On August 11, 2022, the Federal Trade Commission (“FTC”) released an “Advance Notice of Proposed Rulemaking” (the “Advance Notice”) proposing to adopt rules regulating “commercial surveillance” and “data security” practices.1 In the Advance Notice, the FTC confirmed its intention to conduct its rulemaking process pursuant to Section 18 of the Federal Trade Commission Act, more commonly known as Magnuson-Moss (or “Mag-Moss”) rulemaking authority. With the release of the Advance Notice, it appears that the FTC is fulfilling Chair Lina Khan’s promise that this would be “a busy summer” for the FTC with respect to regulating privacy and data security issues.2 In this client alert, we seek to answer some of the key questions raised by the FTC’s action.
What Is the FTC Proposing to Do?
The Advance Notice does not include specific rule proposals; rather, the FTC lays out a general case for why rules addressing “harmful” commercial surveillance and “lax” data security practices may be justified.3 The scope of the FTC’s Advance Notice — and therefore the scope of the potential rulemaking — is all-encompassing, potentially covering everything from consumer finance, tech, and healthcare to retail, real estate, and education, and expressly includes relationships — like the employer/employee relationship — that have been carved out of many recently enacted comprehensive state privacy laws. In the Advance Notice, the FTC observes that Americans “surrender their personal information to engage in the most basic aspects of human life” and that companies have developed products and services “to collect and monetize this data.”4 The FTC explains that its privacy authority has been developed on a “case-by-case” basis and through general rulemaking under sector-specific statutes, and that these enforcement actions and rulemaking initiatives have raised important questions about commercial surveillance and data security practices across a broad swath of companies and industries, specifically mentioning insurance, consumer finance, and healthcare as important industries in which commercial surveillance and the use of algorithmic decision-making is prevalent and/or where threats to data security are growing.
The Advance Notice then asks about twenty pages of questions seeking public comment on a variety of issues raised by the stated concerns regarding commercial surveillance and data security practices. These questions include how companies currently surveil consumers; whether and how data minimization and other privacy restrictions hamper algorithmic decision-making and learning; how prevalent algorithmic discrimination is and how such discrimination may affect consumers; and what data security measures companies should implement to protect against risks to the security, confidentiality, or integrity of personal data.
What Is “Mag-Moss” Rulemaking Authority and Why Does It Matter?
Much of the tone and substance of the Advance Notice is driven by the requirements of the Mag-Moss rulemaking procedures. Unlike other independent agencies, the FTC’s rulemaking authority is limited. For example, it may conduct specific rulemaking proceedings as directed by federal laws, and such proceedings would be conducted pursuant to the Administrative Procedures Act. Mag-Moss rulemaking authority gives the FTC some ability to adopt rule outside the context of specific statutory authority, but imposes a higher burden and requires completion of more cumbersome administrative steps, such as an Advance Notice of Proposed Rulemaking, which historically has significantly drawn out rulemakings conducted by the Mag-Moss process. However, in 2021, Chair Khan led a successful effort to change the FTC’s internal rules to streamline the administrative process for Mag-Moss rulemaking proceedings.5 Even under the revised internal rules, however, Mag-Moss rulemaking proceedings remain a difficult and complicated process, and the breadth of the questions asked in the Advance Notice highlights the burden that the FTC faces as it seeks to move forward with rulemaking proceedings concerning issues as complex and controversial as commercial surveillance and data security.
What Did the Other Commissioners Say?
The Advance Notice was adopted on a party-line vote, with each of the five FTC Commissioners releasing a detailed statement outlining their reasons for supporting or opposing the Advance Notice. The three Democratic members of the Commission — Chair Khan,6 Commissioner Alvaro Bedoya,7 and Commissioner Rebecca Slaughter8 — supported the Advance Notice, while the Republican members — Commissioner Noah Phillips9 and Commissioner Christine Wilson10 — did not. Of note, both Commissioner Phillips and Commissioner Slaughter provided highly detailed analyses of the pros (Slaughter) and cons (Phillips) of the FTC moving forward with the rulemaking.
What about Congress and Any Legislative Solutions?
