In an open forum on September 8th, 2022 the FTC had a two-panel discussion concerning commercial surveillance and inadequate data security. Chairman Lena Kahn noted in her opening remarks that there have been a few companies on their radar but believe there are widespread commercial surveillance practices necessitating a need for market-wide rules.
Overall, the forum was intense in nature from the perspective of the FTC, while receiving categorical support from the public. Heavy emphasis was placed on the disproportionate impact on certain marginalized groups with invasive advertising potentially fueling discrimination. The FTC reiterated that it has an obligation to act when they see harm from unlawful conduct, stopping just short of saying there is widespread unlawful conduct, but obviously there is a reasonable suspicion of such.
Interestingly, the National Retail Federation & Mozilla joined the panel, seemingly trying to garner industry involvement. META was on the agenda for the first panel but did not attend and gave no comment. Mozilla clearly sees privacy as an advantage for themselves and seems to embrace this, saying online privacy is a mess when it comes to the collection of data without consciousness or transparency. The NRF emphasized a consumer-centric approach to data privacy and joined sensible discussion about the difference between first-party data collection versus third-party usage that benefits the market-dominant companies.
The NRF also stressed that should have choices like past purchase history to make decisions, giving the consumer control. GDPR legitimate interest is a good guideline for this position. Retailers are inherently first parties and thus lower risk to consumers because they are accountable to consumers directly. Third parties are often unknown to consumers and pose a much higher risk. This leaves a lack the incentive to satisfy consumer needs since they have no accountability.
There was quite a bit of conversation around GPC. It seemed as if the NRF thought this would potentially create confusion for consumers, when in conflict with something they have opted in to like a loyalty program. Colorado regulations may try to address this, and they felt strongly that any specific choice should override the more generalized choice like GPC.
“Mozilla makes money on advertising, what we want to see is a shift away from behavioral advertising which links closer to commercial surveillance. Traditional forms of advertising can be viable models and force a shift to more friendly practices,” said Mozilla Chief Security Officer Marshall Erwin.
The second panel included Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald, an interesting choice as they are an established advocate. “Consumers have lost control of data that tracks them, and it is unclear where that data can be used. Those often impact disproportionately on marginalized users.” That underlined the very strong opening and critical nature of the second panel. “Tracking leads to consumer profiling and algorithmic decision-making, which in turn, violates individual privacy.” Fitzgerald went as far as to compare it to illegal practices. “The way that companies like Google use user data would be statutory violations if they were done by something like the US Post Service,” she stated.
Upturn, another advocate was very focused on the discriminatory practices. Upturn Executive Director Harlan Yu said, “calls attention to the impact of disadvantaged communities and marginalized groups and the use of tenant screening companies that contribute to displacement.” He used markedly strong language as well as saying the FTC needs to root out commercial ad practices that lead to discriminatory outcomes, especially where there are gaps in civil rights law.
Digital Innovation and Democracy Initiative was focused on the impact to individual privacy in sensitive situations. The Dobbs case outlines how vulnerable online activities can affect individual lives. Heatmaps could be used to track visitors to abortion clinics to their individual homes which puts consumers at risk. “Librarians finding information for a patron have long had a duty of confidentiality. But with Google, now information retrieval is a commercial transaction, even when users seek knowledge of sensitive issues like health conditions,” said DIDI leader Karen Kornbluh.
Joint Center for Political and Economic Studies not surprisingly focused on privacy implications in influencing elections. Ads for new houses can be steered toward whites or ads for the best jobs can be steered toward men. “Personal behavioral data is used to show users content for reasons they can’t see and don’t understand.” A lack of privacy can enable discrimination. “Data collection can be used to infer sensitive racial and ethnic data which (in Meta’s case) was used to allegedly create discriminatory advertising campaigns.”
Future of Privacy Forum Senior Director for U.S. Policy Stacey Gray, CIPP/US underscored most important is to urge moving forward with these rules rather than the exact specifics. It appeared that since the harms are so well documented, they wanted to focus on the practical requirements. “Consent and de-identification should both be relevant but not dispositive. FTC could help be defining standards for de-identification,” said Gray. She also pointed out that online activity inherently exposes sensitive information like health conditions, religion, sexual orientation, race, and other elements, with virtually no oversight to brokers of this extremely sensitive information. Gray notes that GDPR doesn’t require consent for all data collection; it has different lawful foundations, with consent being one, putting consent in the proper hands.
Summary of key discussions:
Public comments were all extremely supportive, urging the FTC to go as far as possible and asserting that they have the authority.
Heavy emphasis on the need for consumer choice.
All panelists asserted the very strong overall need for rulemaking beyond just technology as soon as possible.
While they expressed support for a legislative alternative like ADPPA, this demonstrates the FTC is serious about moving forward with privacy rulemaking, but keep in mind this is a long process that’s just beginning.