The Federal Trade Commission should consider requiring companies to limit the data they collect from consumers, a group of attorneys general say in a new filing with the agency.
“It is vital that the Commission consider data minimization requirements,” the attorneys general write in a filing led by Massachusetts Attorney General (and governor-elect) Maura Healey, and joined by bipartisan attorneys general from 31 other states and the District of Columbia.
The law enforcement officials say data minimization rules are needed because the current notice-and-choice approach -- which involves using privacy policies to notify people about the collection and use of data, and allowing them to opt out -- is “largely failing consumers.”
The attorneys general -- like other critics of privacy policies -- contend that the documents are not only long and dense, but also often incomplete. The upshot is that even people who take the time to read privacy policies are left in the dark about how their data is used.
The law enforcement officials also point to the FTC's staff report about dark patterns, which said some companies design their interfaces in ways that subvert people's privacy choices.
“The result,” Healey and the others write, “is that consumers are often coerced into sharing more personal data than they otherwise intended to.”
Their comments come in response to the FTC's request for input from the public about potential privacy regulations aimed at curbing so-called “commercial surveillance” -- a phrase the ad industry considers pejorative.
When the FTC initiated the regulatory process, it did so by issuing an “advance notice of proposed rulemaking” -- a 44-page document that requests comments on a broad swath of topics, including online ad targeting.
The agency added in its notice that media reports and public research “suggest that harmful commercial surveillance and lax data security practices may be prevalent and increasingly unavoidable.”
The ad industry has criticized the regulatory initiative, arguing that the FTC lacks authority to issue broad privacy rules. Industry groups also say the FTC gives short shrift to potential benefits of data collection and targeted advertising. Earlier this week, for instance, the Interactive Advertising Bureau argued in its comments that targeted advertising enables companies to offer online content and services. (Privacy advocates have long countered that companies can advertise online without tracking people's behavior across sites.)
For their part, the attorneys general say they are “concerned about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.”
Among other topics flagged to the FTC, the attorneys general sound a warning about persistent identifiers -- including mobile ad identifiers and tracking cookies -- that “monitor consumers across time, space, and platforms.”
“Consumers are rarely aware that these technologies exist or the breadth of data they can collect and transmit,” the officials write.
While those types of identifiers are considered pseudonymous, the attorneys general argue that data compiled through cookies, mobile identifiers and the like can sometimes be linked to known individuals.
“When multiple sets of data intersect, previously ‘anonymized’ but sensitive activity can easily be tied to individuals, increasing the risk of targeted scams, unwanted and persistent advertising, identity theft, and lack of consumer trust in the websites they visit,” they write.
The FTC is accepting comments on through November 21.