DataEthics4All’s Call for Comments on FTC’s Regulation Rule on Commercial Surveillance and Data Security
Shilpi Agarwal
#1 Leading Voice on Empowering Youth Through AI: Founder of STEAM in AI and DataEthics4All, Featured Deeplearning.AI Ambassador, SXSW EDU 2025 AI Speaker, ASU+GSV 2025 Leading Woman in AI ??
The Federal Trade Commission’s Commercial Surveillance and Data Security Public Forum is hosting a public forum regarding its Advanced Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices that harm consumers and competition.
SUMMARY:?The Federal Trade Commission (“FTC”) is publishing this advance notice of??proposed rulemaking (“ANPR”) to request public comment on the prevalence of commercial?surveillance and data security practices that harm consumers. Specifically, the Commission?invites comment on whether it should implement new trade regulation rules or other regulatory?alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze,?and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in?ways that are unfair or deceptive.
DATES:?Comments must be received on or before [60 DAYS AFTER DATE OF?PUBLICATION IN THE?FEDERAL REGISTER]. The Public Forum will be held virtually on?Thursday, September 8, 2022, from 2 p.m. until 7:30 p.m.
ADDRESSES:?Interested parties may file a comment online or on paper by following the?instructions in the Comment Submissions part of the?SUPPLEMENTARY INFORMATION??section below. Write “Commercial Surveillance ANPR, R111004” on your comment, and file?your comment online at?https://www.regulations.gov. If you prefer to file your comment on?paper, mail your comment to the following address: Federal Trade Commission, Office of the?Secretary, 600 Pennsylvania Avenue, NW, Suite CC-5610 (Annex B), Washington, DC 20580.??FOR FURTHER INFORMATION CONTACT:?James Trilling, 202-326-3497; Peder Magee,?202-326-3538; Olivier Sylvain, 202-326-3046; or?[email protected].
Overview??
Whether they know it or not, most Americans today surrender their personal information?to engage in the most basic aspects of modern life. When they buy groceries, do homework, or?apply for car insurance, for example, consumers today likely give a wide range of personal?information about themselves to companies, including their movements,1?prayers,?2?friends,?3?menstrual cycles,4?web-browsing,?5?and?faces,?6?among other?basic aspects of their lives.
Companies, meanwhile, develop and market products and services to collect and?monetize this data. An elaborate and lucrative market for the collection, retention, aggregation,?analysis, and onward disclosure of consumer data incentivizes many of the services and products?on which people have come to rely. Businesses reportedly use this information to target?services—namely, to set prices.
7?curate news feeds,?8?serve advertisements,?9?and?conduct research on people’s behavior,10?among other things.
While, in theory, these personalization practices?have the potential to benefit consumers, reports note that they have facilitated consumer harms?that can be difficult if not impossible for any one person to avoid.??
11. Some companies, moreover, reportedly claim to?collect consumer data for one stated??purpose but then also use it for other purposes.
12?Many such firms, for example, sell or otherwise?monetize such information?or compilations of it in their dealings with advertisers, data brokers,?and other third parties.
13?These practices also appear to exist?outside of the retail consumer setting. Some employers, for example, reportedly collect an assortment of?worker data?to?evaluate productivity, among other reasons.
14—a practice that has become far more pervasive?since the onset of the COVID-19 pandemic.
15?Many companies engage in these practices pursuant to the ostensible?consent that they?obtain from their consumers.
16 But, as networked devices and online services become essential?to navigating daily life,?consumers may have little choice?but to accept the terms that firms?offer.
17?Reports suggest that?consumers have become resigned?to the ways in which companies?collect and monetize their information, largely because consumers have little to no actual control?over what happens to their information once companies collect it.
18.??In any event, the?permissions that consumers give may not always be meaningful or??informed. Studies have shown that most people do not generally understand the market for?consumer data that operates beyond their monitors and displays.
19. Most consumers, for example,?know little about the data brokers and third parties?who collect and trade consumer data or build consumer profiles.
20. That can?expose intimate details about their lives?and, in the wrong hands, could expose unsuspecting people to future harm.
21. Many privacy notices that acknowledge such risks are reportedly not readable to the average consumer.
22. Many?consumers do not have the?time to review lengthy privacy notices?for each of their devices, applications, websites, or?services.
23.?Let alone the?periodic updates?to them. If consumers do not have meaningful access to?this information, they cannot make informed decisions about the costs and benefits of using?different services.
24.?This?information asymmetry?between companies and consumer runs even deeper.?Companies can use the information that they collect to direct consumers’ online experiences in?ways that are rarely apparent—and in ways that go well beyond merely providing the products or?services for which consumers believe they sign up.
25.?The Commission’s enforcement actions?have targeted several pernicious dark pattern practices, including?burying privacy settings behind multiple layers of the user interface.
26.?And?making misleading representations?to “trick or trap” consumers into providing personal information.
27.?In other instances, firms may misrepresent or fail to communicate clearly?how they use and protect people’s data.
28.?Given the reported scale and pervasiveness of such practices,?individual consumer consent may be irrelevant.??
The material harms of these commercial surveillance practices may be substantial,?moreover, given that they may increase the risks of cyberattack by hackers, data thieves, and?other bad actors. Companies’ lax data security practices may impose enormous financial and?human costs. Fraud and identity theft cost both businesses and consumers billions of dollars, and?consumer complaints are on the rise.
