Privacy & Information Security Law Blog

On November 21, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth filed comments on the Federal Trade Commission’s Advanced Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and data security. The ANPR sought public comment on, among other things, whether the FTC should implement new rules addressing the ways in which companies collect, aggregate, protect, use, analyze and retain consumer data.

In its comments, CIPL noted that it is a strong supporter of federal privacy legislation, which it views as a superior solution for a U.S. privacy framework. It also noted that there are legitimate questions about whether the FTC can or should undertake broad-based regulatory action of the type envisioned in the ANPR. But since the FTC invited comments – which CIPL believes are intended to generate a public record for purposes of informing both the FTC’s potential actions and those of Congress and other policymakers – CIPL’s comments focused on the substance and nature of the issues raised in the ANPR.

CIPL’s comments stressed that any potential action addressing comprehensive privacy measures should strive for an outcomes-based approach that:

• promotes effective, targeted protections for consumers;
• enables innovative and responsible data uses;
• provides businesses with robust, flexible and future-proof legal bases for processing consumer data, including legitimate interests;
• incorporates accountability-based practices that include contextual risk assessments;
• acknowledges that risk is inherent in any use of consumer data;
• recognizes that risk mitigation does not mean the elimination of risk, but rather the reduction of risk to the extent practicable;
• affirms that companies are best placed to understand the risks raised by their own processing activities and, therefore, are best placed to identify and implement appropriate mitigation measures;
• does not unnecessarily encumber legitimate business practices or thwart data-driven innovation;
• supports Privacy Enhancing Technologies and Privacy Preserving Technologies;
• provides guidance on appropriate risk criteria, frameworks and methodologies; and
• is drafted after engagement and discussions with stakeholders.

CIPL also urged the FTC to re-evaluate its use of the term “commercial surveillance” because the term (as defined in the ANPR) appears to cover many legitimate and necessary data practices. CIPL encouraged the FTC to evaluate data use practices in light of their risks and benefits to both individuals and society, with due consideration of how those risks can be effectively managed and minimized.