By Rory Sweeney
On November 21, 2022, California Attorney General Rob Bonta submitted a comment to the Federal Trade Commission (FTC) in its Advance notice of Proposed Rulemaking on Commercial Surveillance and Data Security. The comment urges the FTC to promulgate a broad set of consumer protection regulations against commercial surveillance and data security practices that harm consumers. Specifically, Bonta requested the FTC to expand its definition of unfair and deceptive acts and practices to include seven key areas related to data privacy:
- Protecting consumers by requiring businesses to implement data minimization and use limitation principles;
- Establishing clear guardrails to protect particularly sensitive personal information, such as precise geolocation and biometric information;
- Providing consumers with a right to opt-out of the sale of their personal information by data brokers;
- Prohibiting businesses and operators of third-party online trackers from tracking or selling data from users that have enabled privacy controls, like the Global Privacy Control (GPC);
- Requiring online services and products that are likely to be accessed by children to have a more stringent age verification process;
- Requiring businesses that collect or maintain health information from consumers, but are exempt from federal HIPAA, to have reasonable security; and
- Protecting vulnerable patients from algorithmic decision-making tools in the healthcare and insurance industry that perpetuate unfair discrimination.
The comment seeks to support the FTC’s use of its rulemaking authority to bolster consumer protection through raising the “floor of privacy protections, while preserving the demonstrated ability of the states to innovate and respond to evolving technologies in the protection of consumer privacy.” Both important aims, but the latter is especially so given the rapid change of technology and the lag of federal legislation relative to that of the states.
If the FTC adopts any of Bonta’s recommendations it would essentially be harmonizing federal law with the consumer rights and business obligations found under the California Consumer Privacy Act (CCPA). This may strengthen the argument against a future federal privacy law aimed at preempting state privacy laws, which the now defunct American Data Privacy and Protection Act (ADPPA) would have accomplished.
Also, Bonta’s behest appears to be well-timed and targeted. FTC Chairperson, Lina Kahn, has repeatedly stated regulation of “commercial surveillance” is a top priority for the agency (commercial surveillance is a novel term, but generally concerned with how businesses collect, use, share and retain consumer personal information, a privacy-oriented concept). Additionally, expanding the definition of unfair or deceptive acts and practices to include CCPA rights and obligations affords another means for Kahn to pursue her operational goal of having the FTC, “move away from seeing [its] work in consumer protection and competition as siloes, and instead apply an integrated approach to cases, rules, research, and other policy tools.”
Looking forward, Expanding the FTC’s definition of unfair or deceptive acts and practices is a creative way to provide gap-filler consumer protections in lieu of a federal privacy law which is likely years away. I believe the FTC will adopt some of Bonta’s recommendations as well as those from other Attorneys General. Doing so should lessen the impediment Congressional deadlock has had on the much needed evolution of US privacy law.