In this article, the authors discuss developments that took place at a virtual public forum relating to consumers' privacy and data security held recently by the Federal Trade Commission.
The Federal Trade Commission (FTC) recently held a virtual public forum on the agency's release of an Advance Notice of Proposed Rulemaking (ANPR)1 to regulate the protection of consumers' privacy and data security. In addition to allowing the public the opportunity to share feedback about the ANPR, the hearing also included remarks from FTC leaders as well as two panels with consumer advocacy groups and representatives from industry on the perceived harms stemming from what the FTC characterizes as “commercial surveillance” and whether new rules are needed to protect consumers.
Key topics raised by industry representatives and consumer advocates alike included data minimization and the prevention of secondary uses of data, particularly in the context of behavioral advertising. As discussed further below (see “What Can Companies Do?”), the FTC's focus on behavioral advertising and concerns about the widespread collection of consumers' online activities is part of a broader regulatory emphasis on digital marketing across the globe.
We saw this in California in connection with the state attorney general's recent public settlement of an enforcement action for alleged violations of the California Consumer Privacy Act (CCPA) pertaining to cookies; we saw this in Europe, where state regulators such as the French Data Protection Authority (CNIL)2 have increasingly fined companies for behavioral advertising and cookie practices under the EU General Data Protection Regulation (GDPR); and we saw this when the U.S. Consumer Financial Protection Bureau (CFPB) issued an interpretive rule clarifying that digital marketers are subject to CFPB enforcement as “service providers.”
One particular point of tension that came up throughout the FTC forum, and especially during the public comment period, related to the FTC's legal authority to engage in a privacy rulemaking. Some participants warned of the FTC interfering with ongoing congressional negotiations over proposed federal privacy legislation, the American Data Privacy and Protection Act (ADPPA), and others alluded to FTC rulemaking authority struggling to clear the hurdle of Supreme Court scrutiny under the “major questions” doctrine.
Regardless of legal procedural concerns, the rulemaking process is fully underway, with the FTC looking to use public feedback in order to move to the next stage of the Mag-Moss rulemaking process: issuing a Notice of Proposed Rulemaking. The agency took public written comments about the ANPR until October 21, 2022.
The three Democratic commissioners – Chair Lina Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya – delivered brief remarks highlighting their individual concerns and areas of focus for privacy rulemaking. Notably, neither of the Republican commissioners, Christine Wilson and Noah Phillips, shared their views in this forum, though both publicly dissented from the issuance of the ANPR (Wilson's dissent3 and Phillips' dissent4 ), airing disputes on policy and the agency's authority to promulgate privacy rules.
Khan highlighted research that asserts that many Americans have limited insight about the information being collected about them and how it is used. Addressing the question of legal authority, Khan noted that the FTC has a long record of using its tools to regulate data privacy and security. But, she added, the goal of this rulemaking process is to determine if business practices today are so “prevalent” that the FTC needs to move beyond case-by-case adjudication and issue market-wide rules. The public forum was an important step to “democratize” this rulemaking process, according to Khan.
Slaughter shared her view that it is important for the FTC to show that the agency is no longer shying away from exercising its rulemaking authority. (Recall that, as the acting chair for the first six months of 2021, she anticipated new rulemakings when she created a rulemaking group within the FTC's Office of General Counsel.) Slaughter also voiced her support for strong federal legislation but noted that, until there is a law on the books, she believes that the FTC must use its tools to regulate the field.
Bedoya commented on the breadth of the ANPR, noting his view that the ANPR is intentionally broad, going beyond normal bedrocks of consumer notice and consumer choice/consent. According to Bedoya, privacy rights and harms have gone well beyond the point of initial collection, and the FTC needs to enforce across all of these areas.
A staff attorney, Josephine Liu, from the FTC's Office of General Counsel gave a brief presentation on the rulemaking process the FTC will employ here. As we have explained previously, the FTC's rulemaking process in this context is governed by the Magnusson-Moss Warranty Act of 1975 (referred to as Mag-Moss) and includes several additional steps beyond normal notice-and-comment rulemaking allowed by the Administrative Procedure Act. The timeline for Mag-Moss rulemaking includes this initial ANPR, followed by the issuance of a proposed rule that also will include the FTC's explanation of why the prohibited practices are sufficiently “prevalent” to warrant rulemaking. After that, interested parties will have an opportunity to cross-examine the FTC's evidence in an investigational hearing. (This part of the process is the least familiar to practitioners and will be subject to new “streamlined” procedures5 the FTC recently approved.) After this process, if the agency decides that rules are warranted, the FTC would issue final rules, subject to court challenges.
In addition to describing the Mag-Moss rulemaking process and timeline, Liu highlighted three key questions with which the FTC is grappling among the 95 questions raised in the ANPR:
After the staff presentation, the forum turned to perspectives from industry. The four panelists included Jason Kint (chief executive officer, Digital Content Next), Marshall Erwin (chief security officer, Mozilla), Paul Martino (vice president and senior policy counsel, National Retail Foundation), and Rebecca Finlay (chief executive officer, Partnership on AI). Each panelist discussed issues from their own organization's perspective.
Below are some highlights from each panelist's statement:
The panelists also discussed “best practices” from their perspectives. Finlay explained that, when AI is deployed – especially in high-risk settings such as healthcare and hiring – companies need well-functioning internal organizational processes from design to deployment. Erwin stated that there are consensus best practices in data security – consistent with FTC's safeguards rule – that are universally accepted but not universally adopted. Kint pointed to best practices coming out of specific companies, naming specific examples such as Apple (app tracking transparency), Firefox, Brave, and Global Privacy Control. And Martino focused on retailers, explaining that certain concepts, such as Global Privacy Control, could frustrate consumers' choices if they previously elected to receive communications or other services from businesses.
Next, the forum invited the opinions of five panelists from the consumer protection space: Caitriona Fitzgerald (deputy director, Electronic Privacy Information Center (EPIC)), Harlan Yu (executive director, Upturn), Ambassador Karen Kornbluh (ret.) (director, Digital Innovation and Democracy Initiative, German Marshall Fund of the U.S.), Spencer Overton (president, Joint Center for Political and Economic Studies), and Stacey Gray (senior director for U.S. Policy, Future of Privacy Forum (FPF)). These panelists focused on the perceived harms of commercial surveillance and the need for the FTC to use the tools at its disposal.
Below are some highlights from each panelist's statement:
The panelists also suggested ways for the FTC to implement data minimization and transparency in practice as well as debated whether notice and consent remains an appropriate framework. Fitzgerald and Overton stressed that the burden should move away from individual users, with structural rules assigning compliance obligations to companies. Yu highlighted that the FTC should require companies to make good faith efforts to stop discrimination in their data processing and to “show their work.” Gray encouraged the FTC to codify past enforcement actions related to inadequate disclosures being an unfair practice. All five panelists disapproved of the notice and consent framework, highlighting the need to consider power imbalances.
The FTC rulemaking process will take time, with several additional opportunities for companies and industry groups to share their thoughts and concerns and to describe beneficial uses of data that may be negatively impacted by a rulemaking. Crafting any rule will be difficult for the FTC given the hurdles of showing that the practices are prevalent, not negatively impacting data collection and use practices that benefit consumers, and developing a rule sufficiently narrow to avoid vacatur under the major questions doctrine.
But the FTC is not the only regulator looking at these issues. If, as a company, you are actively using digital marketing or cookies to track users online across websites and apps, then you should consider yourself formally on notice that you are engaging in the kind of so-called “commercial surveillance” that is generating regulatory and public angst around the globe.
The first step for companies involved in this space is to understand how you are using digital marketing. Of course, digital marketing is not in itself anti-consumer – many companies rely on this advertising to find and cultivate their business and to provide meaningful choices and opportunities to consumers. But it is important to recognize when you are gathering behavioral data about users interacting with your website and then tracking those users across different websites and apps. This latter type of third-party tracking and profile building is the kind of activity that is concerning to regulators and, to a certain degree, consumers.
Originally Published by Pratt's Privacy & Cybersecurity Law Report, LexisNexis
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.
Forgot your password?
Free, unlimited access to more than half a million articles (one-article limit removed) from the diverse perspectives of 5,000 leading law, accountancy and advisory firms
Articles tailored to your interests and optional alerts about important changes
Receive priority invitations to relevant webinars and events
You’ll only need to do it once, and readership information is just for authors and is never sold to third parties.
We need this to enable us to match you with other users from the same organisation. It is also part of the information that we share to our content providers (“Contributors”) who contribute Content for free for your use.