Simplify for Success - Conversation with Lauren Kitces
We invited Lauren Kitces on #SimplifyForSuccess, a podcast series presented by Meru Data and hosted by Priya Keshav.
Lauren discussed the FTC's proposed rulemaking regarding data privacy and data security. She also shared her insights on enforcement actions from the past and how companies can prepare for FTC enforcement.
Thank you to Fesliyan Studios for the background music.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Transcript:
Priya Keshav:
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment. We've invited a few colleagues in the data and information governance space to share their strategies and approaches for simplification.
In this episode, we will be talking about the US Federal Trade Commission and its proposed rulemaking process. The agency filed an advance notice of proposed rulemaking that will explore rules to crack down on harmful commercial surveillance and lax data security practices. The agency currently seeks comments on harms stemming from commercial surveillance and whether new rules are needed to protect people's privacy and information. To talk about this, our guest for the show is Lauren Kitces. Lauren has been a guest on our show before. She's a member of the privacy and civil security practice at Sidley Austin. She provides business-oriented privacy and cybersecurity advice to a wide range of clients. She has strong international experience, which she uses to help translate pre-existing international efforts into US regulatory compliance. Hi Lauren, welcome to the show.
Lauren Kitces:
Hi Priya, it's great to be here again.
Priya Keshav:
So, we will be talking about the FTC's proposed rulemaking regarding data privacy and data security. So, maybe you can kind of help us understand what the proposed rulemaking is about and maybe we can go from there.
Lauren Kitces:
So the FTC is commonly, more often than not, known for taking companies into an investigation or some type of an inquiry because of behavior they view as being unfair or deceptive, and that is under their remit and the FTC Act under Article 5; that's what most people deal with on a regular basis. That's what most people think of when they think of the FTC and privacy and cybersecurity. In this instance, what we're looking at is a very long process that's laid out in Article 18 of the FTC Act, which goes through and allows for the FTC to create trade regulation rules that are specific to acts and practices which are unfair or deceptive. And there's a lot more detail to it. But at its core that is what's going on here, and the very first step of that, before you can get to actual proposed rulemaking, is an advance notice of proposed rulemaking, and that's the step that the FTC has just started.
Priya Keshav:
So the notice itself asks 95 or so specific questions across 11 subject areas, right? So could you tell us a little bit more about the notice?
Lauren Kitces:
So the notice is divided up into sections, but at its core and by its title, it is dedicated to pretty much two themes, which are commercial surveillance and then lax data security practices. The commercial surveillance definition still encompasses the lax data security. It's almost as though data security sits underneath commercial surveillance a little bit while it's separate. But the commercial surveillance definition is extraordinarily broad; it's pretty much the definition they're using in the advance notice of proposed rulemaking, and it is pretty much anything to do with touching personal information or data that might be important to a company, and so in that regard, it's not just surveillance in the way we may be thinking about it.
The questions that are included are designed to effectively provide the Commission with information. And this is extremely important because there are only two circumstances in which the FTC can undertake creating these rules. So there are two prongs, basically: it has to be unfair, deceptive and prevalent, whatever they're creating rules about. But they can only undertake to do this if they either have issued cease-and-desist orders regarding these actual practices previously, or if they have other information that indicates a wide, it's called a widespread, pattern of unfair or deceptive acts or practices. So really, what is at the core of these 95 questions is, where they have not previously issued these cease-and-desist orders, their consent decrees if you will, that we're familiar with, it's getting at that information that they would have to have in order to move forward with, and potentially succeed in having, the actual proposed rules and potential actual rules take effect eventually.
Priya Keshav:
What is the ultimate objective of FTC with this rulemaking process?
