FTC Announcement on “Commercial Surveillance” Highlights the Need for Federal Data Privacy Legislation

The Federal Trade Commission (FTC) announced on August 11, 2022 that it was seeking public comment on “commercial surveillance” practices, an intentionally derisive and misleading term the agency uses to refer to businesses collecting consumers’ personal information and using it for targeted advertising.

While the FTC has not yet proposed new rules to address its concerns about consumer privacy and data security, this announcement is a procedural step that brings the FTC one step closer to doing so. Given that Congress is pursuing comprehensive federal data privacy legislation, the FTC’s efforts are at best an unnecessary distraction and at worst a regulatory power grab that would subject businesses to the fickle demands of hostile regulators, threatening the free Internet ecosystem and worsening the digital divide.

Currently, there is no comprehensive federal data privacy law that covers all consumers and all forms of data. Various federal laws provide some protections for health, financial, education, and children’s data, and five states—California, Virginia, Colorado, Utah, and Connecticut—have their own comprehensive privacy laws. The FTC’s announcement should serve as yet another wake-up call that Congress should not keep dragging its feet, and needs to pass reasonable, comprehensive privacy legislation as soon as possible.

A federal privacy law would address many of the FTC’s concerns. First, the FTC states that some companies fail to adequately secure consumer data, leaving this data vulnerable to a data breach. Two of the privacy bills that Congress has recently considered—the Consumer Online Privacy Rights Act (COPRA) and the American Data Privacy and Protection Act (ADPPA)—contain data security requirements for organizations that collect consumer data. Another bill, the Data Care Act, expands on existing data breach notification requirements.

Additionally, the FTC referenced research that suggests some online services may be addictive or otherwise harmful to children. The United States has a federal privacy law protecting children under the age of 13—the Children’s Online Privacy Protection Act (COPPA)—but there has been recent debate over whether Congress or the FTC should revise COPPA or pass additional privacy protections for children or teenagers. The ADPPA would strengthen children’s privacy by requiring express affirmative consent for transferring data between ages 13 and 17 and establish a new Youth Privacy and Marketing Division at the FTC.

The FTC also expressed concern about the lack of transparency surrounding the automated systems companies use to analyze consumer data and place targeted advertisements and the potential for bias in algorithmic decision-making. While many of the concerns about algorithmic bias are overstated, both COPRA and ADPPA contain transparency requirements for how organizations handle the data they collect, as well as civil rights protections.

Finally, the FTC claims that companies do not give consumers enough control over whether or how their data is collected and used. COPRA and the ADPPA would give consumers the right to access, port, rectify, or delete their data. They would also allow consumers to opt out of most forms of data collection or transfers and opt in to collection or transfer of sensitive data.

None of the bills facing Congress strike a perfect compromise on every privacy-related issue, but it is important that the debate surrounding these issues take place in Congress. Congress has worked diligently to craft a bipartisan proposal that balances the interests of different stakeholders, whereas the FTC under the leadership of Chair Khan is eager to pursue one-sided proposals that pass with party-line votes. But this type of aggressive regulatory approach has a limited lifespan—eventually party power shifts, and then a new set of regulators have control. Without bipartisan agreement, these pendulum swings can create ever changing rules, a detriment to both consumers and businesses, not to mention that the current FTC proposal itself would harm consumers and business.

The FTC should have the power to enforce any privacy law Congress passes—as it would if the Data Care Act, COPRA, or ADPPA passed—but FTC rulemaking is not the best solution to the lack of federal data privacy protections. The FTC’s announcement should further impress on Congress that it needs to prioritize privacy and move to pass comprehensive privacy legislation before the regulatory landscape becomes even more complicated than it already is. FTC Commissioner Bedoya wrote in a statement, and confirmed during the press conference of the announcement, that “should the ADPPA pass, I will not vote for any rule that overlaps with it.”

Moreover, the FTC appears to be using its legitimate rulemaking authority on unfair or deceptive acts or practices as a backdoor attempt to regulate so-called “unfair methods of competition” where its authority is disputed. By actively soliciting “comment on the ways in which existing and emergent commercial surveillance practices harm competition” the FTC has signaled that its privacy rulemaking will likely serve as de facto competition regulation. In other words, the FTC is attempting to adopt data privacy rules to regulate competition—a power grab detached from a statutory basis. The FTC should focus on going after scofflaws and real harms to consumers, not the core of the free Internet ecosystem that provides enormous benefits to consumers.

Therefore, not only is FTC’s rulemaking announcement an unnecessary distraction from legislative efforts, but it is a questionable power grab overstretching its statutory authority that will ultimately come at the expense of consumers.