The FTC’s ANPR, A New Framework for Privacy Law
The Federal Trade Commission (FTC) issued a press release in August of this year stating that the agency would be working towards passing some form of federal data protection legislation, but the contents, scope, and application of such a law were not expressly stated. To this end, the FTC also published an advance notice of proposed rulemaking (ANPR) on August 11, 2022, with the aim of obtaining feedback from the general public on commercial surveillance and data security practices, in addition to numerous other data privacy topics. The approach that the FTC has taken in recent months concerning personal privacy is very much unprecedented.
For reference, virtually all attempts to pass data protection legislation at the U.S. federal level have all but failed as of 2022, and the overwhelming majority of privacy legislation within the country is limited to sector-specific laws, making it difficult to ensure that every American citizen has their personal data safeguarded at all times. For this reason, it is interesting to note the more macro approach that the FTC is taking when considering the prospect of a major data privacy law, as members of the general public are the very people that such legislation would be enacted to protect in the first place. Likewise, the FTC has described the ANPR as an attempt to “generate a public record” concerning data privacy practices as opposed to a list of proposed rules that are set in stone.
In what has been a recurring theme for the current chairperson of the FTC, Lina Khan, the agency’s ANPR stands in contrast to previous approaches that the agency has taken with regard to the protection of personal data. To illustrate this point, the FTC has been criticized for the manner in which it handled the infamous Facebook-Cambridge Analytica scandal, in which Meta paid a record-setting monetary fine of $5 billion to the government agency in 2019. However, while this fine made headlines around the world, many privacy advocates and government officials alike argued that the fine failed to truly address the underlying factors that allowed for an incident such as the Cambridge Analytica scandal to occur in the first place.
To this end, Rohit Chopra, a Democrat and former member of the FTC, was quoted as saying that the U.S. federal government “essentially traded getting more money, so that an individual did not have to submit to sworn testimony and I just think that’s fundamentally wrong. The lawsuit claims that the settlement was approximately $4.9bn more than Facebook’s maximum exposure under the applicable statute”. It was subsequently revealed in 2021 that the fine the FTC initially desired to impose against Mark Zuckerberg was significantly lower than the fine he and his company ultimately agreed to pay, as the former is estimated to have been in the ballpark of $106 million, a far cry from the billions of dollars that were paid in the latter.
Going back to the discussion of a federal data protection law, legislation that mimics the fashion in which the FTC has handled privacy violations in the past would fail to achieve the task at hand under many circumstances. Such an approach has been described as the “notice and consent framework, where companies ask consumers to agree to lengthy privacy policies that are heavy on legal text.” This being the case, Khan was quoted as saying that the FTC should instead “approach data privacy and security protections by considering substantive limits rather than just procedural protections,” when speaking at an event that was hosted by the International Association of Privacy Professionals in April of this year.
Key areas of focus
As is the case with any regulations or laws that are geared towards protecting the personal privacy of individuals, the FTC’s ANPR contains several key areas of focus. Most notably, the FTC is looking for members of the American populace to provide the agency with feedback concerning the issues of targeted or personalized advertising, the collection and retention of biometric data, purpose limitation, data minimization, and the privacy of children within the U.S., in addition to others. On top of this, the ANPR also poses several questions to the general public on the issues of data security and commercial surveillance.
For example, one of the questions in the ANPR asks “to what extent do commercial surveillance practices or lax security measures harm consumers?” Another question asks “what are the costs and countervailing benefits of commercial surveillance practices for consumers and competition?” Furthermore, the privacy framework also asks American citizens how they would handle specific topics concerning the larger issues of data security and commercial surveillance, including consumer consent, automated decision-making systems, and the collection, retention, and transfer of consumer data, among other things.
While the FTC’s most recent efforts to spur the U.S. federal government into passing some form of comprehensive data protection legislation in the upcoming years may never bear fruit, the fact that the government agency has even begun proposing the framework that could serve as the foundation for such a law is a positive development on its own. Moreover, members of the American public have the unique opportunity to have their opinions heard on how they feel a federal privacy law should take shape, as the entire goal of such legislation is to protect the privacy and security of the everyday working citizen.