As part of its ongoing efforts to protect consumer privacy, the Federal Trade Commission heard from industry experts and consumer advocates, as well as the public, on Thursday about its Advance Notice of Proposed Rulemaking on online consumer privacy, highlighting various concerns for stakeholders regarding commercial surveillance and data practices.
The agency issued the ANPR in August and sought public comment. This is the FTC’s latest effort to combat commercial surveillance and lax data security in order to protect online consumer privacy.
Alex Brown, Partner on Alston & Bird’s Consumer Protection/FTC team and Co-Chair of the ABA Antitrust Law Section’s Federal and State Privacy Task Force, gave insight into the current legal and regulatory landscape.
The proposed rulemaking comes at a time when the legislative and regulatory landscape with regard to commercial surveillance and data privacy is “a patchwork of issue-specific federal laws and state laws with varying degrees of complexity and comprehensiveness,” Brown told Nextgov.
For example, he pointed to the FTC’s use of Section 5 of the FTC Act as grounding for the agency’s authority and enforcement ability.
Brown noted that current legislation and regulation “all provide some guidance and regulation, but each of these are dated and have substantial holes regarding what’s going on today.”
While Congress is trying to fill those gaps with legislation like the American Data Privacy and Protection Act—or ADPPA—the FTC is also working to strengthen its regulatory muscle. However, the two Republican FTC commissioners voted against the ANPR, stating that it was up to Congress to pass legislation addressing these issues.
Specifically, the FTC is focusing on commercial surveillance and data security requirements.
From Brown’s perspective, the FTC’s new rule should be “looking at the impact it’s going to have on companies’ privacy programs,” he said. “There’s already been a lot of shifting company privacy programs over the last few years, as those companies have shifted to abide by the [European Union’s General Data Protection Regulation] and the California laws, and the other state laws. And it doesn’t appear that the FTC is looking to reinvent an entirely new paradigm with the rule, but rather clog some perceived holes and increase enforcement in specific areas.”
Furthermore, because there is a “patchwork” of federal and state legislation and regulation, it can make compliance more challenging for companies, according to Brown.
On Thursday, FTC Chair Lina M. Khan noted that the hearing will inform how the agency proceeds.
“The FTC has a long record of using its law enforcement tools to combat these types of commercial surveillance and lax data security practices in instances where they are illegal,” Khan said. “With this rulemaking proceeding, we are now seeking to determine whether unfair or deceptive data practices may now be so prevalent that we need to move beyond case by case adjudication and instead have market wide rules.”
The hearing opened with a panel of industry perspectives on commercial surveillance and data security.
The panel raised the distinction between data collection that a user expects, such as when the user is a subscriber to something, and data being sold to or shared with a third party.
Panelist Jason Kint, CEO of Digital Content Next, noted that the FTC should pay close attention to the dominant players, who can at times lay the groundwork and set the tone for the rules. He pointed to issues such as Facebook’s Cambridge Analytica scandal. Others pointed to the need to protect privacy and deter bad actors in addition to thinking about various systems and their impact.
For example, panelist Rebecca Finlay, CEO at Partnership on AI, stated that the FTC must take artificial intelligence and other new or emerging technologies into consideration during its rulemaking process.
The panel also discussed the Global Privacy Control—a browser setting that lets consumers tell websites their privacy preferences without having to manually reach out to each website—as an important measure for users and companies to take to protect choice and privacy.
“The FTC should be careful that, if they do pursue a regulation, to not inadvertently craft regulations that are so broad or so broadly constructed as to interfere with consumer freedoms and choices they have a right to make,” panelist Paul Martino, vice president and senior policy counsel at the National Retail Foundation, said. “Understanding the context is ultimately a touchstone here, if the FTC does move forward with regulations.”
In terms of a solution, panelist Marshall Erwin, chief security officer of Mozilla, described a shift away from this type of surveillance and related practices.
“What we want to see is a shift away from behavioral advertising tactics—that are the predominant commercial surveillance tool in use today that’s driving a lot of the problematic activity on the web—towards more benign methods of advertising, ones which we think can be viable and can provide meaningful monetization stream for the vast number of companies and targeting first-party data,” Erwin said. “Contextualizing some of the issues we’ve mentioned here can be viable, but we need a shift away from those sophisticated and targeting practices.”
Consumer advocates also got their own panel on the issues of commercial surveillance and data security.
The consumer panelists emphasized how commercial surveillance and certain data practices can be used in a discriminatory manner. They were also concerned about data targeting as another potentially problematic practice and urged the FTC to move forward with the rulemaking process and use its authority, including in Section 5 of the FTC Act. Additionally, the panelists found that the new rulemaking should include, but also move beyond, consent.
The panelists noted that the burden must shift away from consumers and consumer consent to systemic changes.
“Consent, opt-in/opt-out, individual choice, is relevant, but ought not to be the sole or the dispositive factor in these sorts of balancing tests when we talk about fairness,” panelist Stacey Gray, senior director for U.S. policy at the Future of Privacy Forum, said. She pointed to issues of practicality for this point.
Besides practicality, Gray added, “we would not want the FTC to limit itself to current technology and to current technology that can be designed for consent. So, we’re increasingly entering a world involving voice-enabled devices, smart city devices [and] connected vehicles. And in all of these contexts, you face a situation of consent either not being possible to obtain—for example, with external facing cameras on a mobility device and not being able to get consent of passersby—or where it is simply a bad idea to give users a choice for consent—for example, with data being used for safety in a connected vehicle. So we need other safeguards and have to expand beyond choice framework. We need to be talking about minimization, anonymization, de-identification, all of these other ways to mitigate risks without placing all of the burdens on the individual.”
The panelists also noted that the FTC should use the EU’s GDPR as a guide for its own framework and to learn what has and has not worked or been effective.
The public has until October 21 to comment on the proposed rulemaking, which is available on the Federal Register.
Brown added, “anytime you are developing or fine-tuning a regulatory need, you want to be careful to strike the right balance. You want to make rules that companies can actually comply with, rules that deter behavior that is actually harmful to consumers and you want to make sure that you are not negatively impacting competition in the process.”