If you could write a policy governing data security on the Internet, what would it look like?
Last week, Federal Trade Commission (FTC) took a small step toward expanding online regulation when it voted 3-2 to approve an advance notice of proposed rulemaking (ANPR) to solicit public comment on the prevalence of commercial surveillance and data security practices that harm consumers.
ANPR is exactly what it sounds like: it’s not a regulation that will directly change anything, but rather a notice that the FTC is studying online commercial practices and asking for feedback on the topic, as they may propose new rules at some point. This may sound like a lot of nothing—and, in fact, nothing may come of it—but as a consumer, business owner, or tech worker, you have an opportunity to make yourself heard on this issue.
The problem of personal data does not disappear
The main problem most consumers are aware of, although some try not to think too much about it: your data is everywhere. Every link you click, app you download, account you follow, product you buy and move means sharing personal data with companies. We are most aware of this when we notice online ads that seem to know exactly what you need or want. It might sound creepy, and it probably should.
An overview of the 44-page ANPR document lists reasons for concern, including misuse of personal data, misleading privacy policies, phishing, fraud, cyber attacks, surveillance software and discrimination:
“For example, some employers’ automated systems have reportedly learned to favor men over women. Meanwhile, a recent study found that lenders’ use of educational attainment when applying for loans can harm students who attended historically black colleges and universities. The Justice Department recently settled its first algorithmic discrimination case under the Fair Housing Act for a social media ad delivery system that unlawfully discriminated based on protected categories. Importantly, similar heterogeneous results can occur even when only automated systems are considered unprotected consumer traits”.
The timing of the ANPR also comes amid reports of heightened concerns that personal data from period-tracking apps and social media are being used to track people potentially seeking abortion services after Roe v. Wade.
Additional regulation may seem like an obvious necessity — after all, the European Union has adopted it General Data Protection Regulation (GDPR) in 2016, providing its consumers with far more privacy than US consumers, including its famous “right to be forgotten.”
More privacy, more annoyance?
However, the GDPR, with its far-reaching rules, may prevent similar regulation in the US, with its complex import/export rules that require compliance by US companies doing business with consumers in the EU.
Even though everyone says they want privacy, virtually every technological business model relies on personal data. Cookies are tracked wherever you are, and even though many sites ask for your consent and allow consumers to set their own preferences or opt out (the result of the implementation of GDPR in 2018), this option to opt out of data tracking is usually considered how annoying at best. They have become so ubiquitous that an entire industry of autoresponders has sprung up, often opting out of cookies.
And that’s the point. The more privacy, the more small annoyances will arise when we are online.
Impact on technology business
Consumers are only part of the equation. Companies that benefit from commercial surveillance will clearly be hurt by further regulation—and while it’s easy to dismiss this as affecting giant tech conglomerates and billionaire CEOs, it will also affect small businesses, especially those that rely on social media advertising, track consumers who are relevant to their products and will be happy to click on their ads.
Actually in 2016 US Chamber of Commerce Foundation found that federal regulations disproportionately affect small businesses, becoming a potential roadblock to data security regulations that could make it difficult for digital businesses of all sizes to turn a profit.
Where do you enter?
Somewhere, at least in theory, there is a balance between protecting consumers and allowing tech businesses to operate, and the FTC doesn’t pretend to know what it is.
Some of the questions raised by the ANPR include, “Should the new rules codify a ban on misleading claims about the security of consumer data, thereby allowing the Commission to seek civil penalties for first violations?” looks like stuff that should have been put in place years ago. But in general, it is more difficult than fighting fraud.
One of the most important aspects of ANPR is the feedback part. If you are a consumer, a technology business owner, or both, and you want to participate in the possible shaping of future FTC regulation, you can submit comments online or by mail. Full information on page 42 of this document: