The FTC Is Looking To Fill The Void Of Federal Data Protections: Federal Regulations May Precede Federal Legislation
Co-Authored By: Stacey Shadden and Micah Carlson (Graduate Clerk)
On August 11th, 2022, the U.S. Federal Trade Commission (FTC) voted 3-2 to publish a notice in the Federal Register that the FTC is beginning to consider adopting expansive federal cybersecurity regulations. This Advance Notice of Proposed Rulemaking (ANPR) serves as a message to the public that the FTC is considering adopting regulations and is requesting public comments on the appropriate scope and substance of any potential regulations. The FTC is making this move despite the fact that Congress has begun inching towards passing a legislative package that would provide comprehensive federal guidance on privacy and cybersecurity to consumers and businesses.
Following the impending publication of the ANPR in the Federal Register, the public will be granted a 60-day time period for submitting comments. Additionally, the FTC is planning to host a virtual public forum on the issue on September 8th, 2022. Although it is early in the rule-making process, here are the top things to know as the FTC prepares to consider public comments:
Consumer Harms
In the ANPR, the FTC requests public comments on the types of harms that consumers have experienced in the absence of comprehensive federal data protections. Specifically, the FTC appears to be particularly concerned about harms experienced by children, with the FTC’s press release stating that “[t]here is a growing body of evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms.” The types of harms experienced by consumers may influence the final version of any potential regulations.
Standardized Data Practices
The FTC also requests public comments on whether businesses should be subject to standardized cybersecurity requirements. In requesting such comments, the FTC also asks whether such standardized requirements should be based upon already-existing federal legislation such as the Children’s Online Privacy Protection Act (COPPA) or the Gramm-Leach-Bliley Act. Consequently, it is possible that any standardized cybersecurity requirements could be familiar to many American businesses. However, the FTC also recognizes that rules can often become obsolete as technological advancements are made and consumer expectations shift. Thus, any rule could be subject to future revocation or modification.
The Role of Consent
The ANPR also requests public comments on what role consumer consent should play in any potential regulations. For example, the FTC asks how consent should be defined and if there should be any types of actions where consumer consent would provide inadequate legal justification for performing such actions.
Automated Decision-making Systems
The FTC seems to be particularly concerned about the implications of automated decision-making being performed by algorithmic calculations. Specifically, the FTC requests input on whether algorithmic errors should be acceptable and how harms experienced due to algorithmic errors and biases should be remedied. For businesses that currently or will rely upon artificial intelligence or algorithms to automate their decision-making, any regulation could force a shift in business strategy.
Congressional Action
The FTC’s recent actions have not been received entirely without controversy. The dissenting commissioners have asserted that the FTC should exercise forbearance in the realm of data protections, as Congress appears to have made genuine strides towards passing a comprehensive package on data protections. At the same time, other commissioners at the FTC have asserted that the FTC’s rule-making powers will be used to complement any legislation, and the FTC will be careful to not advance regulations that overlap with any passed legislation. Regardless, any movement by Congress in the realm of data protections may influence any final version of the regulations adopted by the FTC.
McGrath North’s Privacy and Cybersecurity team is experienced in aiding with businesses achieve and maintain regulatory compliance. Reach out to our team today to prepare for the ever-changing landscape in data privacy protections.
Related Attorneys
