10/13/2022

FTC Request Comment Data Security

 


6750-01-P FEDERAL TRADE COMMISSION 16 CFR Part 464 Trade Regulation Rule on Commercial Surveillance and Data Security 

Federal Trade Commission. 


ACTION: Advance notice of proposed rulemaking; request for public comment; public forum.

publishing this advance notice of proposed rulemaking (“ANPR”) to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. Specifically, the Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. 

DATES: Comments must be received on or before [60 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. The Public Forum will be held virtually on Thursday, September 8, 2022, from 2 p.m. until 7:30 p.m. Members of the public are invited to attend at the website https://www.ftc.gov/news-events/events/2022/09/commercial-surveillancedata-security-anpr-public-forum. 


ADDRESSES: Interested parties may file a comment online or on paper by following the instructions in the Comment Submissions part of the SUPPLEMENTARY INFORMATION section below. Write “Commercial Surveillance ANPR, R111004” on your comment, and file your comment online at https://www.regulations.gov. If you prefer to file your comment on 1 paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue, NW, Suite CC-5610 (Annex B), Washington, DC 20580. FOR FURTHER INFORMATION CONTACT: James Trilling, 202-326-3497; Peder Magee, 202-326-3538; Olivier Sylvain, 202-326-3046; or commercialsurveillancerm@ftc.gov. I. Overview Whether they know it or not, most Americans today surrender their personal information to engage in the most basic aspects of modern life. When they buy groceries, do homework, or apply for car insurance, for example, consumers today likely give a wide range of personal information about themselves to companies, including their movements,1 prayers,2 friends, 3 menstrual cycles, 4 web-browsing,5 and faces,6 among other basic aspects of their lives. 1 See, e.g., Press Release, Fed. Trade Comm’n, Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission (June 22, 2016), https://www.ftc.gov/newsevents/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked. See also Stuart A. Thompson & Charlie Warzel, Twelve Million Phones, One Dataset, Zero Privacy, N.Y. Times (Dec. 19, 2019), https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html; Jon Keegan & Alfred Ng, There’s a Multibillion-Dollar Market for Your Phone’s Location Data, The Markup (Sept. 30, 2021), https://themarkup.org/privacy/2021/09/30/theres-a-multibillion-dollar-market-for-your-phones-location-data; Ryan Nakashima, AP Exclusive: Google Tracks Your Movements, Like It or Not, Associated Press (Aug. 13, 2018), https://apnews.com/article/north-america-science-technology-business-ap-top-news828aefab64d4411bac257a07c1af0ecb. 2 See, e.g., Joseph Cox, How the U.S. Military Buys Location Data from Ordinary Apps, Motherboard (Nov. 16, 2020), https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x. 3 See, e.g., Press Release, Fed. Trade Comm’n, Path Social Networking App Settles FTC Charges It Deceived Consumers and Improperly Collected Personal Information from Users’ Mobile Address Books (Feb. 1, 2013), https://www.ftc.gov/news-events/press-releases/2013/02/path-social-networking-app-settles-ftc-charges-it-deceived. 4 See, e.g., Press Release, Fed. Trade Comm’n, FTC Finalizes Order with Flo Health, a Fertility-Tracking App that Shared Sensitive Health Data with Facebook, Google, and Others (June 22, 2021), https://www.ftc.gov/newsevents/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared. 5 See, e.g., Fed. Trade Comm’n, A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers: An FTC Staff Report (Oct. 21, 2021), https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practicessix-major-internet-service-providers/p195402_isp_6b_staff_report.pdf. 6 See, e.g., Press Release, Fed. Trade Comm’n, FTC Finalizes Settlement with Photo App Developer Related to Misuse of Facial Recognition Technology (May 7, 2021), https://www.ftc.gov/news-events/pressreleases/2021/05/ftc-finalizes-settlement-photo-app-developer-related-misuse. See also Tom Simonite, Face Recognition Is Being Banned—but It’s Still Everywhere, Wired (Dec. 22, 2021), https://www.wired.com/story/facerecognition-banned-but-everywhere/. 