FTC Addresses Privacy and Data Security Issues In ADPR





The FTC recently announced an ambitious Advance Notice of Proposed Rulemaking (ANPR) broadly aimed at a host of privacy and data security issues. This is the first step by the agency to explore using its Section 18 rulemaking authority under the FTC Act to issue a broad consumer privacy-focused trade regulation rule. The ANPR poses 95 questions and various topics, ranging from collection of information from children, to consent, data security, biometrics, artificial intelligence, and automated decision-making. The ANPR is focused on the impact to consumers and as workers or employees in a business capacity.

In its overview, the FTC points to the rise in privacy and security regulation at the international and state levels, suggesting a need for a more comprehensive approach at the federal level. The Agency also noted limitations in its own regulatory parameters, citing limits to its ability to issue remedies. Because the agency generally lacks authority to seek monetary remedies for initial violations of the FTC Act, the Commission believes that enforcement of the FTC Act alone may not be enough to protect consumers. As a result, the Commission views rules that establish privacy and data security requirements as arguably providing the FTC the authority to seek financial penalties for first-time violations and thereby driving compliance.

Section 18 of the FTC Act authorizes the FTC to issue trade regulation rules that define with specificity acts or practices that are unfair or deceptive (known as “Mag Moss Rulemaking”). Under Section 18, the agency must show that the unfair or deceptive acts or practices in question are prevalent. This determination can be made only if the FTC has previously “issued cease and desist orders regarding such acts or practices,” or if it has any other information that indicates a widespread pattern of unfair or deceptive acts or practices. That said, the FTC’s stated purpose for the ANPR is to generate a public record about prevalent commercial surveillance practices or lax data security practices that are unfair or deceptive. The Commission concedes that the comments might not ultimately result in the promulgation of new rules, but that the comments will inform the Commission’s enforcement work and may inform reform by Congress or other policymakers.

Putting it Into Practice. While it is too soon to say whether this process will result in any substantive rules (Mag Moss rulemaking is a lengthy process taking several years if successful), the ANPR is nonetheless informative. The questions posed in the ANPR provide clues on the FTC’s perspective on certain activities and potential enforcement priorities. Comments to the ANPR must be received 60 days after publication of the notice in the federal register. The FTC will also be holding a public forum on September 8, 2022. Comments can be submitted online or by paper. Other guidelines for submitting comments can be found in the ANPR.


Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.
National Law Review, Volume XII, Number 234




Leave a Reply

Your email address will not be published. Required fields are marked *