The Backup Plan: FTC Publishes Advance Notice of Proposed Rulemaking for Consumer Data Privacy

The Federal Trade Commission has issued an Advance Notice of Proposed Rulemaking on the topic of consumer data privacy. The ANPR announces the FTC's intent to pass regulations protecting consumer data and to collect information and public comments on the topic.

What Is An ANPR? Is It A Regulation?

The ANPR is not a regulation and has no legal weight on its own.

First, a brief introduction to how the American government creates regulations. In the method the FTC is using, the agency issues an Advanced Notice of Proposed Rule making in the Federal Register, the publication that records all regulatory updates. The ANPR is a statement that the agency intends to investigate a given topic to determine if and how it needs regulating. It also includes what methods of regulation the agency is considering. This is followed by a period of public comment where citizens and stakeholders can provide input and suggestions.

After researching the topic, taking public comments, and notifying Congress of the intent to move forward, the agency will issue a Notice of Proposed Rule making. Unlike an ANPR, which is a general statement of intent, the NPR includes an actual first draft of the rule's text along with an explanation of why the regulation is needed. After another public comment period and informal hearings for interested parties, the agency will develop and publish the final text of the rule.

What Is In This ANPR?

The ANPR, titled "Commercial Surveillance and Data Security," lays out the FTC's plans for what topics in the field of consumer data it will investigate and get public comment on, in order to determine how and what to regulate. The ANPR filing states that the FTC intends to consider trade regulations on commercial surveillance, which it defines as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information." This includes data actively provided by customers, as well as information collected from a customer's web activity.

The FTC says that it is proposing a rulemaking because recent news reports and research indicate the need for increased protection of consumer data. “Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record ... to address commercial surveillance and data security practices and what those rules should potentially look like.” The FTC is also concerned about the power disparity between data collectors and consumers. Consumers may not want to consent to data collection to use an online service, but have no other viable alternatives. They may not even be aware of the data economy that collects and sells their personal information.

The FTC's research into the topic will examine other fields, like "algorithms, ad-delivery, demographic data, engagement, and the ecosystem’s effects on kids and teens," according to FTC commissioner Rebecca Kelly Slaughter. While these topics are not directly connected to how data is collected, they play a major role in how and why data is processed, and are significant potential subjects of regulation.

The ANPR asks almost a hundred questions about consumer data privacy, to be answered by FTC research and public comment. These questions are grouped into four main topics:

• To what extent do commercial surveillance practices or lax security measures harm consumers?
• To what extent do commercial surveillance practices or lax security measures harm children, including teenagers?
• How should the Commission balance costs and benefits (of regulating certain surveillance practices)?
• How, if at all, should the Commission regulate harmful commercial surveillance or data security practices that are prevalent?

What Does This Mean for Consumer Privacy?

As of now, nothing. The ANPR is only a statement of intent to consider passing regulations; it contains nothing enforceable. The public comment submission is not open yet at time of writing, but the FTC will start seeking feedback once the ANPR is officially published. The ANPR's true impact has less to do with the text itself than with the message it sends.

All members of the FTC, both those who voted for and against the Notice, wrote in their opinions that the ideal solution for consumer data privacy protection would be for Congress to pass the American Data Privacy and Protection Act (ADPPA). Passing a law would be quicker and provide more authority than any regulation the FTC could pass without the ADPPA in place. The law is close to being voted on, but still being discussed in committee, particularly its controversial state preemption section. By issuing this ANPR on data privacy, the FTC is signalling that Congress needs to take action and pass the ADPPA--and the FTC will act if Congress drags its feet.

This is mostly a symbolic gesture, since the rule making process is long enough that the ADPPA could pass before significant progress is made on the proposed rule. The research that the FTC will do as part of the rule making process will also be part of the public record, and will thus inform Congress of the urgent need for privacy protection. The FTC has made clear that if the ADPPA passes, it will drop this rule making process to work on fulfilling its duties under the federal law. If Congress fails to work out the disputes holding up the bill, however, the final rules produced from this ANPR could be a decent fallback to provide some level of consumer data protection.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to aid companies with data discovery and automated compliance with GDPR (EU), CCPA/CPRA (California), COPPA, ADPPA and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/ and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.