On August 22, 2022, the Federal Trade Commission (“FTC”) published an advance notice of proposed rulemaking (“ANPR”) on commercial surveillance and data security practices and requested public comment on regulating the ways that companies can “collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”
What is the current FTC approach to data security and how will it change?
Currently, the FTC regulates data security on a case-by-case basis. While this has worked in the past, the growing digitization of the economy and the FTC’s limited resources make it challenging to investigate and act upon data security and commercial surveillance practices. A uniform rule would provide more clarity and predictability about Section 5 of the FTC Act, the current authority on data security.
The FTC will hold a virtual, public forum on September 8, 2022, to discuss the proposed rule in greater detail. Through public comments and the public forum, the FTC is seeking to gather information about improving current data security practices. The purpose of this ANPR is to improve the FTC’s enforcement work on current regulations and inform policymakers about the need for reform, even if the FTC ultimately chooses not to promulgate a new rule.
Proposed discussion topics of interest to firms include how the FTC should regulate commercial surveillance and data security practices, how it should regulate automated decision-making systems, and consumer consent, notice and disclosure requirements for companies.
What does this ANPR mean for me and my firm?
Building a comprehensive cyber and data security program takes time. Programs must evolve to keep up with new cyber threats. In addition to reviewing and commenting on the proposed rule, firms should consider taking steps to increase cybersecurity and privacy to comply with current industry best practices. Firms that are already complying with industry best practices are better positioned to comply with any new FTC regulations on data security. To prepare for any proposed rulemaking on data security, firms should focus on developing and implementing a cyber and data security program that includes thorough documentation, including access management, and cybersecurity testing and review.