What the latest FTC vote means for online privacy and the modern tech business model

Last week, the Federal Trade Commission (FTC) took a small step toward expanding regulation of online activity when it voted 3-2 to approve an advance notice of proposed rulemaking (ANPR) to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers.

An ANPR is just what it sounds like: It’s not a ruling that will directly change anything, but a heads-up that the FTC is looking into commercial online practices and requesting feedback on the topic because they might at some point propose new rules. It may sound like a lot of nothing — and, in fact, nothing may come out of it — but as a consumer, business owner or tech worker, you have an opportunity to make yourself heard on the issue.

The personal data issue isn’t going away

The main issue is one that most consumers are aware of, though some may try not to think too much about it: Your data is everywhere. Every link you click, app you download, account you follow, product you buy and move you make means sharing personal data with companies. We’re most aware of it when we notice online ads that seem to know exactly what you need or want. It can feel creepy, and it probably should.

In the overview of the 44-page ANPR document, reasons for concern are listed, including misuse of personal data, misleading privacy policies, phishing, fraud, cyberattacks, stalking software and discrimination:

“For example, some employers’ automated systems have reportedly learned to prefer men over women. Meanwhile, a recent investigation suggested that lenders’ use of educational attainment in credit underwriting might disadvantage students who attended historically Black colleges and universities. And the Department of Justice recently settled its first case challenging algorithmic discrimination under the Fair Housing Act for a social media advertising delivery system that unlawfully discriminated based on protected categories. Critically, these kinds of disparate outcomes may arise even when automated systems consider only unprotected consumer traits.”

The timing of the ANPR also follows reports of heightened fears that personal data from menstruation-tracking apps and social media is being used to track people potentially seeking abortion services post- Roe vs. Wade.

More regulation may seem like an obvious necessity — after all, the European Union adopted the General Data Protection Regulation (GDPR) in 2016, providing its consumers far more privacy than US consumers have, including its famous “right to be forgotten.”

More privacy, more annoyances?

Still, the GDPR, with its far-reaching rules, may hinder the creation of a similar regulation in the US, with its complicated regulations for import/export that require compliance from US businesses who do business with consumers in the EU.

(For more on what’s new in data security from a legal perspective, check out this guest post from Kimberly Klayman of the law firm Ballard Spahr, who explains how to make sure your company’s data privacy policy complies with evolving security laws.)

As much as everyone says they want privacy, virtually every tech model of business relies on personal data. Cookies are tracked everywhere you go, and even though many sites request your consent and allow consumers to set their own preferences or opt out (the result of implementation of the GDPR in 2018), this option to opt out of data tracking is generally seen as irritating at best. They’ve become so ubiquitous that there is a cottage industry of cookie popup auto responders, often set to reject cookies by default.

And that’s the thing. The more privacy, the more little annoyances will likely pop up while we’re online.

Impact on tech-related businesses

Consumers are only part of the equation. The companies that benefit from commercial surveillance will clearly be impacted by further regulation — and while it’s easy to shrug that off because it would affect giant tech conglomerates and billionaire CEOs, it would also affect small businesses, especially those that rely on social media ads that track down consumers who are a match with their products and will happily click their ads.

In fact, in 2016, the US Chamber of Commerce Foundation found that federal regulations disproportionately have a negative impact on small businesses, translating to a potential roadblock for data security regulations that may make it more difficult for digital businesses of all sizes to profit.

Where you come in

Somewhere, at least in theory, there is a balance between protecting consumers and allowing tech businesses to function, and the FTC isn’t pretending to know what that is.

Some of the questions the ANPR raises, such as “Should new rules codify the prohibition on deceptive claims about consumer data security, accordingly authorizing the Commission to seek civil penalties for first-time violations?” seem like things that should have been put in place years ago. But overall, it’s more complex than cracking down on fraud.

One of the most important aspects of the ANPR is the feedback part. If you are a consumer, a tech business owner or both, and you want to participate in the possible creation of future FTC regulation, you can submit comments online or by mail. Full details are on page 42 of this document: