On August 11, the US Federal Trade Commission (FTC) announced its intention to commence a rulemaking proceeding on privacy, data security, and automated decision-making that could result in potentially sweeping changes to the digital economy. In a 3-2 party-line vote, the FTC's new Democratic majority agreed to issue an Advance Notice of Proposed Rulemaking (ANPR) "exploring rules to crack down on harmful commercial surveillance and lax data security," in the words of the agency press release.
The scope of the proceeding is far broader than what might commonly be understood to be "commercial surveillance":
- It reaches all consumer data, whether collected or inferred. For purposes of the ANPR, "commercial surveillance" includes "the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information." In other words, the proceeding covers pretty much any information a business might have about people and anything the business does with that information.
- "Consumers" include not only what the FTC and other regulators generally include within that definition (i.e., individuals acting in their personal capacity), but also businesses and employees. According to the FTC, "consumer . . . includes businesses and workers, not just individuals who buy or exchange data for retail goods and services." The anticipated rules almost certainly would increase compliance burdens on companies, which until now have not faced significant privacy obligations regarding business-to-business interactions and employees.
The FTC solicits comment on 95—often open-ended—questions, many with subparts. Among other topics, the agency requests input on:
- how companies' privacy and data security practices may harm consumers, privacy harms the FTC has failed to redress, and types of harm it has failed to consider;
- the scope of data the FTC should regulate;
- whether specific industries such as healthcare and financial services should be subject to stricter privacy requirements;
- the effectiveness of consent; prohibitions on certain commercial surveillance practices, regardless of whether consumers consent to them; and requirements for voluntary and revocable consent;
- requirements for data security;
- minimization, purpose, and other restrictions on the collection, use, retention, and transfer of consumer data, including limits on personalized or targeted advertising and the use of biometric technologies;
- requirements for artificial intelligence (AI) and other automated decision-making systems such as standards for algorithmic accuracy, validity, reliability, or error;
- bans or limitations on the development, design, and use of AI and other "automated decision-making systems that generate or otherwise facilitate outcomes that violate Section 5 of the FTC Act" (i.e., "[u]nfair methods of competition" or "unfair or deceptive acts or practices")—either "economy-wide or only in some sectors";
- prohibitions or restrictions on algorithmic systems that result in discrimination against traditionally protected classes or possibly "other underserved groups" and whether these rules should be limited to realms in which Congress has barred discrimination (e.g., housing, employment, and consumer finance) or should extend to all sectors; and
- remedies for violations.
Taken together, the 95 questions suggest the FTC may have large ambitions for its anticipated rules on privacy, data security and automated decision-making (including AI).
Companies concerned that the rulemaking's outcome might challenge their business model should consider submitting comments, which will be due 60 days after the ANPR appears in the Federal Register. Focused responses to questions may help the FTC arrive at proposals that preserve innovation while at the same time preventing unfair or unethical use of data. Once the FTC has published actual proposed rules, it may be much harder to obtain significant modifications, so many businesses will find it wise to engage at this earlier stage.
Meanwhile, keep an eye on the Enforcement Edge blog for a link to our more-detailed analysis of the ANPR, which is forthcoming.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.