2 Companies, meanwhile, develop and market products and services to collect and monetize this data. An elaborate and lucrative market for the collection, retention, aggregation, analysis, and onward disclosure of consumer data incentivizes many of the services and products on which people have come to rely. Businesses reportedly use this information to target services—namely, to set prices,7 curate newsfeeds,8 serve advertisements,9 and conduct research on people’s behavior,10 among other things. While, in theory, these personalization practices have the potential to benefit consumers, reports note that they have facilitated consumer harms that can be difficult if not impossible for any one person to avoid.11 7 See, e.g., Casey Bond, Target Is Tracking You and Changing Prices Based on Your Location, Huffington Post (Feb. 24, 2022), https://www.huffpost.com/entry/target-tracking-location-changingprices_l_603fd12bc5b6ff75ac410a38; Maddy Varner & Aaron Sankin, Suckers List: How Allstate’s Secret Auto Insurance Algorithm Squeezes Big Spenders, The MarkUp (Feb. 25, 2020), https://themarkup.org/allstatesalgorithm/2020/02/25/car-insurance-suckers-list. See generally Executive Office of the President of the United States, Big Data and Differential Pricing, at 2, 12-13 (Feb. 2015), https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/docs/Big_Data_Report_Nonembargo_v2. pdf. 8 See, e.g., Will Oremus et al., Facebook under fire: How Facebook shapes your feed: The evolution of what posts get top billing on users’ news feeds, and what gets obscured, Wash. Post (Oct. 26, 2021), https://www.washingtonpost.com/technology/interactive/2021/how-facebook-algorithm-works/. 9 See, e.g., Nat Ives, Facebook Ad Campaign Promotes Personalized Advertising, Wall. St. J. (Feb. 25, 2021), https://www.wsj.com/articles/facebook-ad-campaign-promotes-personalized-advertising-11614261617. 10 See, e.g., Elise Hu, Facebook Manipulates Our Moods for Science and Commerce: A Roundup, NPR (June 30, 2014), https://www.npr.org/sections/alltechconsidered/2014/06/30/326929138/facebook-manipulates-our-moodsfor-science-and-commerce-a-roundup. 11 See, e.g., Matthew Hindman et al., Facebook Has a Superuser-Supremacy Problem, The Atlantic (Feb. 10, 2022), https://www.theatlantic.com/technology/archive/2022/02/facebook-hate-speech-misinformation-superusers/621617/; Consumer Protection Data Spotlight, Fed. Trade Comm’n, Social Media a Gold Mine for Scammers in 2021 (Jan. 25, 2022), https://www.ftc.gov/news-events/blogs/data-spotlight/2022/01/social-media-gold-mine-scammers-2021; Jonathan Stempel, Facebook Sued for Age, Gender Bias in Financial Services Ads, Reuters (Oct. 31, 2019), https://www.reuters.com/article/us-facebook-lawsuit-bias/facebook-sued-for-age-gender-bias-in-financial-servicesads-idUSKBN1XA2G8; Karen Hao, Facebook’s Ad Algorithms Are Still Excluding Women from Seeing Jobs, MIT Tech. Rev. (Apr. 9, 2021), https://www.technologyreview.com/2021/04/09/1022217/facebook-ad-algorithm-sexdiscrimination; Corin Faife & Alfred Ng, Credit Card Ads Were Targeted by Age, Violating Facebook’s AntiDiscrimination Policy, The MarkUp (Apr. 29, 2021), https://themarkup.org/citizen-browser/2021/04/29/credit-cardads-were-targeted-by-age-violating-facebooks-anti-discrimination-policy. Targeted behavioral advertising is not the only way in which internet companies automate advertising at scale. Researchers have found that contextual advertising may be as cost-effective as targeting, if not more so. See, e.g., Keach Hagey, Behavioral Ad Targeting Not Paying Off for Publishers, Study Suggests, Wall St. J. (May 29, 2019), https://www.wsj.com/articles/behavioralad-targeting-not-paying-off-for-publishers-study-suggests-11559167195 (discussing Veronica Marotta et al., Online Tracking and Publishers’ Revenues: An Empirical Analysis (2019), https://weis2019.econinfosec.org/wpcontent/uploads/sites/6/2019/05/WEIS_2019_paper_38.pdf). 