Overview
Whether they know it or not, most Americans today surrender their personal information to engage in the most basic aspects of modern life. When they buy groceries, do homework, or apply for car insurance, for example, consumers today likely give a wide range of personal information about themselves to companies, including their movements,1 prayers, 2 friends, 3 menstrual cycles,4 web-browsing, 5 and faces, 6 among other basic aspects of their lives.
Companies, meanwhile, develop and market products and services to collect and monetize this data. An elaborate and lucrative market for the collection, retention, aggregation, analysis, and onward disclosure of consumer data incentivizes many of the services and products on which people have come to rely. Businesses reportedly use this information to target services—namely, to set prices.
7 curate news feeds, 8 serve advertisements, 9 and conduct research on people’s behavior,10 among other things.
While, in theory, these personalization practices have the potential to benefit consumers, reports note that they have facilitated consumer harms that can be difficult if not impossible for any one person to avoid.
11. Some companies, moreover, reportedly claim to collect consumer data for one stated purpose but then also use it for other purposes.
12 Many such firms, for example, sell or otherwise monetize such information or compilations of it in their dealings with advertisers, data brokers, and other third parties.
13 These practices also appear to exist outside of the retail consumer setting. Some employers, for example, reportedly collect an assortment of worker data to evaluate productivity, among other reasons.
14—a practice that has become far more pervasive since the onset of the COVID-19 pandemic.
15 Many companies engage in these practices pursuant to the ostensible consent that they obtain from their consumers.
16 But, as networked devices and online services become essential to navigating daily life, consumers may have little choice but to accept the terms that firms offer.
17 Reports suggest that consumers have become resigned to the ways in which companies collect and monetize their information, largely because consumers have little to no actual control over what happens to their information once companies collect it.
18. In any event, the permissions that consumers give may not always be meaningful or informed. Studies have shown that most people do not generally understand the market for consumer data that operates beyond their monitors and displays.
19. Most consumers, for example, know little about the data brokers and third parties who collect and trade consumer data or build consumer profiles.
20. That can expose intimate details about their lives and, in the wrong hands, could expose unsuspecting people to future harm.
21. Many privacy notices that acknowledge such risks are reportedly not readable to the average consumer.
22. Many consumers do not have the time to review lengthy privacy notices for each of their devices, applications, websites, or services.
23. Let alone the periodic updates to them. If consumers do not have meaningful access to this information, they cannot make informed decisions about the costs and benefits of using different services.
24. This information asymmetry between companies and consumer runs even deeper. Companies can use the information that they collect to direct consumers’ online experiences in ways that are rarely apparent—and in ways that go well beyond merely providing the products or services for which consumers believe they sign up.
25. The Commission’s enforcement actions have targeted several pernicious dark pattern practices, including burying privacy settings behind multiple layers of the user interface.
26. And making misleading representations to “trick or trap” consumers into providing personal information.
27. In other instances, firms may misrepresent or fail to communicate clearly how they use and protect people’s data.
28. Given the reported scale and pervasiveness of such practices, individual consumer consent may be irrelevant.
The material harms of these commercial surveillance practices may be substantial, moreover, given that they may increase the risks of cyberattack by hackers, data thieves, and other bad actors. Companies’ lax data security practices may impose enormous financial and human costs. Fraud and identity theft cost both businesses and consumers billions of dollars, and consumer complaints are on the rise.
29. For some kinds of fraud, consumers have historically spent an average of 60 hours per victim trying to resolve the issue.
30. Even the nation’s critical infrastructure is at stake, as evidenced by the recent attacks on the largest fuel pipeline.
31. Meatpacking plants, 32 and water treatment facilities
33 in the United States.
Companies’ collection and use of data have significant consequences for consumers’ wallets, safety, and mental health.
Sophisticated digital advertising systems reportedly automate the targeting of fraudulent products and services to the most vulnerable consumers.
34. Stalking apps continue to endanger people.
35. Children and teenagers remain vulnerable to cyber bullying, cyberstalking, and the distribution of child sexual abuse material.
