FTC Rulemaking on Commercial Surveillance & Data Security

On August 11, 2022, the Federal Trade Commission announced that it would conduct its first-ever rulemaking on commercial surveillance and data security. In a 44-page Advanced Notice of Proposed Rulemaking, the FTC disclosed that it was “exploring rules to crack down on harmful commercial surveillance and lax data security. Commercial surveillance is the business of collecting, analyzing, and profiting from information about people.”

The FTC’s commercial surveillance rulemaking falls under the Commission’s section 5 authority to regulate and prohibit unfair and deceptive trade practices. In its ANPR, the Commission requested “public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.”

EPIC, which has repeatedly called on the FTC to use its rulemaking authority to regulate abusive commercial data practices, filed comments in response to the Commission’s ANPR and intends to participate in each stage of rulemaking process.

Contents of the ANPR

The FTC’s ANPR requests “public comment on the prevalence of commercial surveillance and data security practices that harm consumers.” The ANPR provides an overview, specifies the Commission’s authority, discusses the Commission’s current approach to privacy and data security, and poses 95 questions in the following categories:

  • Harms to Consumers
  • Harms to Children
  • Costs and Benefits
  • Regulations
  • Automated Systems
  • Discrimination
  • Consumer Consent
  • Notice, Transparency, and Disclosure
  • Remedies
  • Obsolescence

The Rulemaking Process

The FTC can use its trade rulemaking authority in two separate but related ways to protect consumers. First, the FTC may “define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.” Second, trade regulation rules may lay down “requirements prescribed for the purpose of preventing such acts or practices.”

A violation of a rule constitutes an unfair or deceptive act or practice in violation of section 5(a)(1) of the FTC Act, unless the Commission otherwise expressly provides in its rule. Defining unfair and deceptive practices by rule enables the Commission to seek civil penalties of up to $46,517 per violation. (Absent a rule, the Commission typically cannot collect civil penalties for a first-time section 5 violation.)

The Commission’s rulemaking process can take several years, though the Commission announced updates to streamline the process in 2021. There are several steps in the trade rulemaking process (also known as Magnuson-Moss or “Mag-Moss” rulemaking):

Advanced Notice of Proposed Rulemaking

The FTC released the ANPR for its commercial surveillance rulemaking on August 11, 2022 and formally published it in the Federal Register on August 22, 2022. The deadline for public comments in response to the FTC’s ANPR was November 21, 2022. See comments from EPIC and other organizations at the bottom of this page.

Notice of Proposed Rulemaking

If the FTC decides to move ahead with a rulemaking, it must give Congress 30 days’ notice before issuing the proposed rule. The FTC will then publish the proposed text, any alternatives, and the reasons for the rule. The Commission must find that the unfair and deceptive acts that the proposed rule addresses are “prevalent.” The FTC is also required to issue a preliminary regulatory analysis related to the proposed rule at this step. The public will then have another opportunity to comment.

Public Hearing(s)

If requested, the Commission must hold public hearing(s) on the proposed rule. These hearings offer the opportunity for interested parties to conduct cross-examination and present rebuttals before the Commission. At the conclusion of the hearing(s), the presiding officer of the hearing must make a recommendation with respect to the proposed rule.

Final Approval

Following the hearing officer’s recommendation, the Commission will vote on a final rule, which must include: “(A) a statement as to the prevalence of the acts or practices treated by the rule; (B) a statement as to the manner and context in which such acts or practices are unfair or deceptive; and (C) a statement as to the economic effect of the rule, taking into account the effect on small business and consumers.” If the rule is approved, the Commission must issue a final regulatory analysis and publish the rule at least 30 days before its effective date.

Enforcement

After the Commission has promulgated a trade regulation rule, any individual or business which violates the rule “with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such act is unfair or deceptive and is prohibited by such rule” is liable for civil penalties of up to $46,517 per violation.

EPIC’s Work

EPIC has long called on the FTC to exercise its rulemaking authority to safeguard privacy and civil rights. A recent EPIC white paper urged the Commission to establish a data minimization rule using its section 5 unfairness authority. In 2020, EPIC petitioned the FTC to conduct a rulemaking on commercial uses of AI and personal data. EPIC has also joined numerous coalition letters to the Commission calling for a privacy and civil rights rulemaking. EPIC has urged the FTC to use all of its authorities to protect consumers and published a report, What the FTC Could Be Doing (But Isn’t) to Protect Privacy, in 2021.

EPIC’s Comments

Civil Society Comments (UPDATED Dec. 2, 2022)

Support Our Work

EPIC’s work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.

Donate