3 Some companies, moreover, reportedly claim to collect consumer data for one stated purpose but then also use it for other purposes.12 Many such firms, for example, sell or otherwise monetize such information or compilations of it in their dealings with advertisers, data brokers, and other third parties.13 These practices also appear to exist outside of the retail consumer setting. Some employers, for example, reportedly collect an assortment of worker data to evaluate productivity, among other reasons14—a practice that has become far more pervasive since the onset of the COVID-19 pandemic.15 Many companies engage in these practices pursuant to the ostensible consent that they obtain from their consumers.16 But, as networked devices and online services become essential to navigating daily life, consumers may have little choice but to accept the terms that firms 12 See, e.g., Drew Harvell, Is Your Pregnancy App Sharing Your Intimate Data with Your Boss?, Wash. Post (Apr. 10, 2019), https://www.washingtonpost.com/technology/2019/04/10/tracking-your-pregnancy-an-app-may-be-morepublic-than-you-think/; Jon Keegan & Alfred Ng, The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users, The MarkUp (Dec. 6, 2021), https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-onits-tens-of-millions-of-user. 13 See, e.g., Fed. Trade Comm’n, Data Brokers: A Call for Transparency and Accountability (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federaltrade-commission-may-2014/140527databrokerreport.pdf. See also, e.g., Press Release, Fed. Trade Comm’n, FTC Puts an End to Data Broker Operation that Helped Scam More Than $7 Million from Consumers’ Accounts (Nov. 30, 2016), https://www.ftc.gov/news-events/press-releases/2016/11/ftc-puts-end-data-broker-operation-helpedscam-more-7-million; Press Release, Fed. Trade Comm’n, Data Broker Defendants Settle FTC Charges They Sold Sensitive Personal Information to Scammers (Feb. 18, 2016), https://www.ftc.gov/news-events/pressreleases/2016/02/data-broker-defendants-settle-ftc-charges-they-sold-sensitive. 14 See, e.g., Drew Harwell, Contract Lawyers Face a Growing Invasion of Surveillance Programs That Monitor Their Work, Wash. Post (Nov. 11, 2021), https://www.washingtonpost.com/technology/2021/11/11/lawyer-facialrecognition-monitoring/; Annie Palmer, Amazon Is Rolling Out Cameras That Can Detect If Warehouse Workers Are Following Social Distancing Rules, CNBC (June 16, 2020), https://www.cnbc.com/2020/06/16/amazon-usingcameras-to-enforce-social-distancing-rules-at-warehouses.html; Sarah Krouse, How Google Spies on Its Employees, The Information (Sept. 23, 2021), https://www.theinformation.com/articles/how-google-spies-on-its-employees; Adam Satariano, How My Boss Monitors Me While I Work From Home, N.Y. Times (May 6, 2020), https://www.nytimes.com/2020/05/06/technology/employee-monitoring-work-from-home-virus.html. 15 See, e.g., Danielle Abril & Drew Harwell, Keystroke tracking, screenshots, and facial recognition: The box may be watching long after the pandemic ends, Wash. Post (Sept. 24, 2021), https://www.washingtonpost.com/technology/2021/09/24/remote-work-from-home-surveillance/. 