July 14, 2024

September 27, 2022
Click for PDF
On August 11, 2022, the Federal Trade Commission (the “FTC” or the “Commission”) launched one of the most ambitious rulemaking processes in agency history with its 3-2 vote to initiate an Advance Notice of Proposed Rulemaking (“ANPR”) on “commercial surveillance” and data security.[1] On September 8, the Commission continued the rulemaking process by hosting a virtual “Commercial Surveillance and Data Security Public Forum (the “Public Forum”)” to gather public feedback on the proposed rulemaking.[2]
As explained in more detail in our prior article, the ANPR lays out a sweeping project to rethink the regulatory landscape governing nearly every facet of the U.S. internet economy, from advertising to anti-discrimination law, and even to labor relations. Any entity that uses the internet, even for internal purposes, is likely to be affected by this FTC action.
FTC Rulemaking Process
The FTC is undertaking this rulemaking under Section 18 of the FTC Act (also known as “Magnuson-Moss”), a hybrid rulemaking process that goes beyond the Administrative Procedure Act’s standard notice-and-comment procedures.[3]  The FTC may promulgate a trade regulation rule to define acts or practices as unfair or deceptive “only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.”  15 U.S.C. § 57a(b)(3) (emphasis added).  The FTC may make a determination that unfair or deceptive acts or practices are prevalent only if: “(A) it has issued cease and desist orders regarding such acts or practices, or (B) any other information available to the Commission indicates a widespread pattern of unfair or deceptive acts or practices.”  15 U.S.C. § 57a.  That means that the agency must show (1) the prevalence of the practices, (2) how they are unfair or deceptive, and (3) the economic effect of the rule, including on small businesses and consumers.
Since the FTC published the ANPR, the Commission has posted 123 comments received thus far.[4]  The Commission will continue to accept public comments until October 21.  After the FTC’s review of comments, the next step in the Magnuson-Moss rulemaking process would be to publish a Notice of Proposed Rulemaking (“NPR”), which would set forth the proposed rule text, a description of its reasons supporting the proposed rules, any alternatives, and a preliminary regulatory analysis assessing the costs and benefits of the proposal and alternatives.  This proposal would be submitted to Congress 30 days before public issuance.  The FTC would then be required to convene a public comment opportunity after the issuance of the NPR and provide interested parties an opportunity for an informal hearing to present its views and resolve disputed factual issues.  Finally, the FTC would publish its Final Rule, accompanied by a Statement of Basis of Purpose detailing the prevalence of the practices being regulated, how they are unfair or deceptive, and the economic effect of the rule, including an assessment of the rule’s costs and benefits and why it was chosen over alternatives.  Any person could then seek review of the rule in the D.C. Court of Appeals within 60 days of promulgation.  If an NPR is published, challenges will be likely.
Commercial Surveillance and Data Security Public Forum
The September 8 Public Forum included (i) statements from Chair Lina M. Khan, Commissioners Rebecca Slaughter and Alvaro Bedoya, and the Commission’s Assistant General Counsel Josephine Liu; (ii) a panel of industry representatives; (iii) a panel of consumer advocates; and (iv) over 65 public commenters.
Key topics discussed during the Public Forum included data minimization, data security, algorithmic discrimination and ethical Artificial Intelligence (“AI”), and the protection of teenagers over 13 years old, among others.
Below are highlights from the sessions:
Commissioner Statements.
Commissioners Phillips and Wilson did not participate in the Public Forum.
Industry Representative Panel.
In addition to the Commissioners’ remarks, the FTC convened a panel of industry representatives moderated by Professor Olivier Sylvain, now Senior Advisor on Technology to Chair Khan.  Professor Sylvain, whose academic work has focused on Section 230 of the Communications Decency Act, joined the FTC in 2021 from Fordham University where he served as Professor of Law.
Panelists included four senior executives and policy counsel from (1) a trade association for the digital content industry; (2) a web browser provider; (3) a retail trade association; and (4) a nonprofit coalition researching the use of artificial intelligence.  Below are key themes from the industry panel:
Consumer Advocate Panel.
