FTC commercial surveillance rules could arrive within months, sources say
The Federal Trade Commission (FTC) is aiming to roll out its long-awaited proposed rules governing commercial surveillance in the next few months, with a focus on ensuring that companies properly handle the data they harvest from the apps, websites and devices that consumers use.
According to two sources familiar with the agency’s plans, the rules will emphasize data security and data minimization, or the idea that companies should only collect the data they need to conduct business with consumers and delete it when business concludes.
Other areas of concentration will include algorithmic accountability — or the concept that companies should face consequences for actions taken based on decisions by algorithms — and the related issue of how to protect consumers’ civil rights from algorithmic errors.
The agency has been working behind the scenes to set the new proposed rules since August 2022, when it announced it had begun seeking new ways to crack down on what it called at the time “harmful commercial surveillance and lax data security.”
Commercial surveillance is the business of gathering, analyzing and making money from individuals’ personal data. The companies affected by the rule could include all of those using data in their business, including banks, retailers, insurers and car manufacturers as well as tech giants trafficking in data such as Meta and Google.
When the agency first announced it was investigating a new rule, it said in a press release that “mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses.”
New regulations governing commercial surveillance would have a huge impact on data privacy because it would establish bright lines around what is and isn’t permissible for companies to do, instead of forcing the agency to rely on piecemeal enforcement actions as currently happens.
Agency officials have been signaling this work may be coming to a head in recent days. In remarks delivered at Fordham Law School last week, Bureau of Consumer Protection Director Samuel Levine outlined a series of recent FTC enforcement actions which he said should be seen as laying the groundwork for “our ongoing surveillance rulemaking proceeding, where we are considering market-wide rules to protect consumers’ data.”
Levine cited a series of recent relevant FTC enforcements, including five cases against companies sharing consumers’ sensitive health data for advertising purposes and 16 orders carrying data minimization requirements.
“Today’s commercial surveillance practices are threatening not only our privacy but our fundamental freedoms,” Levine said. “We want Americans to be able to enjoy a zone of privacy on the internet, rather than needing to surrender to constant surveillance that undermines our fundamental freedoms.”
An FTC spokesperson declined to comment for this story.
‘Privacy writ large’
The FTC’s work setting new commercial surveillance rules has been closely watched in the privacy community, where advocates say change is desperately needed.
The agency “establishing guardrails for the collection and the use of our information would be a critical step forward in recognizing that we deserve to have privacy online and off, and it's certainly a call to action for Congress to follow suit,” said Cody Venzke, senior policy counsel at the ACLU.
A second privacy advocate who requested anonymity due to the secrecy surrounding the FTC’s plans called the rulemaking the “most comprehensive attempt by the FTC to regulate privacy writ large, as opposed to their usual modus operandi of individual enforcement actions."
The agency’s initial announcement that it was considering pursuing such a rule made several references to both algorithmic accountability and data minimization and security, as well as how they are intertwined.
“Data abuses such as surreptitious biometric or location tracking, unaccountable and discriminatory algorithmic decision-making, or lax data security practices have been either caused by, exacerbated by, or are in service of nearly unfettered commercial data collection, retention, use, and sharing,” Commissioner Rebecca Kelly Slaughter wrote in the notice announcing the agency would be investigating the new rule.
That document began with a stark warning about the way companies capture Americans’ data everywhere they go, citing how “when they buy groceries, do homework, or apply for car insurance, for example, consumers today likely give a wide range of personal information about themselves to companies, including their movements, prayers, friends, menstrual cycles, web-browsing, and faces, among other basic aspects of their lives.”
Once the FTC issues its “notice of proposed rulemaking” it will hold a hearing inviting more public comment before formalizing the new rule.
Even with the FTC apparently moving forward, the effort could be upended if the new American Privacy Rights Act passes in Congress. That legislation, still in draft form for now, includes language saying that it would end an FTC rule on commercial surveillance. It is unclear if APRA will gain traction in Congress when it is formally introduced, much less be enacted.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.