On August 22, 2022, the Federal Trade Commission (“FTC”) indicated through the Advanced Notice of Proposed Rulemaking its intent to limit commercial surveillance – the common corporate practice of collecting, analyzing, and monetizing consumers’ data. As slews of data breaches resulted in millions of dollars in settlement and countless consumers whose data had been jeopardized, 33 states, including Massachusetts, New York, and Texas, showed support for the FTC’s proposed rule through a comment letter dated November 17, 2022.
The letter highlighted the following three areas of greatest concern regarding consumer data:
- Location data;
- Biometric data (such as facial recognition and fingerprinting); and
- Medical data collected by applications, wearables, and devices, regardless of whether Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies.
As pointed out in the letter, consumers are often unaware of when and how their location and biometric information are collected and how they are used. In most cases, consumer-facing privacy policies go unread. Even when consumers take the time to read through the policies, they are often not helpful or understood. For medical data, many consumers do not have a full understanding of how far HIPAA can reach. To address these concerns, the comment letter urged the FTC to focus its regulatory efforts on these three areas of commercial data.
Additionally, the AG comment letter expressed concerns about data brokers and the risks posed by their creation of personalized profiles of consumers (profiles created by scouring online databases, social media, and internet browsing histories). Some data brokers then sell or release these consumer profiles, exposing consumers to heightened risk of targeted scams, advertising, and identity theft. While data brokers are not required to obtain consumers’ consent to collect and sell the consumer profiles, consumers must contact each relevant broker to opt out of the data collection.
The AG comment letter also suggested the FTC refer to the approaches of five model states – California, Colorado, Connecticut, Utah, and Virginia – that have taken initiative in protecting their privacy of their consumers. All five states require businesses to limit the collection of consumer personal data only to what is “reasonably necessary” to a specified purpose. Similarly, the AG comment letter encouraged the FTC to consider limiting businesses’ data retention and impose data minimization requirements to mitigate potential future exposure of consumer data.
Although the AG comment letter expressed support for the FTC’s recent rulemaking approach, the FTC also faces strong pushback from advocacy groups and tech industry groups. These groups’ main arguments are that: (i) the FTC does not have the rulemaking authority in the data privacy and security arena; and (ii) the FTC should focus its punitive efforts on the breachers rather than the businesses.
The extended deadline for comments to the FTC’s rulemaking proposal closed on November 21, 2022, with over 11,000 comments submitted on the matter. Many parties have shown great interest in the FTC’s response to the comments. We will continue to provide updates on the regulatory developments around commercial surveillance.