Attorneys General from 33 US states are urging the Federal Trade Commission to take a practical step toward reining in commercial surveillance of consumers and minimize the data companies are authorized to collect.
The letter [PDF] comes in response to the FTC's August announcement that it was seeking public comments on whether or not it should implement federal regulations around unfair or deceptive data collection, storage, analysis, and other practices.
"Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like," FTC chair Lina Khan said in August.
The letter makes the ultimate argument for minimizing data collection, but also suggests how different types of data should be handled. Location, biometric, and medical data are all cited as concerns, and the AGs urge the FTC to develop rules that promote "fairness, transparency and accountability to consumers." Luckily, there are some state laws that already do much of what the AGs want, making it easy to point to examples.
Location data, the AGs argue, is incredibly revealing, even when anonymized, and such data can also be used to discriminate against certain groups through "digital redlining," a process through which companies check users' geographically location.
"California, Connecticut, and Virginia all have laws which protect or restrict the use and collection of location data in some ways," the AGs said.
Consumers are often in the dark about biometric data, which is readily supplied to companies that offer retina, face, and fingerprint scanning technologies. "But consumers are not always aware of when their data is collected, how it is used, or if it is resold for purposes to which they never meaningfully consented," the AGs said.
They note that Illinois and Texas both have laws that, while not banning the capture of biometric data, "provide safeguards and regulate the capture and use of this data in various ways."
Medical data is being leaked by third-party software like tracking pixels, while health-adjacent data that includes anything collected by wearables, smart devices or apps is available online to the highest bidder as no health-adjacent data is covered by HIPAA, the AGs said.
California's Confidentiality of Medical Information Act extends HIPAA coverage to such areas and has already been used to go after bad actors, the AGs said.
- What do the US midterm election results mean for a federal privacy law?
- Google agrees to $391.5m settlement in privacy lawsuit
- Republican senators tell FTC to back off data security, surveillance rules
- Health insurer Medibank's data breach diagnosis keeps getting worse
The letter also touches on the threats presented by data brokers because different sets of anonymized data purchased from different brokers can "easily" be tied to an individual when paired together and used to build larger profiles.
'Reasonable necessity' = less data collected
In their letter, the Attorneys General say that the commercial surveillance industry's prevailing notice-and-choice system of getting consumer consent has largely failed. "The result is that consumers are often coerced into sharing more personal data than they otherwise intended to," the AGs said.
As was the case with specific types of data protection, the AGs said that laws that minimize what data can be collected, and how it can be retained, are already on the books in California, Colorado, Connecticut, Utah, and Virginia. "Each statute mandates that businesses tie and limit the collection of personal data to what is 'reasonably necessary' in relation to specified purposes," the AGs said.
They note that California's law in particular is a good framework to extend into federal law as it goes further than reasonable necessity by adding proportionality and applying the standard to the use, restriction, and sharing of consumer data as well.
"Limiting the collection and retention of data by businesses will also improve consumer data security because businesses will have less data to protect and less data potentially available to threat actors in the event of an incident," the legal eagles said.
The American Civil Liberties Union (ACLU) yesterday published a letter to the FTC on the same topic. It echoed some of the AG group's points, especially saying that any new FTC rules should address practices that disempower and harm consumers, as well as calling out biometric and location data as specific causes of concern.
The ACLU also argues in favor of addressing algorithmic discrimination and other harms stemming from the use of automated decision-making systems, but while calling for regulations protecting data and addressing discrimination, the civil liberties group reaches the same conclusion as the Attorneys General.
"The best protection against consumer data breaches is to minimize the amount of consumer data collected or retained in the first place," the ACLU said.
The comment period for the FTC's notice of proposed rule making closed yesterday. It's unknown how quickly the commission will move to create new regulations. ®