16 See Tr. of FTC Hr’g, The FTC’s Approach to Consumer Privacy (Apr. 9, 2019), at 50, https://www.ftc.gov/system/files/documents/public_events/1418273/ftc_hearings_session_12_transcript_day_1_4-9- 19.pdf (remarks of Paul Ohm). See also Fed. Trade Comm’n, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress 26 (May 2000), https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-fair-information-practices-electronicmarketplace-federal-trade-commission-report/privacy2000.pdf. 4 offer.17 Reports suggest that consumers have become resigned to the ways in which companies collect and monetize their information, largely because consumers have little to no actual control over what happens to their information once companies collect it.18 In any event, the permissions that consumers give may not always be meaningful or informed. Studies have shown that most people do not generally understand the market for consumer data that operates beyond their monitors and displays.19 Most consumers, for example, know little about the data brokers and third parties who collect and trade consumer data or build consumer profiles20 that can expose intimate details about their lives and, in the wrong hands, could expose unsuspecting people to future harm.21 Many privacy notices that acknowledge such risks are reportedly not readable to the average consumer.22 Many consumers do not have the 17 See Tr. of FTC Hr’g, The FTC’s Approach to Consumer Privacy (Apr. 10, 2019), at 129, https://www.ftc.gov/system/files/documents/public_events/1418273/ftc_hearings_session_12_transcript_day_2_4- 10-19.pdf (remarks of FTC Commissioner Rebecca Kelly Slaughter, describing privacy consent as illusory because consumers often have no choice other than to consent in order to reach digital services that have become necessary for participation in contemporary society). 18 See Joe Nocera, How Cookie Banners Backfired, N.Y. Times (Jan. 29, 2022), https://www.nytimes.com/2022/01/29/business/dealbook/how-cookie-banners-backfired.html (discussing concept of “digital resignation” developed by Nora Draper and Joseph Turow). See also Nora A. Draper & Joseph Turow, The Corporate Cultivation of Digital Resignation, 21 New Media & Soc’y 1824-39 (2019). 19 See Neil Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96 Wash. U. L. Rev. 1461, 1477-78, 1498-1502 (2019); Daniel J. Solove, Introduction: Privacy Self-Management and the Consent Dilemma, 126 Harv. L. Rev. 1879, 1885-86 (2013) (“Solove Privacy Article”). 20 See generally Fed. Trade Comm’n, Data Brokers: A Call for Transparency and Accountability (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federaltrade-commission-may-2014/140527databrokerreport.pdf. 21 See, e.g., Press Release, Fed. Trade Comm’n, FTC Puts an End to Data Broker Operation that Helped Scam More Than $7 Million from Consumers’ Accounts (Nov. 30, 2016), https://www.ftc.gov/news-events/pressreleases/2016/11/ftc-puts-end-data-broker-operation-helped-scam-more-7-million; Press Release, Fed. Trade Comm’n, Data Broker Defendants Settle FTC Charges They Sold Sensitive Personal Information to Scammers (Feb. 18, 2016), https://www.ftc.gov/news-events/press-releases/2016/02/data-broker-defendants-settle-ftc-charges-theysold-sensitive; FTC v. Accusearch, 570 F.3d 1187, 1199 (10th Cir. 2009). See also Molly Olmstead, A Prominent Priest Was Outed for Using Grindr. Experts Say It’s a Warning Sign, Slate (July 21, 2021), https://slate.com/technology/2021/07/catholic-priest-grindr-data-privacy.html. 22 See Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Res. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americansand-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/. See also Solove Privacy Article, 126 Harv. L. Rev. at 1885; Aleecia M. McDonald & Lorrie Faith Cranor, The Cost of Reading Privacy Policies, 4 I/S J. of L. & Pol’y for Info. Society 543 (2008); Irene Pollach, What’s Wrong with Online Privacy Policies?, 50 Comm’s ACM 103 (2007). 