Press "Enter" to skip to content
FTC Building

FTC Seeks Input for Potential Data Privacy and Security Rulemaking

Published August 15, 2022 by Eric Rosenkoetter

FTC BuildingOn Aug. 11, 2022, the Federal Trade Commission issued an Advance Notice of Proposed Rulemaking seeking input that will shape potential rules “to crack down on harmful commercial surveillance and lax data security.” 

The focus of the ANPR overlaps in part with recent state consumer data privacy laws and federal legislation, but the definition of “commercial surveillance” is extremely broad and “refers to the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”  

By that definition, receiving information from a consumer who applies for a loan and, using that information with permission to obtain information of their creditworthiness, would be considered “surveillance.” 

Note that the definition in the ANPR differs from the definition in the FTC’s Fact Sheet on the FTC’s Commercial Surveillance and Data Security Rulemaking where commercial surveillance is described as “the business of collecting, analyzing, and profiting from information about people.”

The ANPR provides a summary of the FTC’s history of enforcement actions related to data privacy and security and then turns to its reasons for the rulemaking, explaining that its “experience suggests that enforcement alone without rulemaking may be insufficient to protect consumers from significant harms.”

The ANPR states that part of the issue is the fact that “the FTC Act limits the remedies that the Commission may impose in enforcement actions,” since “the Commission does not have authority to seek civil penalties for first-time violations [of Section 5 of the FTC Act].”  However, trade regulation rules would remedy that issue and “incentivize all companies to invest in compliance more consistently.”

The ANPR includes 95 questions spread out among the following topics:

  1. To What Extent Do Commercial Surveillance Practices or Lax Security Measures Harm Consumers?
  2. To What Extent Do Commercial Surveillance Practices or Lax Data Security Measures Harm Children, including Teenagers?
  3. How Should the Commission Balance Costs and Benefits?
  4. How, if at All, Should the Commission Regulate Harmful Commercial Surveillance or Data Security Practices that Are Prevalent?
    1. Rulemaking Generally
    2. Data Security
    3. Collection, Use, Retention, and Transfer of Consumer Data
    4. Automated Decision-making Systems
    5. Discrimination Based on Protected Categories
    6. Consumer Consent
    7. Notice, Transparency, and Disclosure
    8. Remedies
    9. Obsolescence

The deadline for submitting comments will be 60 days from the date the ANPR is published in the Federal Register, and there will be a virtual public forum on Sept. 8, 2022.

 

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Published in Compliance Management and Data Privacy and Security

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.