29.?For some kinds of fraud, consumers have historically spent?an average of 60 hours?per victim?trying to resolve the issue.
30.?Even the?nation’s critical?infrastructure is at stake, as evidenced by the recent attacks on the largest fuel pipeline.
31.?Meatpacking plants,?32?and?water treatment facilities
33?in the?United States.?
Companies’ collection and use of data have significant consequences for consumers’?wallets, safety, and mental health.
Sophisticated digital advertising systems reportedly automate?the targeting of fraudulent products and services to the most vulnerable consumers.
34.?Stalking?apps continue to?endanger people.
领英推荐
35.?Children and teenagers remain vulnerable?to cyber bullying, cyberstalking, and the distribution of child sexual abuse material.
36.?Peer-reviewed research has?linked social media use with depression, anxiety, eating disorders, and suicidal ideation among?kids and teens.
37.?Finally, companies’ growing reliance on?automated systems?is creating new forms and?mechanisms for discrimination based on statutorily protected categories.
38. Including in critical?areas such as?housing,
39.?employment,?40.?and?healthcare.
41.?For example, some?employers’ automated systems?have reportedly learned to prefer men over women.
42.?Meanwhile, a recent?investigation suggested that?lenders’ use of educational attainment in credit underwriting?might disadvantage students who attended historically Black colleges and universities.
43.?And the?Department of Justice recently settled its first case challenging algorithmic discrimination?under the Fair Housing Act for a social media advertising delivery system that unlawfully discriminated based on protected categories.
44. Critically, these kinds of disparate outcomes may arise even when automated systems consider only?unprotected?consumer traits.
45.?The Commission is issuing this ANPR pursuant to Section 18 of the Federal Trade?Commission Act (“FTC Act”) and the Commission’s Rules of Practice.
46.?Because recent Commission actions, news reporting, and public research suggest that harmful commercial surveillance and lax data security practices may be prevalent and increasingly unavoidable.
47.?These developments suggest that trade regulation rules reflecting these current realities may be needed to ensure Americans are protected from unfair or deceptive acts or practices.
New rules?could also foster a greater sense of predictability for companies and consumers and minimize the uncertainty that case-by-case enforcement may engender.
Countries around the world and states across the nation have been alert to these concerns. Many accordingly have enacted laws and regulations that impose restrictions on companies’?collection, use, analysis, retention, transfer, sharing, and sale or other monetization of consumer data.
In recognition of the complexity and opacity of commercial surveillance practices today, such laws have reduced the emphasis on providing notice and obtaining consent and have instead?stressed additional privacy “defaults” as well as increased accountability for businesses and?restrictions on certain practices.
For example, European Union (“EU”) member countries enforce the EU’s?General Data?Protection Regulation?(“GDPR”),?48?which, among other things, limits the processing of personal?data to six lawful bases and provides consumers with certain rights to access, delete, correct, and?port such data.
49.Canada’s Personal Information Protection and Electronic Documents Act?and?
50.?Brazil’s General Law for the Protection of Personal Data?contain some similar rights.
51.?Laws in?California, 52.?Virginia, 53.?Colorado, 54.?Utah, 55. and?Connecticut, 56. moreover, include some?comparable rights, and numerous state legislatures are considering similar laws.?Alabama,?57.?Colorado,58. and?Illinois, 59. meanwhile,?have enacted laws related to the development and use of?artificial intelligence.
Other states, including Illinois,?60.?Texas,?61.?and?Washington,?62.?have enacted?laws governing the?use of biometric data.
All fifty U.S. states have laws that require businesses to?notify consumers of certain breaches of consumers’ data.
63.?And numerous states require??businesses to take reasonable steps to secure consumers’ data.
64.?Through this ANPR, the Commission is beginning to consider the potential need for rules?and requirements regarding commercial surveillance and lax data security practices.
Section 18 of the FTC Act authorizes the Commission to promulgate, modify, and repeal trade regulation?rules that define with specificity acts or practices that are unfair or deceptive in or affecting?commerce within the meaning of Section 5(a)(1) of the FTC Act.65?Through this ANPR, the?Commission aims to generate a public record about prevalent commercial surveillance practices?or lax data security practices that are unfair or deceptive, as well as about efficient, effective, and?adaptive regulatory responses.
These comments will help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers, even if the???Commission does not ultimately promulgate new trade regulation rules.
66.??The term “data security” in this ANPR refers to?breach risk mitigation,?data management?and retention, data minimization, and breach notification and disclosure practices.
For the purposes of this ANPR, “commercial surveillance” refers to the collection,?aggregation, analysis, retention, transfer, or monetization of consumer data and the direct?derivatives of that information.
These data include both information that consumers actively?provide—say, when they affirmatively register for a service or make a purchase—as well as?personal identifiers and other information that companies collect, for example, when a consumer?casually browses the web or opens an app. This latter category is far broader than the first.?
The term “consumer” as used in this ANPR includes businesses and workers, not just?individuals who buy or exchange data for retail goods and services. This approach is consistent?with the Commission’s longstanding practice of bringing enforcement actions against firms that??harm companies.
67.?as well as workers of all kinds.
68.?The FTC has frequently used Section 5 of?the FTC Act to protect small businesses or individuals in contexts involving their employment or?independent contractor status.?