Business and Legal Insights

Privacy and data security professionals have been closely monitoring the ongoing battle regarding a new proposed federal law, the American Data Privacy and Protection Act ( ADPPA), which in July made it out of committee with surprising bipartisan support, and which could change the privacy landscape throughout the country, preempting multiple state laws and setting a uniform standard for privacy and data security compliance.  But while the ADPPA has been re-negotiated and revised over and over again, the Federal Trade Commission (FTC) has been brewing up its own set of privacy and security rules. On August 11, 2022, the FTC issued an Advance Notice of Proposed Rulemaking (ANPRM), which asks for public comment on 95 questions on a variety of privacy and data security topics, touching almost every industry in the nation. Comments are due within 60 days of publication of the ANPRM in the Federal Register, and a virtual forum will be held on September 8, allowing members of the public to speak for two minutes.

Some commentators have speculated that the FTC’s ANPRM is a reaction to the ADPPA losing some steam in Congress – the FTC might be attempting to pressure lawmakers to find a workable solution and pass a federal law before the midterm elections, which will likely cause additional setbacks in legislation.  If the FTC is planning on pushing forward its new rulemaking at the same time as Congress is finalizing – and hopefully passing – the ADPPA, the potential conflicts could be significant, and cause headaches to businesses spanning multiple industries and business models.

The FTC derives its power to regulate privacy and data security issues from Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” This short sentence has given, in over a century since it was enacted, tremendous power to the FTC to regulate unfair, deceptive, or unfair and deceptive privacy practices. Unfair privacy practices are those that are injurious to consumers, unethical or unscrupulous, whereas deceptive practices are those that may mislead customers, such as when a company does not follow its own stated privacy policy. With this jurisdiction vested in it by the FTC Act, the FTC has enforced privacy and data protection violations in a multitude of industries, levied many millions dollars of fines, and required businesses to completely overhaul their privacy and data security practices and procedures through consent decrees and court orders. If the new FTC rules are finalized and implemented, there will be yet another body of privacy law for businesses to become familiar with and abide by.

Rulemaking of this type can be a lengthy procedure, often taking five years or more. It is possible that the FTC is indeed signaling that, should Congress fail to pass an umbrella federal statute governing privacy and data security, it will fill that federal void on its own.  Either way, the message is clear: legislative changes are forthcoming in the near future, and it is the responsibility of every potentially-affected business to stay up to date on the newest requirements.