Recently, the FTC announced its intent to create rules around a vast array of data privacy issues. It’s concerned companies are conducting “commercial surveillance” in ways that potentially harm consumers. It’ll hold a public hearing Sept. 8 to gain public input – required by its rulemaking process – on how companies collect, analyze, share, and monetize consumer data.
But wait, isn’t Congress already trying to tackle this problem with legislation like the ADPPA? Yes! You’re right. But Congressing is hard to do, and change happens slowly. So the FTC is putting some fuel on the fire. It’s saying, “This has to be a priority, and even if it takes us a decade, we’re starting now. Your move, Congress.”
So what’s going to go down, and what do you need to know? In a recent webinar, four experts broke it down for you. Here are the key points.
Is this even a big deal?
It’s a massive milestone for the FTC, one that’s been years in the making. The process is called Magnuson-Moss (referred to as Mag-Moss by the cool kids) rulemaking, and it’s a convoluted and long process under Section 18 of the FTC Act.
“There are some people who say these Mag-Moss rulemakings take forever – they
take an average of five to six years – and technology moves too fast, so it’s not a good tool to use for rulemaking,” said Maneesha Mithal. “And then on the other hand, you have people saying, ‘Hey if we had done this six, seven years ago we could have had a rule by now.’ The FTC is in the thick of it, and this rulemaking can have a really profound impact on companies, changing the rules of the road for a lot of sectors in the economy.”
What’s Mag-Moss rulemaking, anyway?
Agencies issue rules under APA rulemaking, or the Administrative Procedure Act rulemaking. That’s typically where you put out a notice, get comments, publish the final rule. That usually takes six months to a year.
But back in the 1970s and 1980s, some legislators didn’t want the FTC going too far with its rulemaking and wanted to “clip its wings,” so they imposed additional procedures.
Critics of the FTC maintain it can’t just be a “roving regulator” declaring practices unlawful; they have to fit within a specific rubric, meaning the practice is either unfair or deceptive and is prevalent in the marketplace.
“So that’s a really tough hurdle for the FTC,” Mithal said.
“For years now,” said Gabe Maldoff, “the FTC has enforced on privacy and security on a case-by-case basis, and it’s done so under its unfairness and deception authority.”
In the 1970s, the FTC tried to pass rules around television advertising for kids, and the Washington Post ran an editorial calling it the “National Nanny,” which was a turning point for the FTC; it had its rulemaking authority revoked, and there are theories that the FTC has been more cautious in its approach since then.
But now, “there are norms in the privacy space similar to what we see in Europe or starting to develop in the states, so this is huge news because we’re talking about potential national regulations that would codify some of what the FTC has
done and could extend way beyond that – given the scope of the questions that
they’re consulting on – to practices that the FTC hasn’t touched on and even beyond that,” Maldoff said.
Is it significant the FTC is using the term “commercial surveillance” here?
“I do think that it’s a pejorative term towards businesses, and I think that you can see
that permeates throughout” the riposted rulemaking, said Mithal. “The word surveillance is mentioned 80 times.”
But for Maldoff, the verbiage isn’t that important. “The way the FTC defines it, it captures what the FTC has already been looking at for years in the privacy and security space,” he said. “ They’ve defined it as the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and direct derivatives of that information. The way they’ve defined it actually doesn’t incorporate any of the definitions of surveillance, so I’m not sure I read that term as having that much weight in terms of where this goes.”
Mithal said the FTC’s charged with determining whether practices are unfair, which includes a harm component, but it also must balance those concerns against any potential benefits to the consumer. The FTC’s notice of proposed rulemaking discusses potential harms extensively but spends very little time on countervailing benefits.
If the FTC doesn’t consider those benefits, the industry may ask the federal courts to invalidate the rule wholesale.
What’s the commission even asking about? Surprises?
Many of the questions are unsurprising.They’re asking about data security, algorithmic discrimination, children’s and teens’ data, minimization, and purpose limitation. Mithal was surprised there weren’t more questions about data access requests, correction, and deletion – topics of great concern to any privacy pro complying with the GDPR or CPRA.
“If I were still at the FTC advising commissioners, I would suggest on the next round going narrower,” she said.
Isn’t everyone freaking out a little early?
Kind of. As big a deal as it is, the public’s just now getting its chance to weigh in. After a long back-and-forth, maybe the rules do get adopted. But then they can be challenged in court.
“We’re definitely looking at a long road ahead, especially given the breadth of some of these questions,” said Maldoff. “Remember, the FTC’s authority here is just deception and unfairness, so every piece of the regulation they ultimately propose has to tie back to those standards.
He added that many of the questions the FTC’s asking for input on are beyond its traditional enforcement scope, so, “I think the commission is going to have more of an uphill battle there.”
To access the webinar in full, watch here.
