FTC Mandating Data Minimization through a Section 5 Unfairness Rulemaking

Unfair data collection practices and surveillance have eroded consumer privacy, and this present and unwanted observation constitutes a substantial injury to consumers. This paper argues that the Federal Trade Commission (FTC) should use its Section 5 unfairness authority to establish a Data Minimization Rule to prohibit all secondary data uses with limited exceptions, ensuring that people can safely use apps and online services without having to take additional action. It also lays out two additional options to consider should the FTC decline to prohibit all secondary uses: prohibit specific secondary data uses, such as behavioral advertising or the use of sensitive data; or mandate a right to opt-out of secondary data use, including through global opt-out controls and databases.

Unwanted Surveillance Harms Consumers

Consumers are constantly tracked: online, through their use of apps, and in the physical world, via cameras and the like. This information reveals consumers’ most sensitive characteristics, including health conditions, sexual orientation, sexual activities, gender, political affiliations, and union membership, and is transferred to hundreds, if not thousands, of different companies, typically without their knowledge or consent.6 The current “notice and choice” regime, in which consumers are expected to read extensive privacy policies and make “all or nothing” decisions about whether to use an online service or app, makes it impossible for consumers to meaningfully participate in the market while protecting their privacy. In many cases, the companies themselves have not decided to whom data will be sold and the purposes for which it will be used. It is impossible for consumers to assess the cost of a loss of control over their personal information, or to determine a value and “trade” their data for goods or services.

Data Minimization Approach by FTC

To supplement this Data Minimization Rule, the FTC should adopt data transparency obligations for the primary use of data; civil rights protections over discriminatory data processing; nondiscrimination rules, so that users cannot be charged for making privacy choices; data security obligations; access; portability; correction; and deletion rights. In addition, the FTC should prohibit the use of dark patterns concerning data processing.

The FTC has wide authority to issue prescriptive rules to forestall business practices that can cause consumer injury. Concerning the judicial interpretation, the courts generally give broad deference to expert agencies’ interpretation of their substantive statutes, and these privacy regulations are likely to withstand First Amendment scrutiny.

Direct Publication Source: https://epic.org/wp-content/uploads/2022/01/CR_Epic_FTCDataMinimization_012522_VF_.pdf