Who is monetizing your online presence? Commercial surveillance and the FTC’s new rulesAugust 15, 2022

The Federal Trade Commission just posted notice of its intent to increase federal regulations regarding commercial surveillance, data security and privacy. The FTC defines commercial surveillance as “the business of collecting, analyzing, and profiting from information about people.”

Currently, the FTC’s ability to deter unlawful conduct is limited because the agency generally lacks authority to seek financial penalties for initial violations of the FTC Act. While many states have or are currently adopting their own regulations regarding data security, new rules at the federal level that establish clear privacy and data security requirements, and provide the authority for the FTC to seek financial penalties for first-time violations, could incentivize companies to develop and implement consistently compliant practices.

The FTC is concerned that companies collect large amounts of consumer information, only a small fraction of which is proactively shared by consumers. Companies currently track personal details including family and friend networks, browsing and purchase histories, location and physical movements and also are able to collect additional data via purchase from data brokers.

The FTC is seeking comments from the public on a wide range of concerns about commercial surveillance practices. “Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like”, said FTC Chair Lina M. Khan.

Questions the FTC is considering during this proposed rule making process include:

• Do the data security requirements under the Children’s Online Protection Privacy Rule (COPPA) or the GLBA Safeguards Rule offer any constructive guidance for a more general trade regulation rule on data security across sectors or in other specific sectors?
• Should the Commission take into account other laws at the state and federal level (e.g., COPPA) that already include data security requirements. If so, how? Should the Commission take into account other governments’ requirements as to data security (e.g., GDPR). If so, how?

The public will also have an opportunity to share their input on these topics during a virtual public forum on September 8, 2022. Whether you are a consumer or a company that has developed/is developing a business model around the use of collected data, providing feedback and participating in the public forum are key first steps in shaping and monitoring the development of additional federal rules.

Cassie J. Edgar, Patent Attorney and Chair of the Regulatory Law practice group, advises clients in intellectual property, regulatory law, crisis management, compliance, stewardship, lobbying, and matters with USDA, FDA, EPA, and FTC. Cassie is also Co-Chair of the Data Privacy and Cybersecurity practice group. For additional information, please visit MVS or contact Cassie directly via email at cassie.edgar@ipmvs.com.