The Commission expressed concern that companies are collecting vast troves of sensitive user data, which they fail to safeguard adequately. Many companies track various aspects of their customers’ lives online—often without their knowledge—and sell this data for a profit. To address this widespread and potentially unlawful practice, the FTC is inviting comments from the public. This process, officially called an Advanced Notice of Proposed Rulemaking (ANPRM), signals an intent to make regulatory changes. The FTC is seeking the public’s input on the harmful effects of commercial surveillance before it begins its research. These comments will help the FTC decide if it needs to make new rules to counter the problem. The Commission will host a virtual public forum on Thursday, September 8, and members of the public who wish to contribute will have the chance to do so.
What Is Commercial Surveillance?
Commercial surveillance refers to the use of products and services to track and surveil customers online. Companies collect large volumes of customer data using various techniques, including secret surveillance practices, which involve actively tracking their online activities. They track everything users do online, including their shopping history, location, and the people in their social circle. To coerce users to agree to such invasive data collection practices, companies often make it part of the conditions of their service, the Commission noted. In some cases, users are charged a premium for choosing to opt-out. According to the FTC, companies are driven to engage in this practice by the lure of making a profit. Besides being unethical, such invasive surveillance also put users at risk as some companies fail to implement proper data security practices. “Mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses,” the FTC explained in a press release.
Concerns About Data Security Practices
The FTC also questioned the algorithms and automated systems companies use to analyze the data they collect. “While very little is known about the automated systems that analyze data companies collect, research suggests that these algorithms are prone to errors, bias, and inaccuracy,” the FTC said. The Commission stated that some companies do not sufficiently invest in protecting customer information from hackers and other cybercriminals. They do not employ encryption techniques and other mitigatory measures. There are also concerns about the potential effects of commercial surveillance practices on children. “There is a growing body of evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms,” the Commission explained.
Need for Clear Rules on Privacy and Data Security Requirements
Last year, the FTC warned that health apps that fail to comply with the Health Breach Notification Rule will be subjected to a fine of nearly $44,000. In its latest press release, the FTC said the FCT Act “may not have enough power to protect consumers” from commercial surveillance. This is because it does not give the Commission the authority to fine companies for “initial violations of the FCT Act.” If the rules clearly define the privacy and data security obligations of companies, the Commission would have the power to curtail such harmful practices. However, it remains to be seen how the public consultation process unfolds. “Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” FTC Chair Lina M. Khan said. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like,” Khan added.