The Consumer Advocate Panel was moderated by Rashida Richardson, an Attorney Advisor to Chair Khan.  This panel included members of non-profits and thinktanks focused on consumer privacy and digital innovation.  In general, the moderator’s questions assumed harmful impacts of data use to consumers.
Public Commenters.
The ANPR and the public workshop are just initial steps in the lengthy FTC rulemaking process.  Given the broad-based scope of the potential rules, the rulemaking process will be closely watched and analyzed.  Gibson Dunn attorneys are closely monitoring these developments, and are available to discuss these issues as applied to your particular business.
[1] Federal Trade Commission Press Release, FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices (Aug. 11, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices.
[2] Federal Trade Commission Event, Commercial Surveillance and Data Security Public Forum (Sept. 8, 2022), https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum.
[3] Magnuson-Moss Warranty Federal Trade Commission Improvement Act, 15 U.S.C. § 57a(a)(1)(B).  The FTC had largely abandoned the promulgation of new trade regulation rules because the Magnuson-Moss process was perceived as too cumbersome and the agency generally preferred case-by-case enforcement over rulemaking.  The Biden Administration, however, has revitalized the interest in promulgating trade regulation rules, to “provide much needed clarity about how our century-old statute applies to contemporary economic realities [allowing] the FTC to define with specificity what acts or practices are unfair or deceptive under Section 5 of the FTC Act.”  Statement of Commissioner Rebecca Kelly Slaughter, Regarding the Adoption of Revised Section 18 Rulemaking Procedures (July 1, 2021), here.
[4] Public comments are available at, https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.
This alert was prepared by Svetlana S. Gans, Samantha Abrams-Widdicombe, and Kunal Kanodia.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:
United States
Matthew Benjamin – New York (+1 212-351-4079, mb*******@gi********.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rb*********@gi********.com)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, ab*******@gi********.com)
David P. Burns – Washington, D.C. (+1 202-887-3786, db****@gi********.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cg*************@gi********.com)
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, sg***@gi********.com)
Lauren R. Goldman– New York (+1 212-351-2375, lg******@gi********.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, sh******@gi********.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, nh****@gi********.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hh****@gi********.com)
Robert K. Hur – Washington, D.C. (+1 202-887-3674, rh**@gi********.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, kl******@gi********.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, ml***@gi********.com)
Vivek Mohan – Palo Alto (+1 650-849-5345, vm****@gi********.com)
Karl G. Nelson – Dallas (+1 214-698-3203, kn*****@gi********.com)
Rosemarie T. Ring – San Francisco (+1 415-393-8247, rr***@gi********.com)
Ashley Rogers – Dallas (+1 214-698-3316, ar*****@gi********.com)
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, as********@gi********.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, ds****@gi********.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, ev*********@gi********.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bw*****@gi********.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mw***@gi********.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dw*******@gi********.com)
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, ab*****@gi********.com)
James A. Cox – London (+44 (0) 20 7071 4250, ja***@gi********.com)
Patrick Doris – London (+44 (0) 20 7071 4276, pd****@gi********.com)
Kai Gesing – Munich (+49 89 189 33-180, kg*****@gi********.com)
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, bg*******@gi********.com)
Joel Harrison – London (+44(0) 20 7071 4289, jh*******@gi********.com)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, vl****@gi********.com)
Penny Madden – London (+44 (0) 20 7071 4226, pm*****@gi********.com)
Michael Walther – Munich (+49 89 189 33-180, mw******@gi********.com)
Kelly Austin – Hong Kong (+852 2214 3788, ka*****@gi********.com)
Connell O’Neill – Hong Kong (+852 2214 3812, co*****@gi********.com)
Jai S. Pathak – Singapore (+65 6507 3683, jp*****@gi********.com)
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Cookies that tie into analytics systems, such as Google Analytics, YouTube and Vimeo analytics for embedded video, etc. The following are the cookies installed by the service: _ga, _gid, collect, vuid
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. The following cookie is installed by the Google Analytics service: _gat


About Author