Lauren Kitces:
The FTC has, or had rather, one chair and four commissioners, and shortly, well, I guess they still technically have four commissioners. But immediately after this was released, which was released on a Friday, the advance notice of proposed rulemaking, the following Monday, one of the commissioners, Commissioner Phillips, announced that he would be leaving the FTC in the fall, and whether that is correlated to this is not completely clear from what is available; it may be. But the crux of it is that there are different perspectives based on which commissioner and the chair that you ask. In general, the goal of these is to create a more robust framework of privacy. That is the stated goal. Some commissioners have stated that that should really only be for Congress to do, but at its core, the goal of this advance notice of proposed rulemaking, by what's written in it, is to create a kind of consistent, robust set of guidance, but under the guise of commercial surveillance and lax data security practices. So it's not going to be a federal comprehensive privacy rule or something. It's still within that remit, but the goal of it is to create a broad, consistent set of understandings in order to better protect, which is the commission's agreement, to better protect the consumer.
Priya Keshav:
You mentioned a little bit before, but what should this rulemaking process look like? Right now, they've issued a notice, they're collecting feedback, but what happens next?
Lauren Kitces:
Sure, so it's a very drawn-out process, so I will give a high-level overview, but I would say anyone who wants to know the full details, pull up Article 18 of the FTC Act and you will have a step-by-step of everything. But effectively, they have to do this advance notice. And the advance notice, its purpose is to create kind of a general understanding and to elicit public feedback. And the public feedback is critical, by the advance notice of proposed rulemaking in front of us, by that document's own statements, because it allows for a broad range of information to be given to the commission. So they're not just working from their own wherewithal; they're working from an industry perspective, they're working from a consumer perspective, they're working from other regulators' perspectives perhaps. And so it gives an ability for the commission to absorb all of that information and then move forward with that information in hand, and moving forward can look like different things. So in this document, it actually says we may never create rules. And that may be for a few different reasons, one of which may be they just don't go there for whatever reason, one of which may be that they decide that it's better to just inform other activities. But one of them is this might help Congress and whomever is working on a federal data privacy law with information, because the data that's collected, the information that's collected, will be available to Congress. So in that sense, there's a few different possibilities of what will be done. If it's followed through to an actual rulemaking process, it would next go to a full proposed rulemaking, which has to be submitted to Congress. And after that it will then move through several other assessment comments and eventually finalization pieces. But at its core, it will take years to do this.
We're not looking at a few months, and the next stepping stone in this process is the finalization of the comment period, which is October 21st this year. So, that's the deadline for comments to be submitted by whomever wants to submit them.
Priya Keshav:
If I am looking at what are some of the key takeaways for me, I mean when I say me, let's say I'm a company that wants to kind of understand this, then what should be my key takeaway?
Lauren Kitces:
Well, I think the first of which would be, if you want to focus on this, if you want to have some contemplation of the potential impact of this, reading the definition that's in the advance notice of proposed rulemaking on what qualifies as commercial surveillance, which I'll read here: it refers to the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. And so what we're looking at here is an incredibly broad definition. So first off, everything that's in here, it's not clear what would make it into a final rule, and I'll talk about that in just a second. But from its core, you have to be mindful that no matter what makes it in, it has a very broad reach by the definition of commercial surveillance. That is the remit for all of it. The 95 questions you referenced get into everything from algorithmic learning and bias, children's privacy, data security practices, in general. It really runs a very broad range of topics, and all of that sits nestled under this commercial surveillance concept. But because of that, if this were to move forward, it would likely touch a very large number of companies. Now again, we're looking at a years-long process here, so this isn't something to think is going to just happen overnight and be concerned in that sense. But if you're looking at it, I would say just understanding the scope of it. And then figuring out which of the questions may have relevance to what you do, which frankly, could be all of them. It is possible that all of these could apply to a company. But I think the biggest issue with doing that is that a lot of the questions are very vague.
And so in focusing on this, I think looking at that definition, understanding where your entity fits in with all of this, but then keeping in mind that what's in front of you may not be what is in an actual proposed rulemaking in that next step that would eventually follow this initial advance notice of proposed rulemaking process.
Priya Keshav:
While the FTC is embarking on this rulemaking process, it has already, and its Commissioners have, talked about enforcing privacy violations, and they have had multiple enforcement actions in the past. Can we kind of talk a little bit about what are some of the focus areas around these enforcement actions? The recent one being children's privacy. What are the areas to watch out for and what does enforcement look like from an FTC perspective? So I asked a lot of questions, so if you want to answer them one by one, that's fine.
