
New FTC Action on Data Security: Here’s What You Should Know

August 19, 2022

On Aug. 11, 2022, the Federal Trade Commission announced a Notice of Proposed Rulemaking regarding the collection, sharing and use of certain information which it refers to as “commercial surveillance data” and whether the use of that data constitutes a violation of the provisions of the Federal Trade Commission Act. The Commission has also announced its intention to hold a virtual public forum on Sept. 8, 2022 to discuss the issue.

U.S. Does Not Have a Comprehensive Data Privacy Law

The United States does not currently have a comprehensive data privacy law, although a bill proposing such a law is currently winding its way through Congress. As a result, data privacy laws represent a patchwork quilt of state law, federal sectoral laws and international laws which apply to the collection, sharing, use, storage and accuracy of certain kinds of Personally Identifiable Information (PII).

In addition, under the century-old Section 5 of the FTC Act, which prohibits both “deceptive” and “unfair” trade practices in commerce, the Commission has promulgated rules and brought enforcement actions against companies which either fail to have privacy standards or which fail to abide by their published privacy policies. In essence, the FTC asserts, companies which promise to keep data private and not to share it, but share it anyway, are “deceptive,” and companies which collect data without providing reasonable notice and the ability to opt out of the collection are “unfair.” Indeed, the FTC recently announced that it might initiate an enforcement action against an AdTech agency that collects and sells license plate data with geolocation. One of the FTC’s concerns is that this data could be used to track patients’ travels for healthcare services, including fertility, gynecological or related services.

Addressing the Data Surveillance & Data Broker Industry

The FTC is attempting to use its regulatory authority to address the data surveillance and data broker industry generally, but also to address those who create a market for such data. At an increasing rate, consumers are having even the most intimate details of their lives tracked and examined. Furthermore, the companies that collect, aggregate and analyze this data, as well as companies that sell or use this data, are not transparent about their data collection and use practices.

For example, the General Data Protection Regulation (GDPR) in the EU regulates the collection, transfer and use of any information that identifies a specific individual (PII). Collection of PII may only be done for legitimate purposes; companies must be transparent about what they collect, why, and what they are doing with the data; and they must appropriately secure the data, make sure it is accurate, give the data subject access to the data collected, and delete or remove the data when it is no longer needed for the stated purpose. Under GDPR, the collection of personal data – whether it is a name, phone number, address, IP address or tracking information – must generally be done with the informed consent of the data subject and for lawful purposes (consent, knowledge and a “click-through” agreement alone are not sufficient). GDPR applies to data collected about residents of the EU, irrespective of where the data is collected or by whom. Following the UK’s Brexit, a special treaty applies GDPR-like restrictions to residents of the UK, and the U.S. and Europe have negotiated specific safe harbor provisions permitting the collection of GDPR-protected data by U.S. entities, provided that they have enforceable agreements to comply with the GDPR principles. Similar privacy laws exist in many countries, from Mexico to Singapore to China.

Complying With State Privacy Laws

In the absence of a comprehensive data privacy law in the U.S., companies must, in addition to complying with GDPR and other international laws, comply with a host of state privacy laws like those in Virginia, California, Utah, Colorado and Connecticut. They must also comply with state data breach disclosure laws, which regulate the collection and use of PII at the state level and require notification to data subjects whenever the PII is “accessed” in a manner inconsistent with the data privacy policy. In Ohio, Governor DeWine has supported a proposed law to require Ohio companies to comply with good data collection, privacy and security practices. In addition, the U.S. government has various sectoral privacy laws regulating things like phone records, bank records and even records of video rentals.

The FTC NPRM is an attempt to regulate the marketplace for personal data collected without the knowledge or consent of the data subject – so-called surveillance data. As the Commission notes:

Commercial surveillance is the business of collecting, analyzing and profiting from information about people. Technologies essential to everyday life also enable near constant surveillance of people’s private lives. The volume of data collected exposes people to identity thieves and hackers. Mass surveillance has heightened the risks and stakes of errors, deception, manipulation and other abuses. The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.

This would include things like tracking software used by schools and businesses to monitor and track their students and employees, video surveillance, geolocation and telematics, performance measurements, as well as capturing individuals’ search and browsing histories, what they are reading, their social media and communications, facial recognition and biometric surveillance, automated license plate readers, cell site location tracking, GPS and other location data, tracking purchasing history and the use of AI or other sophisticated tools to profile data subjects.

FTC to Address Potential Consumer Harms

In particular, the FTC seeks to examine the potential consumer harms arising from lax data security or commercial surveillance practices, including those concerning physical security, economic injury, psychological harm, reputational injury and unwanted intrusion. The FTC noted that it wanted to address certain specific questions including:

  • Which practices do companies use to surveil consumers?
  • Which measures do companies use to protect consumer data?
  • Which of these measures or practices are prevalent? Are some practices more prevalent in some sectors than in others?
  • How, if at all, do these commercial surveillance practices harm consumers or increase the risk of harm to consumers?
  • Are there some harms that consumers may not easily discern or identify? Which are they?
  • Are there some harms that consumers may not easily quantify or measure? Which are they?
  • How should the Commission identify and evaluate these commercial surveillance harms or potential harms? On which evidence or measures should the Commission rely to substantiate its claims of harm or risk of harm?
  • Which areas or kinds of harm, if any, has the Commission failed to address through its enforcement actions?
  • Has the Commission adequately addressed indirect pecuniary harms, including potential physical harms, psychological harms, reputational injuries, and unwanted intrusions?
  • Which kinds of data should be subject to a potential trade regulation rule? Should it be limited to, for example, personally identifiable data, sensitive data, data about protected categories and their proxies, data that is linkable to a device, or non-aggregated data? Or should a potential rule be agnostic about kinds of data?
  • Which, if any, commercial incentives and business models lead to lax data security measures or harmful commercial surveillance practices? Are some commercial incentives and business models more likely to protect consumers than others? On which checks, if any, do companies rely to ensure that they do not cause harm to consumers?
  • Lax data security measures and harmful commercial surveillance injure different kinds of consumers (e.g., young people, workers, franchisees, small businesses, women, victims of stalking or domestic violence, racial minorities, the elderly) in different sectors (e.g., health, finance, employment) or in different segments or “stacks” of the internet economy. For example, harms arising from data security breaches in finance or healthcare may be different from those concerning discriminatory advertising on social media which may be different from those involving education technology. How, if at all, should potential new trade regulation rules address harms to different consumers across different sectors? Which commercial surveillance practices, if any, are unlawful such that new trade regulation rules should set out clear limitations or prohibitions on them? To what extent, if any, is a comprehensive regulatory approach better than a sectoral one for any given harm?

In the absence of a comprehensive data privacy law, it appears that the FTC may step into the vacuum and use its authority to regulate unfair trade practices to require greater transparency in data collection, security and use.

How Should Companies Proceed?

For now, companies should, in addition to complying with existing law, adopt reasonable data privacy and use policies that are both comprehensive and flexible enough to meet their current and anticipated future business needs. They should, to the extent possible, inform data subjects about what data they are collecting, why, and what the data subjects’ rights are with respect to use, deletion, accuracy and security. They should also ensure that the data they collect is secured, whether stored and used locally or on third-party cloud or SaaS providers, and ensure by contract that those third parties agree to protect such data. Finally, when purchasing data that has been collected by third parties, including data brokers, marketers, advertisers or others, companies should take reasonable steps to make sure that this data was collected, and is being shared, in compliance with data privacy laws.

For further questions or clarifications regarding the content of this article, please contact KJK Cyber Security & Data Breach attorney Mark Rasch (MDR@kjk.com; 301.547.6925).