5 time to review lengthy privacy notices for each of their devices, applications, websites, or services,23 let alone the periodic updates to them. If consumers do not have meaningful access to this information, they cannot make informed decisions about the costs and benefits of using different services.24 This information asymmetry between companies and consumer runs even deeper. Companies can use the information that they collect to direct consumers’ online experiences in ways that are rarely apparent—and in ways that go well beyond merely providing the products or services for which consumers believe they sign up.25 The Commission’s enforcement actions have targeted several pernicious dark pattern practices, including burying privacy settings behind multiple layers of the user interface26 and making misleading representations to “trick or trap” consumers into providing personal information.27 In other instances, firms may misrepresent or fail to communicate clearly how they use and protect people’s data.28 Given the reported scale and pervasiveness of such practices, individual consumer consent may be irrelevant. 23 Kevin Litman-Navarro, We Read 150 Privacy Policies. They Were an Incomprehensible Disaster, N.Y. Times (2019), https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html; Alexis C. Madrigal, Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days, The Atlantic (Mar. 1, 2012), https://www.theatlantic.com/technology/archive/2012/03/reading-theprivacy-policies-you-encounter-in-ayear-would-take-76-work-days/253851/. See also FTC Comm’r Rebecca Kelly Slaughter, Wait But Why? Rethinking Assumptions About Surveillance Advertising: IAPP Privacy Security Risk Closing Keynote (“Slaughter Keynote”) (Oct. 22, 2021), at 4, https://www.ftc.gov/system/files/documents/public_statements/1597998/iapp_psr_2021_102221_final2.pdf. 24 See FTC Comm’r Christine S. Wilson, A Defining Moment for Privacy: The Time is Ripe for Federal Privacy Legislation, Remarks at the Future of Privacy Forum (Feb. 6, 2020), https://www.ftc.gov/newsevents/news/speeches/remarks-commissioner-christine-s-wilson-future-privacy-forum. 25 See generally Ryan Calo & Alex Rosenblat, The Taking Economy: Uber, Information, and Power, 117 Colum. L. Rev. 1623 (2017); Ryan Calo, Digital Market Manipulation, 82 Geo. Wash. L. Rev. 995 (2014). 26 See Press Release, Fed. Trade Comm’n, Facebook Settles FTC Charges That It Deceived Consumers by Failing to Keep Privacy Promises (Nov. 29, 2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settlesftc-charges-it-deceived-consumers-failing-keep. 27 See Press Release, Fed. Trade Comm’n, FTC Takes Action against the Operators of Copycat Military Websites (Sept. 6, 2018), https://www.ftc.gov/news-events/press-releases/2018/09/ftc-takes-action-against-operators-copycatmilitary-websites. 28 See generally infra Item III(a). 6 The material harms of these commercial surveillance practices may be substantial, moreover, given that they may increase the risks of cyberattack by hackers, data thieves, and other bad actors. Companies’ lax data security practices may impose enormous financial and human costs. Fraud and identity theft cost both businesses and consumers billions of dollars, and consumer complaints are on the rise.29 For some kinds of fraud, consumers have historically spent an average of 60 hours per victim trying to resolve the issue.30 Even the nation’s critical infrastructure is at stake, as evidenced by the recent attacks on the largest fuel pipeline,31 meatpacking plants,32 and water treatment facilities33 in the United States. Companies’ collection and use of data have significant consequences for consumers’ wallets, safety, and mental health. Sophisticated digital advertising systems reportedly automate the targeting of fraudulent products and services to the most vulnerable consumers.34 Stalking apps continue to endanger people.35 Children and teenagers remain vulnerable to cyber bullying, cyberstalking, and the distribution of child sexual abuse material.36 Peer-reviewed research has 29 Press Release, Fed. Trade Comm’n, New Data Shows FTC Received 2.8 Million Fraud Reports from Consumers in 2021 (Feb. 22, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/02/new-data-shows-ftcreceived-28-million-fraud-reports-consumers-2021-0. 