The FTC clamps down on commercial surveillance

Ann Kristin Glenster, senior advisor on technology law and governance, University of Cambridge Minderoo Centre for Technology and Democracy.

Regulatory change often seems as slow and inevitable as the shift of tectonic plates. The U.S. Federal Trade Commission’s (FTC) long-awaited steps towards new trade regulation rules on commercial surveillance illustrate this trope.

An absence of robust regulation has enabled the rapid growth of a ubiquitous data economy, fuelled by the collection and commodification of Americans’ personal information. In the process, commercial surveillance has become inescapable.

Over the last decade, alarm bells warning of the impact of this unregulated economy on consumers have steadily grown louder. Some have warned of dark patterns and nefarious user interface designs to manipulate consumers. Others have warned of individuals’ diminishing autonomy as online experiences are personalised, leading to fewer instances of truly free choice. The result is that consumer trust is seeping away, raising concerns for the future of the data economy.

The FTC already has a history of enforcement actions against individual companies for deceptive and unfair online practices. However, the Commission’s overall response to commercial surveillance has been sluggish so far. But the FTC’s consultation announced in August 2022 may change that. The question no longer seems to be whether new trade regulation rules will be adopted, but how they will be conceptualised.

The hope is that new regulations will restore faith in the data economy, for example, by handing greater control over personal information back to the consumer through bolstered use of consent. This will not be a simple task, as what constitutes consent is notoriously difficult to pin down. Despite its normative attractions, ultimately, relying solely on consent to redress the power balance in favour of consumers is unrealistic and unfair. It would be pitting David against Goliath in a battle where David is bound to lose.

Another avenue that is being considered is the adoption of parts of the European Union’s (EU) comprehensive data protection regime set out in the General Data Protection Regulation (GDPR). Specifically, the FTC is considering some of the data processing principles in Article 5 of the GDPR, such as transparency, data minimisation, purpose limitation, and duration limitation.

The terminology used in the FTC’s consultation may be lifted from the EU, but it is worth remembering that these principles are already embedded in the American regulatory landscape as the Fair Information Practices (FIPs), which were recommended to Congress by a U.S. government committee back in 1973. There is, however, a crucial difference between the European data processing principles and the American FIPs - only the former are legally binding.

With the exception of the landmark Privacy Act of 1974, Congress did not adopt the 1973 recommendations for legislation. Instead, it followed the recommendations of the later Privacy Protection Study Commission (PPSC) in 1977. According to the PPSC, the FIPs should be voluntary, which so far has also been the stance adopted by the FTC in its policy on what it terms the Fair Information Practices Principles (FIPPs), which were issued in 1998. Consequently, paying little more than lip service to the FIPPs, big tech has been allowed to harvest and monetise U.S. users’ personal information with impunity. This may be about to change.

The FTC’s consultation suggests that the Commission is finally prepared to tackle commercial surveillance on a systemic level. New trade regulation rules would be designed to regain the public’s trust in the data economy by reassuring American consumers that their personal information would only be processed according to some binding principles, whether these be the EU’s data processing principles or the FTC’s own version of the FIPs.

New trade regulation rules are long overdue. Once implemented and if successful, they may provoke a seismic shift in the data economy that will benefit American consumers. However, there is still a long road ahead, and in the meantime, American consumers will continue to be subjected to rampant commercial surveillance.