The US Federal Trade Commission announces inquiry into commercial surveillance practices

August 18, 2022

The US Federal Trade Commission (the “FTC”), as close as the US gets to a privacy regulator, has announced an inquiry into the use of surveillance in a commercial context. It is wide-ranging, covering cookies.

The FTC first announced the Proposed Rule Making on Commercial Surveillance on 11 August with “FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices”, which provides:

The Federal Trade Commission today announced it is exploring rules to crack down on harmful commercial surveillance and lax data security. Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. Mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses. The FTC’s Advance Notice of Proposed Rulemaking seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.

“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”

The business of commercial surveillance can incentivize companies to collect vast troves of consumer information, only a small fraction of which consumers proactively share. Companies reportedly surveil consumers while they are connected to the internet – every aspect of their online activity, their family and friend networks, browsing and purchase histories, location and physical movements, and a wide range of other personal details.

Companies use algorithms and automated systems to analyze the information they collect. And they make money by selling information through the massive, opaque market for consumer data, using it to place behavioral ads, or leveraging it to sell more products.  

The FTC is seeking comment on a wide range of concerns about commercial surveillance practices. For example, some companies fail to adequately secure the vast troves of consumer data they collect, putting that information at risk to hackers and data thieves. There is a growing body of evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms.

While very little is known about the automated systems that analyze data companies collect, research suggests that these algorithms are prone to errors, bias, and inaccuracy. As a result, commercial surveillance practices may discriminate against consumers based on legally protected characteristics like race, gender, religion, and age, harming their ability to obtain housing, credit, employment, or other critical needs.

In the last two decades, the FTC has used its existing authority under the FTC Act to bring hundreds of enforcement actions against companies for privacy and data security violations. These include cases involving the sharing of health-related data with third parties, the collection and sharing of sensitive television viewing data for targeted advertising, and the failure to implement reasonable security measures to protect sensitive personal data such as Social Security numbers.

The FTC’s past work, however, suggests that enforcement of the FTC Act alone may not be enough to protect consumers. The FTC’s ability to deter unlawful conduct is limited because the agency generally lacks authority to seek financial penalties for initial violations of the FTC Act. By contrast, rules that establish clear privacy and data security requirements across the board and provide the Commission the authority to seek financial penalties for first-time violations could incentivize all companies to invest more consistently in compliant practices.

Information about how to submit comments on the FTC’s Advance Notice of Proposed Rulemaking is included in the Federal Register notice. The deadline for submitting comments will be 60 days after the notice is published in the Federal Register in the coming days. Submitted comments will be posted to

The FTC followed up with another, “FTC undertakes inquiry into commercial surveillance practices and wants your insights”, which provides:

Commercial surveillance refers to the pervasive collection, tracking, and monetization of personal data. It’s an enterprise that has proven astonishingly lucrative for platforms and other businesses, but often thrives in the shadows without the knowledge of the consumers whose personal information is their stock-in-trade. The FTC has announced an Advance Notice of Proposed Rulemaking – and a September 8, 2022, virtual public forum – to take a closer look into harmful commercial surveillance practices and lax data security. We want your input into the prevalence of those practices and ways to address potential harms to consumers.

Consider cookies that track people’s every online move and apps that collect vast quantities of data unrelated to the service they provide. Next, factor in the extent to which companies compile information about people’s location, purchases, browsing history, race, gender, or age in critical areas like health, finance, and education – data deserving of exacting privacy and security measures. Now overlay those collection practices with the murky but flourishing marketplaces where that information is combined, shared, and monetized, and the contours of the issue begin to take shape.

For decades, the FTC has used Section 5’s prohibition on unfair or deceptive practices to challenge a wide variety of privacy- and security-related conduct. For example, we’ve brought cases against companies that have shared health-related data with third parties, disclosed consumers’ financial information in retaliation for negative online reviews, sold “stalkerware” that let buyers secretly monitor another person’s online activity or physical location, and created and sold advertising dossiers of individual consumers’ TV-viewing habits. We’ve also taken action against companies whose lax security practices allowed third parties to steal – and misuse – consumers’ personal information.

But is law enforcement enough to protect consumers? The explosive growth in the information collection economy suggests it’s time to take an in-depth assessment of how commercial surveillance affects the day-to-day lives of consumers and whether the current consumer protection set-up is sufficient to protect them from harm.
