The Federal Trade Commission’s effort to crack down on online commercial surveillance tools is likely to face legal headwinds, privacy analysts say.
The agency this month launched an advanced notice of proposed rulemaking posing 95 questions centered on data collection, data use, algorithms, targeted advertising and young peoples’ use of technology, among other areas. According to the FTC, “Mass surveillance has heightened the risks and stakes of errors, deception, manipulation and other abuses,” meaning that new rules may be needed to protect people’s privacy online.
The move comes as Congress remains stalled on a blanket federal privacy law, and it follows a recent U.S. Supreme Court ruling in which the majority indicated support for a legal doctrine that requires agencies to have clear statutory authority from Congress to impose regulations on issues of major national significance. Taken together, privacy experts said, the risk of legal challenges to the FTC’s commercial surveillance rulemaking is high unless Congress passes legislation granting it express regulatory authority over the matter.
“A rulemaking with as profound an impact as this may have is likely to see a challenge given that it’s a major question and subject to Congressional authority,” said Will Duffield, a speech and internet governance analyst at the Cato Institute, a libertarian think tank in Washington, D.C.
The rulemaking is in an early stage of the regulatory process. Consumers and stakeholders will have 60 days to submit comments following its publication in the federal register, expected Aug. 22. Following the initial comment period, the FTC must notify Congress if it intends to move forward before publishing a notice of proposed rulemaking. That second published notice would be followed by another comment period and hearings with stakeholders in tech and privacy, after which the commission would make amendments to the rule, publish a finalized version and begin enforcement.
Tatiana Rice, policy counsel at the Future of Privacy Forum, said the topics posed in the initial slate of questions, alongside responses the commission expects to get in the coming months, will help set the FTC’s agenda on the issue. The Future of Privacy Forum is a think tank and advocacy group focused on developing best practices and policies on privacy protections.
An FTC spokesperson said in an email to S&P Global Market Intelligence that the commission is not proposing specific rules at this point. The spokesperson said Chairwoman Lina Khan and other commissioners who supported the effort are hopeful for federal privacy legislation, and they could not provide a timeline for the rulemaking process. “This is the first step in the process, and we can’t predict how long it will take,” the spokesperson said.
Republican FTC commissioners Christine Wilson and Noah Phillips, who opposed the rulemaking, would prefer to see the bipartisan and bicameral American Data Privacy and Protection Act become law before moving forward. That bill, which is waiting for a vote in the House and Senate, would grant the FTC the authority to craft privacy rules and create new protections. Specifically, the bill calls for regulations that block discriminatory use of Americans’ data and requires platforms such as Google LLC and Meta Platforms Inc. to minimize the amount of user data collected for their products and services to function. It also grants users the ability to opt out of targeted advertising and furthers data protections for children and minors.
Even those who support the FTC’s authority to initiate and enforce preemptive rules for privacy and security note the likely legal challenges.
Jesse Lehrich, co-founder of Accountable Tech, which advocates for strengthened oversight of Big Tech companies, said while the FTC has the right to promulgate rules that fulfill their obligation to protect consumers through their privacy rulemaking, he would not be surprised at future challenges to the rulemaking.
The FTC is likely to keep the recent Supreme Court ruling in mind when creating a final order, said the Future of Privacy Forum’s Rice.
At this early stage, the rulemaking’s likely impact on tech giant companies remains unclear. The FTC could, for instance, opt to prioritize data collection or security, where the agency has more clear-cut authority, said Cato’s Duffield.
The Cato analyst said concerns about the way tech companies respond to consumers in the event of a data breach should lead to stricter notice requirements, but in the meantime, “it’s very hard to tell which direction [the FTC] might go.”
Others view the introductory rulemaking as a collaboration opportunity between the tech sector and regulators. Shane Tews, a nonresident senior fellow at the American Enterprise Institute focusing on privacy, said tech giants’ work in security and user authentication technologies can help the FTC craft modern privacy policies.
“[Collaboration] very much could be a problem-solving entity to a lot of the questions around privacy. You can’t have privacy without security,” Tews said in an interview.
Ultimately, the protective measures outlined by the FTC’s initial rulemaking efforts are contingent on tech companies being forthcoming about their data collection practices, said Lehrich from Accountable Tech.
“Facebook, Google and Amazon[.com Inc.] effectively control the entire digital advertising ecosystem,” Lehrich said. “There’s certainly not a lot of transparency about how they’re using data or setting prices and auctions for ads.”
A Microsoft Corp. spokesperson declined to comment. Meta, Alphabet Inc., Apple Inc. and TikTok Inc. did not respond to requests for comment.