An appearance by U.S. Federal Trade Commissioner Rebecca Kelly Slaughter at the IAPP Privacy. Security. Risk. 2022 conference was expected to primarily promote reinforcement of the agency's Advance Notice of Proposed Rulemaking on commercial surveillance and lax data security. Attendees were provided a little more than that with Slaughter hinting that the Oct. 21 public comment deadline for the ANPRM may be extended.
In conversation with IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, Slaughter said "no one should expect or count on an extension," but candidly alluded to an inevitable announcement from the FTC.
"There's the sense that everybody already thinks (the rulemaking process) is going to take forever so we should adhere to the deadlines that are in the statute," Slaughter said. "On the other hand, a short extension of a few weeks strikes me as not a totally unreasonable thing. And if we were going to do such a thing, it seems like something we should announce in the next few days if it were to happen."
The initial 60-day comment period sought feedback on 95 wide-ranging questions laid out in the ANPRM, but there had been recent calls to push out the comment deadline to allow more time for more thoughtful submissions. Even with the likely announcement of an extension, Slaughter said the agency "has a real urgency to move" while adding any suggestion that the rulemaking process from start to finish may take 10 years "is not true."
Unpacking rulemaking questions, goals
Beyond the extension talk, Slaughter used her time with a crowd of stakeholders to provide a better window into the FTC's focus as rulemaking moves forward. First and foremost, she wanted to make clear that the perception of over-broadness with the ANPRM may not ultimately be reflected in any final rule the commission arrives at.
Slaughter said there were "many ways" the agency could've gone about "a much more limited" approach, but the task of "tackling a really complicated area with lots of interconnected issues" required casting a wider net.
"We want to make sure we are asking the full breadth of questions. That doesn't mean necessarily that we are going to propose a single rule that addresses all of the issues at once," she said. "I'm interested in how we should be thinking about harm that is difficult to quantify. … In privacy it's hard to quantify harm and draw direct causation arrows."
Slaughter expressed interest in grasping better where bringing deterrence around prevailing market practices for data collection, use and retention, which aligns with comments made during her P.S.R. 2021 keynote speech. She also highlighted her hopes to get a better grasp for children's and teen privacy, noting the "technology addiction" to which young people are succumbing "stems from the current data ecosystem."
And if the ANPRM results in a narrower rule, Slaughter indicated the public consultation will provide a useful reference for the commission to explore future rules and companies to understand views on prevailing issues.
"I think the record in and of itself will have incredible value," Slaughter said. "I don't think anywhere else there exists a participatory public record on all these issues from a huge variety of stakeholders. That's like a gift that will keep on giving for researchers, analysts and market participants."
What if a federal privacy law is enacted?
The ANPRM was published a few weeks after the U.S. House Committee on Energy and Commerce made the proposed American Data Privacy and Protection Act available for a House floor vote. The dueling paths to addressing privacy do not appear to be an issue at the FTC, with all commissioners deferring to a federal law like the ADPPA over rulemaking.
Slaughter reaffirmed her prior sentiments and urged U.S. Congress to pass the ADPPA or a law like it and indicated rulemaking will be curtailed when a federal standard is signed.
"I can't even fathom how we would continue to do a broad ANPR and simultaneously do the nine different rulemakings (the ADPPA) contemplates plus all the enforcement under it," Slaughter said. "There may be some things outside the scope of the federal law we might still consider. … But I also think we take very seriously that when Congress passes a new statute they are telling us directly 'this first' and 'this is important.' We should listen to that directive."
While anxiety exists for Slaughter around whether a federal privacy law will come to fruition, there's more anxiety around properly equipping the agency for the responsibilities it will assume under that potential legislation. Slaughter said the directives only for the FTC under the proposed ADPPA would "basically require us to double our budget" and she's made those funding needs clear to Congress, regardless of a potential law.
Whether it be through a federal standard or rulemaking, Slaughter said the commission understands the need to modernize its approach to enforcement, explaining how the "intentionally broad and general" statute the agency is working under "is not very prescriptive or specific."
"The staff at the FTC has done an incredible job of building an effective (enforcement) program as far as it can go with case-by-case enforcement in this way. But it can only go so far," Slaughter said. "One of the ways we can measure if our approach is effective is seeing if we are really stopping problems … and seeing market behaviors changing. That is absolutely not the case. Every day we have new security breaches or privacy problems. And by new I mean the same ones we've seen before and sometimes by the same companies. … It's a pretty strong signal it's not working well."
