FTC moves to create data security and privacy rules

The Federal Trade Commission (FTC) took the first steps towards codifying rules on commercial surveillance and data security Thursday, potentially expanding its longstanding role as the country’s de facto privacy watchdog. 

The agency announced that it was exploring regulation of corporate data practices — including how private management of data intersects with discrimination, harms to children, and consumer consent.

“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan in a press release. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent.” 

With the announcement, the agency is not yet proposing specific rules, but test driving a complex regulatory process — and how it might be used to protect consumers from the harmful use of their data. 

There will be a public comment period for the FTC’s Advanced Notice of Proposed Rulemaking (ANPR), lasting 60 days from when it's posted to the Federal Register. The agency is also holding a virtual public forum on the issue next month. 

Under Section 5 of its founding statute, the FTC has the authority to take action against companies engaging in deceptive and unfair practices. It has long used that power to go after companies with lax data security practices. However, that authority has limits — including that first-time violators caught by the agency don’t face financial penalties. A 2021 Supreme Court decision also severely limited the agency’s ability to get monetary relief from Section 5 cases. 

The ANPR is being issued under Section 18, an authority granted to the agency in 1975 under the Magnuson-Moss Warranty—Federal Trade Commission Improvement Act. 

Commissioner Rebecca Kelly Slaughter has pushed for the use of this power, which allows the agency to create “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce,” to address privacy and data security harms affecting consumers. 

However, that rulemaking authority is complex.

“Section 18 of the FTC Act is not like ordinary rulemaking under the Administrative Procedure Act,” Georgetown Law professor and former FTC Bureau of Consumer Protection chief David Vladeck explained, comparing it to the standard process most agencies use to develop regulations. It requires public comment and for the agency to determine how prevalent harmful practices are before it can determine if it will ultimately propose specific regulations.   

Last year, the agency moved to streamline the process for using Section 18 to create rules in 2021 as part of Chairman Khan’s aggressive consumer protection strategy, helping set the stage for the announcement today. 

Nonetheless, Vladeck said, making any rule changes “will be a multi-year process that will require a substantial resource commitment by the Commission.” It will also inevitably undergo judicial review, he added.

FTC Commissioners voted 3-2 to move forward with the ANPR, with Democratic Commissioners Slaughter and Alvaro Bedoya joining Khan in support, and Republican Commissioners Noah Phillips and Christine Wilson opposing. In statements about their dissents, Phillips and Wilson both argued rulemaking of this scope should happen in Congress. 

Congress is currently weighing a major privacy bill, American Data Privacy and Protection Act or ADPPA, but it appears unlikely to pass this year. 

In his statement, Phillips said he was heartened to see Congress at work on the issue and hopes the ANPR does not prevent its further consideration. 

In a press conference, FTC Bureau of Consumer Protection Director Sam Levine said Congress was in the best position to move quickly to protect consumers, and the agency’s exploration of rules in this sector didn’t preclude their action. All commissioners who voted in favor of the ANPR also expressed support for the bill. 

“I prefer Congressional action to strengthen our authority. But I know from personal experience that the road for a bill to become a law is not a straight or easy one,” said Slaughter. 

Bedoya  committed to not voting for specific rules that overlapped with the bill, were it passed by Congress. 

Should Congress take action, the length of the FTC’s rulemaking process means that the agency will “have an opportunity to readdress” if pursuing the rule making still makes sense, Khan said. 

Regardless, the rulemaking process would allow for the creation of a “robust public record” on commercial surveillance that could help inform policy-making, she added.