The Federal Trade Commission (FTC) is aiming to roll out its long-awaited proposed rules governing commercial surveillance in the next few months, with a focus on ensuring that companies properly handle the data they harvest from the apps, websites and devices that consumers use. According to two sources familiar with the agency’s plans, the rules will emphasize data security and data minimization, or the idea that companies should only collect the data they need to conduct business with consumers and delete it when business concludes.[1]

Other areas of concentration will include algorithmic accountability, or the concept that companies should face consequences for actions taken based on decisions by algorithms, and the related issue of how to protect consumers’ civil rights from algorithmic errors.

The agency has been working behind the scenes to set the new proposed rules since August 2022, when the FTC announced it had begun seeking new ways to crack down on what it called at the time “harmful commercial surveillance and lax data security.”

Commercial surveillance is the business of gathering, analyzing and making money from individuals’ personal data. The companies affected by the rule could include all of those using data in their business, including banks, retailers, insurers and car manufacturers as well as tech giants trafficking in data such as Meta and Google.

When the agency first announced it was investigating a new rule, it said in a press release that “mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses.”

New regulations governing commercial surveillance would have a huge impact on data privacy because they would establish bright lines around what is and isn’t permissible for companies to do, instead of forcing the agency to rely on piecemeal enforcement actions as currently happens.

* The FTC's proposed commercial surveillance rules would mark a major shift in data privacy regulations, creating clear guidelines for what companies can and cannot do with the consumer data they collect. This contrasts with the agency's current practice of relying on individual enforcement actions.

* These upcoming changes are expected to stress the importance of data security and data minimization. That means businesses would need to ensure proper handling of consumer data and limit their data collection to only what's necessary for operations. It also suggests a focus on deleting the user data once it's no longer needed for conducting business.

* The proposed rules also suggest an emphasis on algorithmic accountability, which would require companies to face consequences for actions taken based on decisions by their algorithms. This points to added consumer protections safeguarding civil rights against potential algorithmic errors.

In recent days, agency officials have been signaling that this work may be coming to a head. In remarks delivered at Fordham Law School last week, Bureau of Consumer Protection Director Samuel Levine outlined a series of recent FTC enforcement actions which he said should be seen as laying the groundwork for “our ongoing surveillance rulemaking proceeding, where we are considering market-wide rules to protect consumers’ data.”

Levine cited a series of recent relevant FTC enforcements, including five cases against companies sharing consumers’ sensitive health data for advertising purposes and 16 orders carrying data minimization requirements.

“Today’s commercial surveillance practices are threatening not only our privacy but our fundamental freedoms,” Levine said. “We want Americans to be able to enjoy a zone of privacy on the internet, rather than needing to surrender to constant surveillance that undermines our fundamental freedoms.”

An FTC spokesperson declined to comment for this article.

‘Privacy writ large’

The FTC’s work setting new commercial surveillance rules has been closely watched in the privacy community, where advocates say change is desperately needed.

The agency “establishing guardrails for the collection and the use of our information would be a critical step forward in recognizing that we deserve to have privacy online and off, and it's certainly a call to action for Congress to follow suit,” said Cody Venzke, senior policy counsel at the ACLU.

A second privacy advocate who requested anonymity due to the secrecy surrounding the FTC’s plans called the rulemaking the “most comprehensive attempt by the FTC to regulate privacy writ large, as opposed to their usual modus operandi of individual enforcement actions.”

The agency’s initial announcement that it was considering pursuing such a rule made several references to both algorithmic accountability and data minimization and security, as well as how they are intertwined.

“Data abuses such as surreptitious biometric or location tracking, unaccountable and discriminatory algorithmic decision-making, or lax data security practices have been either caused by, exacerbated by, or are in service of nearly unfettered commercial data collection, retention, use, and sharing,” Commissioner Rebecca Kelly Slaughter wrote in the notice announcing the agency would be investigating the new rule.

That document began with a stark warning about the way companies capture Americans’ data everywhere they go, citing how “when they buy groceries, do homework, or apply for car insurance, for example, consumers today likely give a wide range of personal information about themselves to companies, including their movements, prayers, friends, menstrual cycles, web-browsing, and faces, among other basic aspects of their lives.” 

Once the FTC issues its “notice of proposed rulemaking” it will hold a hearing inviting more public comment before formalizing the new rule.  Even with the FTC apparently moving forward, the effort could be upended if the new American Privacy Rights Act passes in Congress. That legislation, still in draft form for now, includes language saying that it would end an FTC rule on commercial surveillance. It is unclear if APRA will gain traction in Congress when it is formally introduced, much less be enacted.  

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941


[1] https://therecord.media/ftc-commercial-surveillance-regulations-data-security-privacy-minimization/