Lauren Kitces:
Well, I think there's a lot of connecting points between the questions too. Children's privacy has been an ongoing focus. So while there has been some recent activity in that space, the FTC is certainly not new to the concept of protecting children, and the crux of that is also tied to a lot of what else they're focusing on. And so that's what's interesting: children's privacy doesn't really visit a bubble. It relates to other enforcement actions they've taken and other things they've noted are their focal points. One way that the FTC has recently revealed, if you will, some of their focus is, aside from their public statements, has been their annual PrivacyCon, which is just as geeky as it sounds, and this year will be their 7th iteration of that; they missed one year because of COVID. But it's a curated event where the FTC solicits public interest in what they should talk about, but then picks these topics and then picks research papers. So this is not like a CPO from a company speaking; these are researchers, and so caught topics such as dark patterns, algorithmic bias and the impact of that, kids' privacy, health care privacy, these are all topics that have come up in recent years. And I think that we're seeing a reflection of that both in these statements the FTC is making about their enforcement priorities, dark patterns being a huge one of those right now by their own statements, but also in what we're seeing come out in this ANPR. So I think the event that the proposal linking. So I think it all connects together in a lot of ways. And child privacy has been a big one; actually living up to your security comments on your website or in other materials is a big one, so if you said, like you said, everything is encrypted and everything is not encrypted, if you're caught, that's likely going to lead to some type of an enforcement action, and likely a settlement. But if you are in a situation where you are...
Again, we're looking at unfair, deceptive practices. So all of this is going to fit in that vein of if you say X and you're doing Y, there's a problem there. But dark patterns that I mentioned is one of their biggest focuses, I would say, right now, which is basically just manipulating people by virtue of either having a really complicated set of click-throughs that you have to undertake or a weird set of steps that you have to maneuver that forces someone into a certain decision. So that's where the dark pattern effectively is, and that is something that has come up even in the guise of children's privacy: can we, for example, unsubscribe from a children's service where there is a dark pattern present? So there's a lot of interconnectivity between recent enforcement, public statements and their PrivacyCon curated events and what we're seeing in the ANPR.
Priya Keshav:
So another area where they've talked about a lot is basically around location data, collecting location data, selling location data. It's been a major focus, or they've said that that would be a focus area for them now.
Lauren Kitces:
Yes, well, yes. And that I think comes from two places. One is, as is recognized in the ANPR to a good degree, people don't necessarily always know when their precise location is being gathered, and that is disconcerting. I think there's also become a greater focus on location data in recent months and years to some extent, and because of what can be learned if that location data is shared. So when they're looking at data broking activities, when they're looking at passing on of data, what is the impact that that has, and that is definitely reflected in the enforcement discussions that we're seeing; it's reflected in the ANPR, insofar as looking at the different types of data that would be at risk to consumers, looking at what types of data would be created or gathered. And it's also a security concern in some sense: if someone can tell where you are, the worst-case scenario, or at least a high-risk scenario that's often brought up, is let's say you have a stalker who gets a hold of this information, like, what are they going to do? But there are just a lot of pieces that come up there, and so yes, you're right, that is absolutely a recent focus for them.
Priya Keshav:
I mean, what would your advice be for companies in terms of FTC enforcements, what to watch out for and how to prepare? I mean if they're kind of looking at it, if you're a CPO and thinking about the FTC from an enforcement perspective. I don't know whether I asked you a very broad question, but go ahead.
