From the outset of its lengthy rulemaking process, the U.S. Federal Trade Commission has been clear about the endeavor's multiple overlapping goals. In addition to crafting eventual rules on data security or commercial surveillance, the FTC seeks to establish a robust public record of comments from a wide variety of stakeholders. Such a record may well help to inform policymaking and enforcement activities, even beyond the four walls of the commission. It can also provide businesses with important signals about the evolution of best practices in the modern privacy landscape.

With the close of the first comment period in response to the first step of the process — the Advance Notice of Proposed Rulemaking — it is clear such a record has been established. As privacy professionals and policy wonks, whether or not we’ve spent the past months drafting our own comments in response to the FTC’s 95 questions, we now have the distinct privilege of sifting through 11,000 plus public comments and coming to a better understanding of the state of privacy thinking in the United States. Well, maybe you don’t need to do this, but I probably should.

Even limited to substantive comments, digesting this amount of information is a massive undertaking. So, I hope you’ll forgive me if I pick a few themes and high points to bring to your attention. For today, why not start at the top?

A bipartisan assortment of 33 attorneys general filed an intriguing joint comment to the FTC highlighting their concerns “about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.”

The letter explicitly urges the FTC to consider promulgating a trade regulation rule on data minimization, with reference to “the approach taken in the California, Colorado, Connecticut, Utah and Virginia consumer privacy laws.” Citing these existing statutes, as well as EU General Data Protection Regulation Article 5, the attorneys general argue crafting a national standard with reference to existing frameworks “could extend the protections enjoyed by a few states’ citizens to all Americans, and also ensure that businesses will be operationalizing known concepts.”

How would a data minimization rule work in practice? Well:

“Determining whether the collection, use, sharing, or retention of particular data is ‘reasonably necessary’ or ‘reasonably necessary and proportionate,’ will require a fact-specific inquiry, but the Commission could offer guidance to businesses through its prior orders and in the rule itself. The draft regulations proposed by the California Privacy Protection Agency provide one reference point for this type of guidance. Those regulations, as modified following the public comment period, set forth factors for determining what qualifies as ‘reasonably necessary and proportionate’ and further provide examples of what constitutes a consumer’s ‘reasonable expectations’ with respect to the processing of their personal information. Colorado’s draft regulations concerning the secondary use of personal information similarly set forth a list of factors to consider when determining whether processing is ‘reasonably necessary to or compatible with’ a specified purpose. The Attorneys General urge the Commission to study and potentially include illustrative examples of compatible and incompatible data practices.”

In another section of the letter, the attorneys general point to a grab-bag of state laws highlighting the sensitivity of three categories of personal information: location data, biometrics and “healthcare-adjacent data.” Though they do not spell it out, this seems crafted to encourage the FTC to expand the categories of personal information it treats as sensitive. In one-off enforcement actions, the FTC historically looked to federal laws to determine categories of personal data deserving heightened safeguards, such as data about children, financial information and even video viewing data. The attorneys general seem to suggest state laws should also play a role in this analysis. If an eventual FTC rule seeks to codify the understanding of sensitive data types — and the enhanced privacy treatment they are due — perhaps the agency will indeed look to state laws for guidance.

Notably, California Attorney General Rob Bonta did not sign the joint filing. But Bonta’s office did file a separate Advance Notice of Proposed Rulemaking comment that generally agrees with the other attorneys general on the issues of data minimization and sensitive data, while also supporting additional trade regulation rules on issues like children’s safety and universal opt-out mechanisms. Bonta even goes so far as to propose the final rule text that he believes the FTC should adopt:

“A business has committed an unfair or deceptive act or practice if it collects, uses, or retains personal information in a way that is not reasonably necessary and proportionate to the purposes for which the personal information was initially collected or processed. A business shall obtain explicit, informed consent before collecting or using personal information for any purpose that is unrelated or incompatible with the purpose(s) for which the personal information was initially collected or processed. A business shall not obtain explicit consent by requiring a consumer to consent to an additional unrelated or incompatible purpose in order to use the product.”

Reading these comments feels like peering into a crystal ball at the future of U.S. privacy rules. Whether this future manifests through operation of the FTC, Congress, or state rules depends on what happens next.

Here's what else I’m thinking about:

  • The Kids Online Safety Act saw coordinated opposition. A letter to congressional leaders signed by 90 civil society organizations opposed KOSA in no uncertain terms because the bill “presents significant unintended consequences that threaten the privacy, safety, and access to information rights of young people and adults alike.” The letter cites concerns around overly broad requirements for age verification, parental supervision, and content filtering, as well as potential conflicts with student privacy rules. This could pour cold water on efforts to pass kids privacy protections before the end of the year.
    • NOTE: when reviewing KOSA, make sure you look at the version voted out of committee July 27, which, to my knowledge, has not been officially posted anywhere. You can cobble it together from the approved amendments.
  • Speaking of children, the Chair is expecting. Bloomberg’s Leah Nylen quotes FTC confirmation Chair Lina Khan is planning to take a “short parental leave” starting in January.
  • The fraught work of comparing privacy laws continues, with an analysis by Brookings’ Cam Kerry of conflicts between the American Data Privacy and Protection Act and California’s privacy laws. Regardless of where you fall on this debate, it is good to remember one thing: we can’t know with certainty the real impacts of a law until it is fully baked — through implementing regulations — and fully tested in court.
  • Cold winds blow from Europe on U.S. trade policies. With characteristic bluntness, Politico’s Mark Scott concluded “there’s a brewing trade war between Europe and the U.S.” Scott reported on what to expect from the agenda of the EU-U.S. Trade and Technology Council summit next week. Though the meeting will not focus on privacy or data flows issues, a joint roadmap for trustworthy artificial intelligence is on the agenda. Meanwhile, Bloomberg’s Jillian Deutsch reports EU Commissioner for the Internal Market Thierry Breton pulled out of the TTC meeting over the lack of time dedicated to trade concerns.
  • Nevertheless, save the date for another necessary baby step for Privacy Shield 2.0. Politico also reports a “preliminary announcement” is now expected in the “first half” of December from the European Commission in response to the White House executive order on the EU-U.S. Data Privacy Framework.

Under scrutiny

  • A lawsuit against the NSO Group is featured in the New Yorker, as an American journalist challenges the alleged use of the company’s Pegasus spyware to surveil his activities in El Salvador.
  • Age verification and its many challenges is the subject of a Wall Street Journal article.

Please send feedback, updates and favorite FTC comments to cobun@iapp.org.