A Quick Take on the FTC’s Privacy and Security Rulemaking

Jim Dempsey
Friday, August 12, 2022, 1:24 PM

What is the FTC's Advance Notice of Proposed Rulemaking on commercial surveillance and data security, and what issues does it raise?

Federal Trade Commission building (Kurt Kaiser, https://commons.wikimedia.org/wiki/File:Federal_Trade_Commission_Building_2.jpg; CC0 1.0, https://creativecommons.org/publicdomain/zero/1.0/deed.en).

Published by The Lawfare Institute
in Cooperation With
Brookings

On Aug. 11, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPRM) on commercial surveillance and data security. The notice kicks off what could be a lengthy process to develop one or more of what the FTC calls trade regulation rules. Public comments on this first phase of the rulemaking will be due in mid-October.

The ANPRM does not contain any proposed regulatory language. That would come in a subsequent Notice of Proposed Rulemaking. Instead, the ANPRM invites public comment on three broad themes: (a) the nature and prevalence of harmful commercial surveillance and lax data security practices, (b) the balance of costs and countervailing benefits of such practices for consumers and competition, as well as the costs and benefits of any given potential trade regulation rule, and (c) proposals for protecting consumers from harmful and prevalent commercial surveillance and lax data security practices. 

Within this framework, the notice poses 95 numbered questions, some with several subparts. Many relate to privacy, which I leave to others to comment on. Six relate specifically to data security, defined in the notice as breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices. Among the issues raised:

  • Should new rules require businesses to implement administrative, technical, and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality, or integrity of covered data? 
  • If so, how granular should such measures be? 
  • Do the data security requirements under the Children's Online Privacy Protection Act or the Gramm-Leach-Bliley Act's Safeguards Rule offer any constructive guidance for a more general trade regulation rule on data security across sectors?
  • To what extent, if at all, should the commission require firms to certify that their data practices meet clear security standards? If so, who should set those standards, the FTC or a third-party entity?

In addition to these, the last two sets of questions in the ANPRM focus on remedies and obsolescence. They are framed with specific reference to commercial surveillance, but they are equally applicable to data security. I hope that commenters to the FTC discuss what remedies should be available in cybersecurity cases (for example, whether an enforcement order can require cybersecurity measures that go beyond the specific practices required under a rule) and how a cybersecurity rule can keep up to date with rapid changes in both threats and defenses.

Under Section 18(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 57a(a)(1), the commission may prescribe "rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce." As the notice indicates, the commission faces two substantive limits in adopting rules. First, it must have reason to believe that the unfair or deceptive acts or practices that are the subject of the proposed rulemaking are prevalent. Second, the commission may not declare any act or practice unfair unless the act or practice (i) causes or is likely to cause substantial injury to consumers, (ii) which is not reasonably avoidable by consumers themselves, and (iii) which is not outweighed by countervailing benefits to consumers or to competition.

For decades, the unique rulemaking procedures Congress imposed on the FTC had been presumed inside and outside the commission to be so cumbersome as to be impossible to use. However, in 2020, Commissioner Rebecca Kelly Slaughter began arguing that the real impediments to effective rulemaking came not from the statute but from self-imposed requirements. In July 2021, under its new chair, Lina Khan, the FTC voted to streamline its rulemaking procedures, essentially adopting Commissioner Slaughter’s vision. The May 11, 2022, confirmation of Alvaro Bedoya as the FTC’s third Democratic commissioner allowed the 3-2 vote to approve the ANPRM.

As the ANPRM notes, a trade regulation rule could provide much more clarity and predictability than the FTC's case-by-case enforcement of cybersecurity. But it will not be easy. Currently, FTC data security cases consist of complaints with long lists of failings by the respondent company that the commission alleges are unfair and deceptive, with no indication of the threshold that tipped the respondent's practices into the realm of unreasonable and thus unlawful, and settlements with long lists of security measures that the respondent agrees to, with no ruling by the agency that each and every practice is necessary in order to be reasonable and therefore lawful. The same challenge will confront the FTC in rulemaking: No matter how long the list of security measures the FTC requires, it may still argue that the lack of another unlisted security measure rendered an entity's practices unreasonable and thus unlawful. At the end of the day, any rule will have to include some kind of balancing test that allows consideration of the totality of the circumstances on a case-by-case basis.

There is one huge caveat to the launch of this rulemaking process: The Supreme Court’s June 30 ruling in West Virginia v. EPA may have cast doubt on the authority of the FTC to issue rules on privacy or data security at all. In the EPA case, the Court indicated that, “in certain extraordinary cases,” regulatory agencies could not issue rules on “major questions” affecting “a significant portion of the American economy” without “clear congressional authorization.” With respect to data security, the FTC has such express authorization for financial institutions under its jurisdiction and for online services collecting data on children, but it has none for the rest of the economy. So down the road there is likely to be a Supreme Court case on whether the word “unfair” is sufficient to support this momentous undertaking. All of that would be solved by a one-sentence amendment to the Federal Trade Commission Act, which would be a logical but improbable alternative to the looming failure of the privacy bill moving through the House of Representatives.


Jim Dempsey is a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center. From 2012-2017, he served as a part-time member of the Privacy and Civil Liberties Oversight Board. He is the author of Cybersecurity Law Fundamentals (IAPP, 2021).