Lauren Kitces:
It's a broad question, but we can have a broad answer and a narrow answer. So, here, I think there's a broad path and there's a narrow path. The broad path is, if the FTC has stated that it's its priority, if the FTC has previously enforced on it, I would say you're kind of on double notice. So it's not just that you should be reading the tea leaves and understanding that you're committing an unfair, deceptive practice. It's that once you have the FTC stepping up and saying this is an unfair and deceptive practice, you then no longer have to just read the tea leaves; you actually have someone in front of you going, excuse me? This is exactly what it is, and there's no question. So to that end, you may still have to interpret whether you fit within an enforced situation or a statement that they have made, but you have a higher likelihood of problems at that point. So, do your checking, figure out whether or not you were running afoul of something that has previously been articulated by the FTC. Beyond that, I would say, just make sure you're thinking about things that may have historically been considered normal or commonplace when looking at this, because considerations are evolving. So, for example, there is a lot of discussion about third-party cookies, ad-based data, all of that right now. That is not a new concept. This has existed for a long time. It's that now there is really starting to be more of an understanding of the ways this can be used; the ways it can be used have grown in volume and purpose, and it is taking everything in a very specific direction of more data sharing in the eyes of the regulator, which in turn is, in the eyes of the regulator, highly not understood, not known, and likely not okay with the consumers. So to that end, what may be an old practice may not necessarily be okay moving forward, and that's a very complicated discussion to have, especially if you're looking at a multi-faceted issue for a company.
We're just keeping in mind that it's not just what's next that may be at issue; it may be something that's already in place as well.
Priya Keshav:
Makes sense. Do you want to talk about what would be within the scope of FTC or what they think is within the scope of FTC from a privacy enforcement standpoint?
Lauren Kitces:
So I think when most people think FTC, most people think consumers, and consumers are a very broad group. But interestingly in the ANPR, and I can't remember, I apologize, which Commissioner or the chair discussed it, but the practice actually, excuse me, it's in the definition of consumer, that's where it is. They define consumer and they specify that it's not just consumer in the sense of someone engaging in the purchase or trade of a sale or good, so what you would normally think of as someone buying or selling something or someone taking part in that type of practice. But they actually also talk about bringing in employees, effectively, workers I believe they call them, because their remit has historically, as they put it, involved enforcement against entities that are harming a company and thereby the employees. So in this instance they're taking a very wide swing at things, and how that will go over, I think it depends on different interpretations of the FTC's remit. But generally most of what we see them doing more often than not is with your commonplace consumer in the sale and goods market type of situation. If these rules were to move forward, they would potentially impact employees and not just your consumer with your lowercase c. That is interesting because, under the California Consumer Privacy Act, soon to be more commonly known, I think, as the California Privacy Rights Act, the business-to-business and employee exemptions will expire on January 1st, 2023. The other four state privacy laws that are out right now all exempt employees. So interestingly, some of what would come up here could really create an impact outside of California for companies that would have to think about that. And that would distinguish it, I think, from a lot of what people are expecting when they think FTC: they think consumer, they think individuals, they don't think employees.
So I think in that sense, they are not testing the boundaries, because there is, I believe, a fair argument. And they have historically worked with employee data sometimes. But in the sense of what's normally thought of, what's contemplated when you're thinking of an enforcement action, most people are not thinking of an employee. So it's interesting here when you're looking at their scope, when looking at what they're trying to do, the scope could be actually quite broad. And so, beyond just the commercial surveillance definition, the person that would be impacted as well.
Priya Keshav:
Any other closing thoughts that you would like to add?
Lauren Kitces:
Well, I think if you have an opinion about this, the best way to share that is to give that opinion to the FTC, and that's not easy necessarily. You have about six weeks, I guess, left to undertake that, and it's certainly a large volume of data. When I was first reading this, I couldn't help but laugh when I saw that the comments were due October 21st. It feels as though someone has a thesis project in college that they have to complete in a very short time frame if you want to give meaningful comments on perhaps a large volume of what's in here, because there's just so much content. But that said, I think the FTC is also welcoming pre-existing content. So if you have a research paper that's already been done, you can share that with them. But I think if you have issues with this, or if you have thoughts about how the FTC can best pursue this, share that with the FTC; that is the purpose of this. Otherwise, I would say keep an eye on the big picture, not just this rulemaking. This rulemaking, it will not be quiet if it moves ahead; it will be very publicly known, and in the meantime there are pursuits at the federal level and also ongoing discussions at state levels for privacy laws and regulations, and so to that end, don't get too caught up on this. But if it does matter to you, now is your time to say something.
Priya Keshav:
Thank you so much for joining me, Lauren. It's always a pleasure to talk to you.
Lauren Kitces:
Thank you so much. Always a pleasure to talk to you as well.