On November 17, 33 state attorneys general (AGs) submitted a comment letter to the Federal Trade Commission (FTC), supporting its contemplated new efforts in the corporate surveillance and data security space. The AGs’ public support for the FTC’s anticipated rulemaking suggests the AGs will continue to focus on data security issues in the coming new year.

On August 22, the FTC released an Advanced Notice of Proposed Rulemaking (FTC-2022-0053-001) through which it invited comments on “whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair and deceptive.”[1] As FTC Chair Lina M. Khan recently explained, “Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts.”[2] She further elaborated, “The growing digitization of our economy — coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used — means that potentially unlawful practices may be prevalent.”[3] Considering these developments, Chair Khan announced that the FTC hopes “to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”[4]

Several state AGs have decided to join the discussion. Led by the AGs for Massachusetts, Connecticut, Illinois, New Jersey, North Carolina, and Oregon, the AGs assert in their November 17 letter: “We, too, are concerned about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.”[5] The AGs explain that they frequently hear from consumers worried about the confidentiality of their personal information, noting that fears of identity theft and data misuse are heightened by the fact that “companies are often collecting more data than they can effectively manage or need to perform their services.”[6] Their submission highlights the heightened sensitivity of certain categories of consumer information, such as location, biometric, and medical data; issues with data brokers and how they surveil consumers; and the topic of how data minimization can help mitigate concerns surrounding data aggregation. Ultimately, the AGs’ letter recommends that the FTC review the states’ own data privacy and security laws, highlighting the laws enacted in California, Colorado, Connecticut, Utah, and Virginia.

Our Take

The AGs’ fulsome response to the FTC’s comment request means the AGs are focused on the developments in the data security and commercial surveillance field. Companies should ensure they follow best practices for data security and retention and think carefully about how they use or sell consumer data to avoid becoming the target of an AG or FTC investigation.

[1] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (Aug. 22, 2022).

[2] Press Release, FTC, “FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices” (Aug. 11, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices.

[3] Id.

[4] Id.

[5] Comment Letter from the Commonwealth of Massachusetts Office of the Attorney General, Commercial Surveillance ANPR, R111004 (Nov. 17, 2022), https://assets.law360news.com/1550000/1550793/ftc-2022-0053-0764_attachment_1.pdf.

[6] Id.