FTC announces advance notice of proposed rulemaking on commercial surveillance and data security

The FTC has issued a long-anticipated Advance Notice of Proposed Rulemaking (ANPR) regarding commercial surveillance and data security practices. The FTC invites public comment on a wide range of issues (through more than 95 questions) and alludes to the possibility of adopting broad, prescriptive data privacy and security regulations. Key areas include: (1) harms to consumers from commercial surveillance and data security practices; (2) unique considerations for certain demographics, particularly children and protected classes; (3) errors, bias, and discrimination caused by automated decision-making (including artificial intelligence or machine learning (AI/ML)); (4) consumer consents and notices/disclosures to consumers about commercial surveillance and data security practices; (5) how best to regulate these practices; and (6) cost-benefit and trade-off considerations of a proposed rulemaking. Many of the topics raised in the ANPR go beyond the FTC’s December 2021 Statement of Regulatory Priorities.

More details on the ANPR are included below; comments will be due 60 days after the ANPR’s publication in the Federal Register. A Public Forum will also be held on September 8.

The Extent of Consumer Harms (including for Children and Teenagers). The ANPR seeks further information on types of harms and how they affect consumers. Questions include, for example, which harms may not be easy to identify or quantify, and whether a rulemaking should focus on certain kinds of data based on the data’s risks of harm. The ANPR also states that different kinds of consumers may be harmed differently (including children, teenagers, and protected classes) and asks (1) how harms may be particular to various demographics and (2) whether a rulemaking should consider special requirements to protect these demographics. These questions are particularly notable, as the FTC is currently undertaking a separate review of COPPA.

Data Security. The FTC asks how granular data safeguard rules should be and whether it should leverage existing requirements such as those in the Children’s Online Privacy Protection Act (COPPA) and the FTC’s Safeguards Rule under the Gramm–Leach–Bliley Act (GLBA).

Notice, Transparency, and Disclosure.  The FTC asks what information about consumer data practices should be made public and what processes enable transparency, as well as what role third parties should play in administering disclosure requirements or performing audits or assessments of data practices. 

Consumer Consent.  The FTC seeks comment on the standard for effective consent, whether some activities should be beyond the ability to consent, and how to provide and enforce opt-out rights.

Collection, Use, Retention, and Transfer of Consumer Data.  The FTC asks whether and how it should limit biometric data and personalized or targeted advertising practices. It also seeks input on data minimization, purpose limitation, and data retention requirements, and how to account for interoperability.

Discrimination Based on Protected Categories.  The FTC also asks about the prevalence of algorithmic discrimination based on protected categories (e.g., race, sex, age), the impact on consumers, how the FTC should evaluate and address algorithmic discrimination, and whether it should consider rules on algorithmic discrimination in areas where Congress has explicitly legislated, such as housing and employment. 

Automated Decision-making Systems.  The FTC seeks input on the prevalence and inevitability of algorithmic error in automated decision-making systems; what companies can do to prevent algorithmic errors, if any; and what legal theories support limitations on the use of automated systems or bar the FTC from regulating these and related activities. 

Remedies and Obsolescence.   The FTC seeks comment on remedy structures for any new rules it adopts and how rulemaking should account for evolving business models and practices.

Cost-Benefit Considerations. The FTC acknowledges that any potential rulemaking involves trade-offs. It seeks to understand the potential costs and benefits of a rulemaking and how it may impact innovation, competition, and consumer access to free services that rely on current models. The ANPR also asks about quantifying these trade-offs, whether the analysis is different in the context of children’s information, and whether certain companies should be exempt from certain rules based on size or nature of the companies’ consumer data.

Finally, the ANPR also notes that the FTC may pursue additional rulemaking activities subsequent to the above.


Authored by Mark Brennan, Dan Ongaro, Sophie Baum, and Ambia Harper.


