FPF Urges Federal Trade Commission to Craft Practical Privacy Rules
FPF Comments Regarding FTC ANPR Urge the Commission to Provide Individuals with Strong, Enforceable Rights and Companies with Greater Clarity about their Obligations under Section 5 of the FTC Act.
The Future of Privacy Forum filed comments regarding the Federal Trade Commission’s Advance Notice of Proposed Rulemaking, recommending that the Commission prioritize practical rules that clearly define individuals’ rights and companies’ responsibilities.
The Commission has spent decades enforcing prohibitions against unfair and deceptive data practices regarding a wide range of established and emerging technologies. Those privacy and security enforcement actions have been based on the FTC’s statutory authority, which provides flexibility to address consumer harms arising from novel technologies and business practices, but which does not articulate granular rights for consumers or requirements for businesses. Clear, practical rules can more specifically define what data practices the Commission considers unfair or deceptive. The current FTC rulemaking is an opportunity to provide individuals with strong, enforceable rights and companies with greater clarity about their obligations under Section 5 of the FTC Act.
FPF’s comments urge the Commission to:
- Codify its “common law” privacy and security norms. FTC enforcement actions are often viewed by practitioners as precedent or guidance. But settlements and consent decrees do not provide explicit, comprehensive rules that companies must follow and upon which consumers can rely. The Commission should codify key aspects of its deception and unfairness settlements while also incorporating lessons from FTC staff reports, workshops, privacy laws, self-regulatory regimes, and commercial best practices. Specifically, the FTC should:
  - require businesses to provide material, clear, and prominently accessible data use policies;
  - require businesses to implement reasonable security measures;
  - require businesses to comply with the representations they make about privacy and security, including self-regulatory commitments;
  - prohibit companies from circumventing individuals’ clearly expressed privacy preferences without clear, explicit, superseding consent from the individual; and
  - articulate the circumstances in which the FTC considers discriminatory algorithmic decision-making to be an unfair trade practice, the factors the Commission considers when weighing that determination, and the degree to which the Commission’s analysis relates to other anti-discrimination regimes.
- Go beyond its common law privacy and security norms to mitigate important privacy risks and establish increased clarity regarding companies’ responsibilities. When crafting these sorts of rules, the FTC should be guided by three principles:
  - data exists on a spectrum of identifiability, rather than in binary categories of “personal information” or “not personal information,” and privacy enhancing technologies can reduce the identifiability of data and otherwise mitigate risks;
  - standards for evaluating the fairness of “secondary uses” of data are needed to define the boundaries of what secondary uses are compatible, based on a careful evaluation of context, expectations, harms, and benefits of processing, including competition;
  - It is especially important to consider the harms that sensitive data use can create, the manner in which those harms impact marginalized communities, and the heightened protections that may be appropriate to mitigate those harms. At the same time, sensitive data is essential to a wide range of activities, including detecting and addressing disparate outcomes.
As a practical matter, the FTC acts as the primary U.S. privacy enforcement agency. Although FPF views a new, pragmatic, comprehensive federal privacy law as the ideal mechanism for grappling with complex technologies and data flows, clear and practical FTC rules defining unfair and deceptive practices would benefit individuals and businesses.