SHARE

August 15, 2022

The FTC Seeks Public Comments Following Introduction of Federal Privacy Bill

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all Law.com OnPractice content.
Register Now

Key Takeaways

  • The FTC's definitions of "data security" and "surveillance" are very broad, encompassing practices that are outside of the traditional understanding of those phrases. This could mean that the FTC's rules could dictate appropriate practices for a company's entire privacy program.
  • These questions provide the opportunity for companies and other stakeholders to comment on how they use information and how an FTC rule could impact their operations.
  • The FTC is considering the impact of existing laws, like the Children's Online Privacy and Protection Act and the Gramm-Leach-Bliley Act, and the forthcoming regime of state privacy laws taking effect in 2023. These are smart and important questions, as the FTC's rules should not be adopted in a vacuum lest they serve little more than to complicate an already challenging and growing mosaic of privacy laws applicable to companies in the United States.

Data privacy and security are again taking center stage in Washington, DC. On the heels of Congress's introduction of the American Data Privacy and Protection Act (ADPPA), the Federal Trade Commission (FTC) announced on August 11, 2022, that it was seeking public comments on 95 questions in an Advance Notice on Proposed Rulemaking for a Trade Regulation Rule on Commercial Surveillance and Data Security (ANPR). While members of the FTC have supported the ADPPA, they continue to express an interest in rulemaking that ultimately complements any legislation that may pass.

For the FTC, any final rule would be promulgated under its power to regulate unfair and deceptive trade practices. Public comments provided in response to this ANPR will help direct the FTC as to which topics, if any, warrant inclusion in a final rule. While this ANPR does not bind the FTC to include certain topics in a final rule or even bind the FTC to finalize any rule at all, it seems likely that the FTC will try to finalize some privacy regulations before the end of the Biden administration. In fact, one of the primary drivers for regulating privacy appears to be the FTC's desire to be able to penalize first-time offenders without first providing a warning as would be required following a Section 5 investigation.

IN DEPTH


HIGHLIGHTING FTC PRIORITIES

The ANPR provides valuable insight into what members of the FTC ultimately hope to include in a final rule and indicates that the FTC may be interested in addressing a wide array of activities, practices and potential enforcement authority. Specifically, input has been requested related to "data security" and "commercial surveillance." "Data Security" includes breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices. "Commercial surveillance" includes the collection, aggregation, analysis, retention, transfer or monetization of consumer data and direct derivatives of that information, including information actively provided by and passively collected from consumers.

The FTC's 95 questions invite discussion on a range of topics—from the effectiveness of current privacy and data security requirements and balancing the costs and benefits of regulation, to the harm to children and teenagers that potential commentators believe results from current business practices. Several strategies appear under consideration to address these practices. This ANPR requests input on data minimization; stronger consumer consent; and principles of notice, transparency and disclosure. Perhaps one of the more interesting aspects of the ANPR is the FTC's floating of a trial balloon to enlist non-FTC, private entity assistance to administer and enforce any new regulations. Where standards for data practices, commercial surveillance and automated decision-making are considered, the FTC also requests input on whether the FTC or a third-party entity would be better suited for certifying compliance.

KEY TAKEAWAYS

Through the series of questions and an introduction setting the stage for this rulemaking, one key theme emerges: Despite questions regarding its authority to regulate in the manner it proposes and resource restraints potentially hindering the FTC's enforcement activities, the FTC wants to establish clear requirements or benchmarks to incentivize companies to invest in compliance and privacy-protective measures. Here are the things we are keeping a close eye on as this rulemaking continues:

  • The FTC's definitions of "data security" and "surveillance" are very broad, encompassing practices that are outside of the traditional understanding of those phrases. This could mean that the FTC's rules could dictate appropriate practices for a company's entire privacy program.
  • These questions provide the opportunity for companies and other stakeholders to comment on how they use information and how an FTC rule could impact their operations.
  • The FTC is considering the impact of existing laws, like the Children's Online Privacy and Protection Act and the Gramm-Leach-Bliley Act, and the forthcoming regime of state privacy laws taking effect in 2023. These are smart and important questions, as the FTC's rules should not be adopted in a vacuum lest they serve little more than to complicate an already challenging and growing mosaic of privacy laws applicable to companies in the United States.

The ANPR will soon be published in the Federal Register; stakeholders will then have 60 days to submit their comments. The FTC is also hosting a virtual public forum for the issues raised in its ANPR on September 8, 2022. The plans for and, ultimately, contents of a potential final rule remain a mystery for now, but this ANPR invites all stakeholders to weigh in and provide valuable insights for the FTC in shaping this rule.

If you have questions about this ANPR or need any assistance with privacy program compliance, please reach out to your McDermott lawyer or contact Amy Pimentel.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From McDermott Will & Emery

Oil License Corruption Charges Don't Stick In Milan Court Of Appeal

By McDermott Will & Emery attorneys McDermott Will & Emery January 27 , 2023

In 2011, global oil company Shell and Italian state-owned oil company ENI struck a deal with the Nigerian government to jointly acquire the license to one of the most valuable oil blocks in Nigeria, known as Oil Prospecting License 245 (OPL 245).

This Week in 340B: January 17 - 23, 2023

By Emily Jane Cook McDermott Will & Emery January 26 , 2023

This weekly series provides brief summaries to help you stay in the know on how 340B cases are developing across the country.

IRS Releases Memorandum on Deducting Cryptocurrency Losses

By Andrew M. Granek McDermott Will & Emery January 26 , 2023

On January 13, 2023, the Internal Revenue Service (IRS) released a Chief Counsel Advice Memorandum (CCA 202302011) concluding that taxpayers cannot claim a deduction for cryptocurrency losses that have, absent a sale or other taxable disposition, substantially declined in value if such cryptocurrency continues to trade on at least one cryptocurrency exchange and has a value that is greater than zero.

More From Privacy

California AG Announces Investigation of Mobile Apps' CCPA Compliance

By Gretchen A. Ramos Greenberg Traurig January 31 , 2023

On Jan. 27, 2023, the California Attorney General announced his office is investigating and sending letters to businesses in the retail, travel, and food industries with popular mobile apps that allegedly are not in compliance with the California Consumer Privacy Act (CCPA) by failing to offer a consumer opt-out mechanism for sales, or honor rights requests submitted via authorized agents.

U.S. Supreme Court Dismisses as 'Improvidently Granted' Case on Scope of Attorney-Client Privilege

By Stephanie L. Adler-Paindiris Jackson Lewis P.C. January 30 , 2023

In a per curiam opinion, the U.S. Supreme Court has dismissed the writ of certiorari granted in In re: Grand Jury, No. 21-1397, writing only that it was “improvidently granted.”

5 Trends to Watch: 2023 Data Privacy & Cybersecurity

By Gretchen A. Ramos Greenberg Traurig January 26 , 2023

While ransomware attacks have been on the rise since 2020, a recent trend has emerged where threat actors are bypassing ransomware malware and encryption tactics and going straight to data theft.

Featured Stories
Closeclose
Search
Menu

Working...