36. Peer-reviewed research has linked social media use with depression, anxiety, eating disorders, and suicidal ideation among kids and teens.
37. Finally, companies’ growing reliance on automated systems is creating new forms and mechanisms for discrimination based on statutorily protected categories.
38. Including in critical areas such as housing,
39. employment, 40. and healthcare.
41. For example, some employers’ automated systems have reportedly learned to prefer men over women.
42. Meanwhile, a recent investigation suggested that lenders’ use of educational attainment in credit underwriting might disadvantage students who attended historically Black colleges and universities.
43. And the Department of Justice recently settled its first case challenging algorithmic discrimination under the Fair Housing Act for a social media advertising delivery system that unlawfully discriminated based on protected categories.
44. Critically, these kinds of disparate outcomes may arise even when automated systems consider only unprotected consumer traits.
45. The Commission is issuing this ANPR pursuant to Section 18 of the Federal Trade Commission Act (“FTC Act”) and the Commission’s Rules of Practice.
46. Because recent Commission actions, news reporting, and public research suggest that harmful commercial surveillance and lax data security practices may be prevalent and increasingly unavoidable.
47. These developments suggest that trade regulation rules reflecting these current realities may be needed to ensure Americans are protected from unfair or deceptive acts or practices.
New rules could also foster a greater sense of predictability for companies and consumers and minimize the uncertainty that case-by-case enforcement may engender.
Countries around the world and states across the nation have been alert to these concerns. Many accordingly have enacted laws and regulations that impose restrictions on companies’ collection, use, analysis, retention, transfer, sharing, and sale or other monetization of consumer data.
In recognition of the complexity and opacity of commercial surveillance practices today, such laws have reduced the emphasis on providing notice and obtaining consent and have instead stressed additional privacy “defaults” as well as increased accountability for businesses and restrictions on certain practices.
For example, European Union (“EU”) member countries enforce the EU’s General Data Protection Regulation (“GDPR”), 48 which, among other things, limits the processing of personal data to six lawful bases and provides consumers with certain rights to access, delete, correct, and port such data.
49.Canada’s Personal Information Protection and Electronic Documents Act and
50. Brazil’s General Law for the Protection of Personal Data contain some similar rights.
51. Laws in California, 52. Virginia, 53. Colorado, 54. Utah, 55. and Connecticut, 56. moreover, include some comparable rights, and numerous state legislatures are considering similar laws. Alabama, 57. Colorado,58. and Illinois, 59. meanwhile, have enacted laws related to the development and use of artificial intelligence.
Other states, including Illinois, 60. Texas, 61. and Washington, 62. have enacted laws governing the use of biometric data.
All fifty U.S. states have laws that require businesses to notify consumers of certain breaches of consumers’ data.
63. And numerous states require businesses to take reasonable steps to secure consumers’ data.
64. Through this ANPR, the Commission is beginning to consider the potential need for rules and requirements regarding commercial surveillance and lax data security practices.
Section 18 of the FTC Act authorizes the Commission to promulgate, modify, and repeal trade regulation rules that define with specificity acts or practices that are unfair or deceptive in or affecting commerce within the meaning of Section 5(a)(1) of the FTC Act.65 Through this ANPR, the Commission aims to generate a public record about prevalent commercial surveillance practices or lax data security practices that are unfair or deceptive, as well as about efficient, effective, and adaptive regulatory responses.
These comments will help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers, even if the Commission does not ultimately promulgate new trade regulation rules.
66. The term “data security” in this ANPR refers to breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.
For the purposes of this ANPR, “commercial surveillance” refers to the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.
These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app. This latter category is far broader than the first.
The term “consumer” as used in this ANPR includes businesses and workers, not just individuals who buy or exchange data for retail goods and services. This approach is consistent with the Commission’s longstanding practice of bringing enforcement actions against firms that harm companies.
67. as well as workers of all kinds.
68. The FTC has frequently used Section 5 of the FTC Act to protect small businesses or individuals in contexts involving their employment or independent contractor status.