Federal Trade Commission Commercial Surveillance and Data Security Proposed Rulemaking

Commercial surveillance is the practice of collecting and analyzing information about people for profit. Over the past months, the U.S. Federal Trade Commission (FTC) has increased its focus on companies’ harmful commercial surveillance programs and on inadequate data security of personal information practices. Companies have been able to operate these programs with limited repercussions. Primary activities of companies that fall under the commercial surveillance category include collecting, analyzing, and monetizing vast amounts of consumer information. The FTC is concerned with obscure and excessive data collected, which could then be analyzed using algorithms and automated systems to create profiles, influence consumers, and predict their desires and behaviors. Additionally, companies often monetized this by using the collected and analyzed data for providing services/products, selling data to third parties for targeted ads, or using the data to target consumers with dangerous or harmful content.

In a recent interview at the IAPP Privacy. Security. Risk. Conference, U.S. Federal Trade Commissioner Rebecca Kelly Slaughter was asked: What do you think is the harm that the FTC should be focused on in terms of protecting consumers? Slaughter responded: “The thing I think I’m most worried about is the way in which data (our data) is turned around and used against us. Not just shared in ways we don’t want it to be, but used to, for example, target us with harmful, dangerous, manipulative content. I think that is a real problem about which we should be concerned.”

The FTC Act of 1914 empowers the Commission to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. This directive from Congress mandates the FTC to respond to such acts that are deemed unlawful. The FTC wants to better understand commercial surveillance with the potential for rulemaking if necessary to adhere to the Commission’s responsibility in enforcing the prevention of unfair methods of competition and/or unfair or deceptive acts or practices.

The FTC has published an Advance Notice of Proposed Rulemaking (ANPR), which is the first procedural step in determining if new trade regulation rules or other regulatory alternatives are warranted. The ANPR and related public comments will be an open record supporting the outcome.

The new trade regulation rules will clarify what the law prohibits and requires from market participants versus the current state, which requires market participants to read and understand fifteen FTC orders to interpret what the law expects and how to apply it to their business.

Why is this important?

Rules created by the FTC will directly impact consumers, privacy professionals, and client service practitioners. Existing FTC rules guide how we conduct business daily, including how to govern children’s privacy, the creation of the Privacy Act, and Privacy of Consumer Financial Information Act. Concerns expressed by the FTC include:

  • Lax data security – There is concern that many companies do not sufficiently or consistently invest in securing the data they collect against hackers and data thieves.
  • Retaliation – Companies may deny access to consumers who do not wish to have their personal information shared with other parties – or require consumers to pay a premium to keep their personal information private.
  • Inaccuracy – Automated decision-making systems and the algorithms that comprise them are safeguarded by companies, leading to a lack of knowledge regarding how they
  • Dark patterns – By utilizing a dark pattern, a company is attempting to influence or manipulate a consumer into making a decision they might not usually make on their own.
  • Harm to children – With the expansion of technologies that are directed at kids and the growing reliance on digital tools, children and teens face greater risks of immediate and long-term dangers
  • Surveillance creep – Companies often deceive consumers in their privacy policies regarding data collection and the various purposes of that data collection by using the data for other purposes not originally stated in the privacy policy.
  • Bias and discrimination – Several widely-used commercial surveillance practices may result in bias against users based on protected characteristics such as race, gender, age, etc.

Next steps

Provide feedback. Review the topics and questions located on the FTC’s website here and provide the FTC comments in the areas of expertise and knowledge here. While there are 10 topics and almost 100 questions to consider, these are not all-inclusive. For example, there are no specific questions related to the potential harm of collecting user location data; therefore, it is important for the public to review and provide response and comment. The FTC has extended the public comment period to November 21, 2022, as it is important to collect comments from a wide breadth of stakeholders.

For those who would prefer to provide comments via paper, mail those comments to the FTC at:

Federal Trade Commission, Office of the Secretary

600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B)

Washington, DC 20580

Michael Kim

Security and Privacy

Joseph Emerson

Security and Privacy

Subscribe to Topics

In the latest episode, Protiviti’s @KonstantHacker and guest @JulienCamirand from Nord Quantique discuss a new approach to qubit error correction. Listen now! https://ow.ly/h4Oc50SqWh5 #ProtivitiTech #Quantum #Podcast

#Protiviti is a 2024 Compliance #Microsoft Partner of the Year Finalist. Congrats to this year’s award recipients who were selected based on their commitment to customers, the impact of their solutions, and their exemplary use of Microsoft tech. https://ow.ly/69mt50SqWbB #MSPartner

How can you tell if a #fintech firm is competent with #GenAI? Certification can certainly distinguish a firm from its competitors, says Protiviti’s Christine Livingston, but is also doesn’t tell the full story about how well they leverage the tech overall. https://ow.ly/vy1r50SkquW

Generative #AI is set to revolutionize the field of enterprise architecture. Get a comprehensive overview of the impact of #GenAI on EA activities, plus challenges, risks and limitations in the latest Technology Insights blog post. https://ow.ly/foPJ50SkUW6 #ProtivitiTech

Protiviti’s @KonstantHacker will join a panel to speak on “Quantum Leap: Securing Manufacturing's Next Frontier with Post Quantum Cryptography” on July 18 in Chicago, IL. Register today for this in-person event. https://ow.ly/s02X50SkfcI #ProtivitiTech #Quantum

Load More