In addition, the FTC is interested in the form, scope and meaningfulness of consumer consent; the process for giving and withdrawing consent; and how consent could figure in the determination of whether a commercial surveillance practice is unfair or deceptive.
Presumably to facilitate consumer consent or at least choice over products and services, the Commission asks whether it should require companies to describe the types of data they use, how they collect and process those data, if and how they use automated decision-making to analyze data, how they use the data to arrive at a decision, the impacts of their practices, and any risk-mitigation measures they employ. Relatedly, the FTC seeks input on mandating regular self-reporting, audits or impact assessments about businesses’ commercial surveillance practices and whether these materials should be disclosed publicly.
Automated Decision-Making and Algorithmic Errors
The ANPR may lead to the first specific regulation of artificial intelligence (AI) and other automated decision-making systems applicable to the entire US economy. The FTC presents a number of questions on the reliability of automated decision-making systems. These questions go far beyond earlier descriptions of the proceeding as focused on discrimination when it comes to algorithms.
For example, the FTC asks whether it should require companies to take specific steps to prevent algorithmic errors and what those steps should be. The FTC is also interested in whether it should require companies to certify that their reliance on automated decision-making satisfies standards related to accuracy, validity, reliability, and error (perhaps without regard to risk of harm) and whether it should forbid or limit the development, design and use of systems that produce unfair, deceptive or abusive outcomes.
In recent years, the Commission and various of its members have pressed for companies to take greater care to avoid algorithmic discrimination against protected classes of people. For instance, Commissioner Rebecca Kelly Slaughter has warned that “[a]s an enforcer, I will see self-testing [for unlawful credit discrimination] as a strong sign of good-faith efforts at legal compliance, and will see a lack of self-testing as indifference to alarming credit disparities.”
The ANPR includes questions about how to address this problem, including whether the FTC should “bar or somehow limit the deployment of any system that produces discrimination, irrespective of the data or processes on which those outcomes are based,” and, if so, which standards the Commission should use to measure or evaluate disparate outcomes. These questions suggest the FTC may adopt a disparate-impact analysis for prohibited discrimination along the lines of the Equal Employment Opportunity Commission’s 80-percent rule for prima facie evidence of discrimination. (This rule provides that it is evidence of an adverse disparate impact if the selection rate for the protected class is not at least 80 percent of the rate of the unprotected class.)
Notably, as have other federal agencies in this Administration, the FTC also seeks comment on possible antidiscrimination protections for “underserved groups” that are not recognized and protected from discrimination under laws enacted by Congress.
The FTC requests information on the kinds of biometric information that companies collect, the manners in which such information is collected and the purposes of the collection. The FTC also seeks views on whether and, if so, how it should limit practices that use facial recognition, fingerprinting or other biometric technologies. The ANPR refers to states such as Illinois and Texas that have enacted laws governing the use of biometric data, and companies could draw from their experience complying with these laws to respond to the ANPR’s biometrics-related questions.
The FTC seeks comment on the remedies that it should impose for violations of the new regulations that could arise from the ANPR. It asks whether the rules should “enumerate specific forms of relief or damages that are not explicit in the FTC Act,” including algorithmic disgorgement to prevent companies from profiting from unlawful practices involving AI and automated processes.
Despite not having express authority, the FTC recently has used its broad powers to require disgorgement as part of its settlements with Everalbum, Inc. and WW International, Inc. Everalbum was required to delete the facial-recognition models and algorithms it developed with biometric information from consumers who did not give affirmative consent to the practice while WW International had to delete personal information collected from children without parental consent and to destroy work product and algorithms derived from such information.
Other Issues and Areas of Concern
Other topics covered by the ANPR include questions regarding the:
- extent to which commercial surveillance harms consumers;
- authority of the FTC to promulgate rules and the extent to which provisions of the FTC Act could be used to regulate certain practices;
- harm caused on children by commercial surveillance and child-protective privacy measures; and
- balance between the costs and benefits of promulgating rules governing commercial surveillance practices and the impacts of regulations on competition.
Although the ANPR is the initial step in the lengthy rulemaking process, companies should be mindful of the potential impacts the eventual regulations could have on their business models and operations. The numerous and specific questions posed in the ANPR indicate that the FTC is thinking carefully about how it can set and enforce clear—but potentially quite granular and burdensome—requirements for businesses. Clear requirements could provide more objective, bright-line standards that would help companies avoid inadvertent violations of the open-ended prohibitions of unfair, deceptive and abusive commercial practices under Section 5 of the FTC Act. On the other hand, the more prescriptive and particular the requirements, the more they would hinder innovation in the digital economy and fail to keep pace with technological developments.
If the FTC decides to move forward with promulgating regulations, it will first have to review and evaluate the comments it receives. The ANPR presents an opportunity for companies to assist the FTC in arriving at proposals that preserve innovation and at the same time ensure the ethical use of data. Once the FTC has settled on a set of proposed rules, it may be much harder to obtain significant modifications. Concerned companies should therefore consider engaging with the FTC in this early stage by submitting focused comments on particular questions.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Sections 5(l) and (m)(1) of the FTC Act, 15 U.S.C. § 45(l), (m)(1), prevent the FTC from seeking civil penalties for unfair or deceptive business practices unless it already has adopted a rule or a written decision (other than a consent order) prohibiting the specific practice.
These questions are interesting, particularly given that COPPA and the GDPR are very high-level in terms of security requirements (the GDPR requires adequate technical and organizational measures, while COPPA requires reasonable procedures to protect the confidentiality, security and integrity of personal information).