All happy comments are alike, but every unhappy comment is unhappy in its own way. Is that how Tolstoy put it? The U.S. Federal Trade Commission might not say it in those terms, but the agency continues to highlight the importance of hearing from all stakeholders in the ongoing public comment process for its proposed rule on Commercial Surveillance and Data Security.
Since Aug. 11, when the FTC’s Advance Notice of Proposed Rulemaking was first released, we learned a lot about what the agency is most interested in gathering through this first step of a lengthy rulemaking process. For starters, we now know the deadline for submitting public comments is Oct. 21, six weeks from today.
At this stage in the process, public comments are most useful to the FTC if they can assist in refining the scope of its future inquiry. This means that commenters should not try and respond to all 95 questions in the ANPRM.
But how do you choose which questions to answer? One tip came in the form of a presentation from FTC Assistant General Counsel for Legal Counsel Josephine Liu. Her remarks set the table for yesterday’s public forum on the ANPRM, which also included testimony from stakeholders in industry and civil society, as well as a lengthy period for short comments from members of the public. IAPP’s coverage of the public forum is here, and for what it’s worth, I live-Tweeted the main discussions.
Liu drew special attention to three of the questions from the ANPRM. Question 3 asks about prevalence of practices. For the Commission to promulgate a final Trade Regulation Rule, it will need to “define with specificity” acts or practices that are unfair or deceptive and also “widespread” in the marketplace. This is why the Office of the General Counsel drew our attention to this question. Prevalence will be an important factor, whether within a single sector or across the economy.
Quantifying consumer harm was Liu’s other focus area. Question 7 of the ANPRM asks commenters to opine on how the Commission can identify, evaluate, measure and substantiate the harms or potential harms posed by commercial surveillance and lax data security practices. Harm is a perennially important topic in the privacy arena, in part because showing “substantial injury to consumers,” or a risk thereof, is an important prong of the FTC’s unfairness test. Going one step farther, in Question 8, the FTC asks which areas of harm it has failed to address through individual enforcement actions. Establishing a record on this point will help the agency to explain why a trade regulation rule is necessary to resolve these harms, which is a core focus of this early stage of the rulemaking process.
Of course, the substantive questions matter too. Some commissioners have made statements indicating which subjects are of individual interest to them. But what matters more for commenters should be the questions about which you have particular experience, or that you can substantiate with research to back up your claims. For companies, whether your business makes use of algorithms, personalized advertising, biometrics, or other spotlighted areas of personal data processing, you probably have a unique perspective to share.
Here's what else I’m thinking about:
- After hosting a “listening session,” the White House announced a set of Principles for Enhancing Competition and Tech Platform Accountability. The “core principles,” cover six broad areas including competition, privacy, kids’ safety, content moderation, algorithm transparency and algorithmic discrimination.
- On privacy, the statement calls for “robust federal protections for Americans’ privacy,” with “clear limits on the ability to collect, use, transfer, and maintain our personal data, including limits on targeted advertising. These limits should put the burden on platforms to minimize how much information they collect, rather than burdening Americans with reading fine print. We especially need strong protections for particularly sensitive data such as geolocation and health information, including information related to reproductive health. We are encouraged to see bipartisan interest in Congress in passing legislation to protect privacy.”
- On kids’ safety, the statement calls on platforms “and other interactive digital service providers” to put enhanced protections in place for children, adolescents and teens by “prioritizing safety by design standards,” including by “restricting excessive data collection and targeted advertising to young people.”
- Outside stakeholders at the event included voices from academia and civil society, the CEOs of Mozilla and Sonos, and the attorney general of the District of Columba, who recently proposed an algorithmic discrimination law.
- The high-profile trial of ex-Uber CISO Joe Sullivan could be a wakeup call for privacy and security officers alike. The case raises important questions about executive liability for data breaches as well as the boundaries between bug bounty programs and data breaches.
- Merriam Webster added a new definition of the term “metaverse”: “a persistent virtual environment that allows access to and interoperability of multiple individual virtual realities.” Well, that’s the idea, anyway. This is just one of 370 new words from the famously descriptivist dictionary. Another favorite from my lexicon is meatspace, which may soon be known as reality reality.
- Data minimization and its importance to trustworthy data flows was the subject of a speech by Access Now’s Estelle Massé at a G-7 roundtable of data protection authorities. Data minimization was also highlighted many times by commenters in the FTC’s public forum on its ANPRM.
- Fog Reveal, a service of Fog Data Science, is the subject of an investigative report from The Associated Press alleging the tool has been used by law enforcement agencies around the country to “follow people’s movements months back in time.”
- Facebook’s cross-site login button is disappearing from a number of big brands, including Dell, Best Buy, Ford, Pottery Barn, Patagonia, Match and Twitch, according to a CNBC report citing reduced consumer interest in using cross-site logins, potentially for privacy reasons.
Privacy people on the move
- Sept. 13 at 10 a.m. EDT, the U.S. Senate Committee on the Judiciary will host a hearing titled Data Security at Risk: Testimony from a Twitter Whistleblower (Dirksen Senate Office Building Room 226).
- Sept. 13 at 1 p.m. EDT, the U.S. Department of Labor’s Office of Federal Contract Compliance Programs and the U.S. Equal Employment Opportunity Commission, through its HIRE and AI initiatives, will jointly host a roundtable titled “Decoded: can technology advance equitable recruiting and hiring?” (virtual)
- Sept. 14 at 9 a.m. EDT, ForumGlobal hosts The 4th annual Data Privacy Conference USA (National Press Club).
- Sept. 14 at 10:30 a.m. EDT, ITIF and the XR Association jointly host the Augmented and Virtual Reality Policy Conference (Convene).
- Sept. 15 at 10 a.m. EDT, Generation1.ca will host a discussion about privacy best practices in the research and insights industry, “Securing the Frontiers: Privacy Trends Changing the World of Insights” (virtual).
Please send feedback, updates and widespread practices to firstname.lastname@example.org.
If you want to comment on this post, you need to login.