A Look at EPIC’s Report to the FTC on Commercial Surveillance & Data Security

Last week, EPIC published a report titled Disrupting Data Abuse: Protecting Consumers from Commercial Surveillance in the Online Ecosystem. The report responds to a call for comments from the Federal Trade Commission, which is considering a rule on commercial surveillance and data security. Over 230 pages, we detail the harms inflicted by exploitative commercial data practices, establish the Commission’s authority to regulate those practices, and call on the FTC to impose specific privacy, security, transparency, algorithmic fairness, and anti-discrimination obligations on businesses.

EPIC and coalition partners have repeatedly urged the Commission to undertake a trade regulation rulemaking that would define unfair and deceptive commercial data practices and unlock the FTC’s dormant enforcement power. The Commission, which is the de facto data privacy regulator in the United States, typically lacks the ability to impose fines for first-time privacy and security violations. But a trade rule would establish across-the-board obligations backed by the threat of civil penalties—a major step forward for U.S. data protection. EPIC is heartened to see the Commission considering such a rule now.

Our report begins by laying out the stakes of today’s data privacy crisis:

The lack of comprehensive privacy laws and regulations has allowed abusive data practices to flourish, creating a persistent power imbalance that threatens both individual rights and competition. Due to the failure of policymakers in the U.S. to establish adequate data protection standards, online firms have been allowed to deploy commercial surveillance systems that collect and commodify every bit of our personal data. … The notice and choice approach that has dominated the United States’ response to this uncontrolled data collection over the last several decades simply does not work.

Next, we lay out the Commission’s legal authority to break from the failed approaches of the past and establish robust rules for the commercial processing of personal data. Briefly put, the FTC can use its trade rulemaking authority to prohibit particular commercial data practices as deceptive (i.e., materially misleading) or unfair (i.e., causing substantial and unavoidable injury to consumers that is not outweighed by benefits to consumers or competition). As we explain, “substantial injury” includes harms that may not always be economically quantifiable, such as invasions of privacy, reputational damage, and discrimination. The practices must also be “prevalent”—a standard that is easily met for the types of data uses which would be targeted by a trade rule. Having declared certain data practices unlawful, the Commission can then impose prophylactic obligations on businesses to prevent those practices from occurring.

We then turn to our substantive recommendations for the Commission’s rule.

Data minimization

EPIC argues that a business’s collection, use, retention, or transfer of a consumer’s personal information beyond what is reasonably necessary and proportionate to achieve the primary purpose for which it was collected (consistent with consumer expectations and the context in which the data was collected) is an unfair trade practice. These out-of-context secondary uses of data and the overcollection that feeds them are inconsistent with…