30 Fed. Trade Comm’n, Identity Theft Survey Report (Sept. 2003), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-identity-theftprogram/synovatereport.pdf. 31 William Turton & Kartikay Mehrotra, Hackers Breached Colonial Pipeline Using Compromised Password, Bloomberg (June 4, 2021), https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-usingcompromised-password. 32 Dan Charles, The Food Industry May Be Finally Paying Attention To Its Weakness To Cyberattacks, NPR (July 5, 2021), https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-itsweakness-to-cyberattack. 33 Josh Margolin & Ivan Pereira, Outdated Computer System Exploited in Florida Water Treatment Plant Hack, ABC News (Feb. 11, 2021), https://abcnews.go.com/US/outdated-computer-system-exploited-florida-watertreatment-plant/story?id=75805550. 34 See, e.g., Zeke Faux, How Facebook Helps Shady Advertisers Pollute the Internet, Bloomberg (Mar. 27, 2019), https://www.bloomberg.com/news/features/2018-03-27/ad-scammers-need-suckers-and-facebook-helps-find-them (noting an affiliate marketer’s claim that Facebook ‘s ad system “find[s] the morons for me”). 35 See Consumer Advice, Fed. Trade Comm’n, Stalking Apps: What to Know (May 2021), https://consumer.ftc.gov/articles/stalking-apps-what-know. 36 See Ellen M. Selkie, Jessica L. Fales, & Megan A. Moreno, Cyberbullying Prevalence Among U.S. Middle and High School-Aged Adolescents: A Systematic Review and Quality Assessment, 58 J. Adolescent Health 125 (2016); Fed. Trade Comm’n, Parental Advisory: Dating Apps (May 6, 2019), https://consumer.ftc.gov/consumer7 linked social media use with depression, anxiety, eating disorders, and suicidal ideation among kids and teens.37 Finally, companies’ growing reliance on automated systems is creating new forms and mechanisms for discrimination based on statutorily protected categories,38 including in critical alerts/2019/05/parental-advisory-dating-apps; Subcommittee on Consumer Protection, Product Safety, and Data Security, U.S. Senate Comm. on Com., Sci. & Transp., Hearing, Protecting Kids Online: Internet Privacy and Manipulative Marketing (May 18, 2021), https://www.commerce.senate.gov/2021/5/protecting-kids-online-internetprivacy-and-manipulative-marketing; Aisha Counts, Child Sexual Abuse Is Exploding Online. Tech’s Best Defenses Are No Match., Protocol (Nov. 12, 2021), https://www.protocol.com/policy/csam-child-safety-online. 37 See, e.g., Elroy Boers et al., Association of Screen Time and Depression in Adolescence, 173 JAMA Pediatr. 9 (2019) at 857 (“We found that high mean levels of social media over 4 years and any further increase in social media use in the same year were associated with increased depression.”); Hugues Sampasa-Kanyinga & Rosamund F. Lewis, Frequent Use of Social Networking Sites Is Associated with Poor Psychological Functioning Among Children and Adolescents, 18 Cyberpsychology, Behavior, and Social Networking 7 (2015) at 380 (“Daily [social networking site] use of more than 2 hours was. . . independently associated with poor self-rating of mental health and experiences of high levels of psychological distress and suicidal ideation.”); Jean M. Twenge et al., Increases in Depressive Symptoms, Suicide-Related Outcomes, and Suicide Rates Among U.S. Adolescents After 2010 and Links to Increased New Media Screen Time, 6 Clinical Psychological Sci. 1 (2018) at 11 (“[A]dolescents using social media sites every day were 13% more likely to report high levels of depressive symptoms than those using social media less often.”); H.C. Woods & H. Scott, #Sleepyteens: Social Media Use in Adolescence is Associated with Poor Sleep Quality, Anxiety, Depression, and Low Self-Esteem, 51 J. of Adolescence 41-9 (2016) at 1 (“Adolescents who used social media more . . . experienced poorer sleep quality, lower self-esteem and higher levels of anxiety and depression.”); Simon M. Wilksch et al., The relationship between social media use and disordered eating in young adolescents, 53 Int’l J. of Eating Disorders 1 at 96 (“A clear pattern of association was found between [social media] usage and [disordered eating] cognitions.”). 