October 24, 2022
This summer, the Federal Trade Commission announced that it would be evaluating possible rules to better “crack down” on harmful commercial surveillance and inadequate data security. To that end, the Commission sought public comment on a variety of issues and concerns about commercial surveillance practices.
In response to the Commission’s request, IDAC submitted a letter highlighting the following areas where we believe further action by the Commission would help address challenges to digital consumer protection:
1. Collaborate with civil society watchdogs to stop harm before it becomes a law enforcement problem. There is a critical role for tech-savvy civil society watchdogs, academics, and journalists to identify and resolve risks and harms early to prevent consumer harm before it occurs or before impact is widespread. Greater attention and resources should be spent on giving concrete guidance to developers, ensuring compliance with best practices, monitoring ongoing behavior, and resolving noncompliance quickly before widespread harm occurs. To advance this goal, the Commission should form a multistakeholder task force to catalyze and support upstream efforts by civil society groups that can help advance the Commission’s consumer protection mission.
2. Increase protections for sensitive health data not covered by HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) provides protections for only a subset of sensitive user health information. The intimate details of a user’s health and wellbeing that are collected by apps relating to sexual wellness, reproduction, mental health care, fitness, and weight loss fall into a nebulous gap in consumer protections that may leave users vulnerable. The Commission should broaden its definitions of health data and take urgent steps to create rules and standards for safeguarding sensitive health information that falls outside of HIPAA.
3. The Commission should work with the Federal Election Commission (“FEC”) to identify and resolve any gaps in data protection that relate to campaign activities before the 2024 presidential campaign. In recent campaign cycles around the world, the data practices of political candidates, parties, and political action committees have come under increasing scrutiny. In particular, journalists, scholars, and civil society groups have raised concerns about the possible effects of campaign practices that seek to collect geolocation information, persistent identifiers, the contact information of users’ social networks, and other identifying data that users did not know is being shared. Now that the FEC has a quorum, the Commission and the FEC should coordinate to determine their relative jurisdictional responsibilities with respect to the 2024 presidential elections and take proactive steps to prevent data misuse by 2024 campaigns.
4. The Commission should take further steps to protect consumers against overcollection of location data. IDAC investigations have repeatedly shown widespread over-collection of precise user location data, which is often sold to third parties for a substantial profit in what has become a multi-billion dollar market for users’ location data. Location data is particularly sensitive because of what it reveals about a user, including their hobbies, lifestyle choices, and habits. The Commission should use its Section 18 rulemaking authority to define the sale, transfer, use, or purchase of precise location data collected by an app for purposes other than the essential function of the app as an “unfair act or practice.”
5. The Commission should take further steps to regulate dark patterns. Dark patterns have only one purpose: to serve as a digital trap door to deter consumers from making rational choices about their personal data at the point where it is most impactful to do so. The Commission should use the full measure of its authority to put the digital ecosystem on notice that dark patterns will be closely scrutinized for violations of federal law; issue clear guidelines for companies designing user interfaces for privacy choices; encourage investigators, researchers and civil society groups to share findings with the Commission to develop the record for bringing actions and issuing guidance; and, investigate and take action against companies that use dark practices to thwart consumers’ ability to opt-out of tracking and data collection.
6. The Commission should take further steps to protect children online while ensuring safe access to the transformative possibilities of technology to help children learn and thrive. In the past 20 years, despite the drastic changes in the social media landscape and online presence of children, there have not been changes to federal laws regarding the protection of children online. Congress should update the Children’s Online Privacy Protection Act (COPPA), but in the meantime, the Commission should make protecting children online a greater priority, while maintaining focus on the need to avoid overly blunt measures that have the unintended effect of blocking children’s access to the transformational opportunities offered by digital education and engagement.
IDAC will continue to monitor digital privacy developments at both the state and federal levels, and we welcome your input going forward.