Each Commissioner referenced the potential enactment of a federal privacy law, such as the proposed American Data Privacy Protection Act (“ADPPA”). The three Democratic Commissioners explained that they hoped the FTC’s action would spur those legislative efforts — with Chair Kahn explicitly noting that enactment of the ADPPA would likely preclude the need for the rulemaking proceeding, and Commissioner Bedoya urging Congress to enact the ADPPA. On the other side, the two Republican Commissioners argued that the FTC’s rulemaking proceeding is unnecessary, and potentially unlawful, in light of those efforts. In particular, Commissioner Wilson articulated her concern that the FTC’s rulemaking proceeding may be used “as an excuse to derail the ADPPA.”11 Representative Frank Pallone, Chairman of the House Commerce Committee, issued a statement appreciating the FTC’s action to protect consumers, but Representative Pallone noted that “Congress has a responsibility to pass comprehensive federal privacy legislation.”12 Meanwhile, the Ranking Member of the House Commerce Committee, Representative Cathy McMorris Rodgers, released a statement that “the American Data Privacy and Protection Act continues to be the best path forward,” suggesting that she does not support the FTC’s rulemaking proceeding.13
What’s Next?
Because the FTC is proceeding under Mag-Moss authority, it must complete several administrative steps. First, the FTC must undertake a series of public forums designed to ensure broad public participation in the proceeding. The first such effort will be a virtual public forum on September 8, 2022 to solicit public comment on the topics noted in the Advance Notice and any future rulemaking proceedings conducted by the FTC. Second, it must ensure that the record includes detailed comments in response to questions designed to address just how prevalent the identified problem is and whether existing regulatory solutions are sufficient to address it. To that end, the FTC is soliciting written public comments on the Advance Notice — these will be due 60 days after the Advance Notice is published in the Federal Register. Before the FTC can move forward to a final rule, it must develop, adopt, and release a Notice of Proposed Rulemaking with specific proposed rules, with another public comment period, public forums, and other input from the public and very likely Congress.
This is just the first step in what is potentially a long and winding road to any final rules. And even if the FTC manages to adopt a set of final rules in this proceeding, it remains to be seen whether such rules could withstand judicial scrutiny, especially in light of the anti-regulatory stance taken by the Supreme Court in recent cases, like West Virginia v. EPA.14 For now, however, the Advance Notice is so broad and covers so many issues that companies across the economy will need to prepare for a complicated rulemaking proceeding that may produce regulations with broad, significant and lasting effects on companies’ data collection, surveillance and data security practices.
1 Trade Regulation Rule on Commercial Surveillance and Data Security, 16 C.F.R. 464, FTC (Aug. 11, 2022), here.
2 Andrea Vittorio, Data Privacy Takes Priority for FTC Chief as Dems Break Deadlock, Bloomberg Law (June 8, 2022), here.
3 “Commercial surveillance” is defined as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” and “data security” as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.” Advance Notice, at 12–13.
5 FTC Votes to Update Rulemaking Procedures, Sets Stage for Stronger Deterrence of Corporate Misconduct, FTC (July 1, 2021), here.
6 Statement of Chair Lina M. Khan Regarding the Commercial Surveillance and Data Security Advance Notice of Proposed Rulemaking Commission File No. R111004, FTC (Aug. 11, 2022), here.
7 Statement of Commissioner Alvaro M. Bedoya Regarding the Commercial Surveillance and Data Security Advance Notice of Proposed Rulemaking, FTC (Aug. 11, 2022), here.
8 Statement of Commissioner Rebecca Kelly Slaughter Regarding the Commercial Surveillance and Data Security Advance Notice of Proposed Rulemaking, FTC (Aug. 11, 2022), here.
9 Dissenting Statement of Commissioner Noah Joshua Phillips Regarding the Commercial Surveillance and Data Security Advance Notice of Proposed Rulemaking, FTC (Aug. 11, 2022), here.
10 Dissenting Statement of Commissioner Christine S. Wilson Trade Regulation Rule on Commercial Surveillance and Data Security, FTC (Aug. 11, 2022), here.
11 Id.
12 Pallone on FTC’s Advance Proposed Rulemaking on Privacy (Aug. 11, 2022), here.
13 Leader Rodgers’ Statement on the FTC’s Proposed Privacy Rulemaking Notice and the Importance of Enacting one National Standard (Aug. 11, 2022), here.
