The FTC wraps up public comments on consumer-surveillance proposal

The Federal Trade Commission has officially closed comments on a proposal that could lead to regulations of the ways companies collect, sell, and use data.

Rewind: In August, the agency announced that it was “exploring rules to crack down on harmful commercial surveillance and lax data security.” To start, it sought comments from experts, trade organizations, and the public to help determine whether new privacy regulations are needed and what that should look like.

Specifically, it posed roughly 95 questions, which ranged from, “To what extent do commercial surveillance practices or lax security measures harm consumers?” to “Could new rules help ensure that firms’ automated decision-making practices better protect non-English speaking communities from fraud and abusive data practices?”

Answers to those questions as well as general comments sent in response will help guide the commission’s decision-making. More than 11,000 comments were received.

• Under Chair Lina Khan, the FTC (and state-level regulators) have been on a tear, scrutinizing the mechanisms that make up the digital advertising industry. In addition to raising concerns about “harmful commercial surveillance,” the commission has also recently sued a data broker over the selling of location data that it said could be used to “trace the movements of individuals to and from sensitive locations” and warned companies about the use of misleading data claims.
• Federal privacy legislation proposes the creation of a Bureau of Privacy, which would be a part of the FTC, though that bill hasn’t passed.

The comment period closed before Thanksgiving, because even regulators need to make sure they don’t overcook their turkey. Here’s a roundup of some comments Marketing Brew found notable:

• Eric Seufert, mobile marketing analyst and author of the blog Mobile Dev Memo, wrote that while personalized advertising can be beneficial to consumers, “certain corners of the digital advertising marketplace exist as Mad Max-esque free-for-all scrambles for consumer data.” Still, he wrote that he does not think that “the ads-personalization baby must be thrown out with the data-abuse bathwater.”
• Digital advertising researcher and assistant marketing professor at Boston University’s Questrom School of Business, Garrett Johnson, wrote that though cross-site data sharing “creates significant value for advertisers by improving targeting, measurement, and optimization,” it “generates both harms and benefits for consumers.” He wrote that “the FTC’s new direction is…increasingly out-of-step with industry practices,” noting that the “online display industry is rebuilding itself using privacy-enhancing technologies to both protect consumer privacy and continue to generate this value.”
• The Interactive Advertising Bureau wrote that the commission’s proposal indicates that it  “intends to engage in rulemaking substantively outside the scope” of its authority and that privacy regulation should “start with Congress—not the FTC.”
• The California Privacy Protection Agency also wrote in, applauding the FTC for seeking comment. “This important work is sorely needed,” the agency said, adding that "it is important that consumers have tools to appropriately protect their privacy."
• Senator Kirsten Gillibrand encouraged the FTC to consider provisions laid out in her own proposed privacy legislation, the Data Protection Act of 2021, which would create an independent federal agency focused solely on protecting consumer privacy and data. “The lack of regulation has allowed for tech companies to run the industry how they want, with little regard for their users, especially regarding user privacy,” she wrote.
• Rhonda Berger, who filed a comment unaffiliated with an organization, cut to the chase in a three-word comment: “PROTECT MY PRIVACY!”
• The nonprofit research group Electronic Privacy Information Center (EPIC) filed a 230-page tome titled “Disrupting Data Abuse,” which called for the FTC to create a number of rules, including a “data minimization rule” that would ensure companies only collect data they absolutely need to run their business.“These out-of-context secondary uses of data—including its sale to and use by data brokers, surveillance advertising firms, and other entities trafficking in consumer profiles—and the overcollection that feeds them are inconsistent with the reasonable expectations of online consumers,” EPIC wrote.

Finally, nonprofit the Future of Privacy Forum urged the FTC to codify what it called “its ‘common law’ privacy and security norms” and provide clarity on specific rules and regulations businesses should follow, rather than relying on a history of prior enforcement actions.

“Clear and explicit rules can make compliance easier for businesses. And it also helps make sure that consumers are aware of their rights,” explained John Verdi, SVP of policy at the Future of Privacy Forum.