38 A few examples of where automated systems may have produced disparate outcomes include inaccuracies and delays in the delivery of child welfare services for the needy; music streaming services that are more likely to recommend men than women; gunshot detection software that mistakenly alerts local police when people light fireworks in majority-minority neighborhoods; search engine results that demean black women; and face recognition software that is more likely to misidentify dark-skinned women than light-skinned men. See Joy Buolamwini & Timnit Gebru, Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification, 81 Proc. of Mach. Learning Res. (2018); Latanya Sweeney, Discrimination in Online Ad Delivery: Google Ads, Black Names and White Names, Racial Discrimination, and Click Advertising, 11 Queue 10, 29 (Mar. 2013); Muhammad Ali et al., Discrimination Through Optimization: How Facebook’s Ad Delivery Can Lead to Skewed Outcomes, 3 Proc. ACM on Hum.-Computer Interaction (2019); Virginia Eubanks, Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor (2018); Andres Ferraro, Xavier Serra, & Christine Bauer, Break the Loop: Gender Imbalance in Music Recommenders, CHIIR ’21: Proceedings of the 2021 Conference on Human Information Interaction and Retrieval, 249-254 (Mar. 2021), https://dl.acm.org/doi/proceedings/10.1145/3406522. See generally Anita Allen, Dismantling the “Black Opticon”: Privacy, Race, Equity, and Online Data-Protection Reform, 131 Yale L. J. Forum 907 (2022), https://www.yalelawjournal.org/pdf/F7.AllenFinalDraftWEB_6f26iyu6.pdf; Safiya Umoja Noble, Algorithms of Oppression: How Search Engines Reinforce Racism (2018); Danielle Citron, Hate Crimes in Cyberspace (2014). 8 areas such as housing,39 employment,40 and healthcare.41 For example, some employers’ automated systems have reportedly learned to prefer men over women.42 Meanwhile, a recent investigation suggested that lenders’ use of educational attainment in credit underwriting might disadvantage students who attended historically Black colleges and universities.43 And the Department of Justice recently settled its first case challenging algorithmic discrimination under the Fair Housing Act for a social media advertising delivery system that unlawfully discriminated based on protected categories.44 Critically, these kinds of disparate outcomes may arise even when automated systems consider only unprotected consumer traits. 45 39 See Ny Magee, Airbnb Algorithm Linked to Racial Disparities in Pricing, The Grio (May 13, 2021), https://thegrio.com/2021/05/13/airbnb-racial-disparities-in-pricing/; Emmanuel Martinez & Lauren Kirchner, The Secret Bias Hidden in Mortgage-Approval Algorithms, ABC News & The MarkUp (Aug. 25, 2021), https://abcnews.go.com/Business/wireStory/secret-bias-hidden-mortgage-approval-algorithms-79633917. See generally Fed. Trade Comm’n, Accuracy in Consumer Reporting Workshop (Dec. 10, 2019), https://www.ftc.gov/news-events/events-calendar/accuracy-consumer-reporting-workshop. See also Alex P. Miller & Kartik Hosanagar, How Targeted Ads and Dynamic Pricing Can Perpetuate Bias, Harv. Bus. Rev. (Nov. 8, 2019), https://hbr.org/2019/11/how-targeted-ads-and-dynamic-pricing-can-perpetuate-bias. 40 See Ifeoma Ajunwa, The “Black Box” at Work, Big Data & Society (Oct. 19, 2020), https://journals.sagepub.com/doi/full/10.1177/2053951720938093. 41 See Donna M. Christensen et al., Medical Algorithms are Failing Communities of Color, Health Affs. (Sept. 9, 2021), https://www.healthaffairs.org/do/10.1377/hblog20210903.976632/full/; Heidi Ledford, Millions of Black People Affected by Racial Bias in Health-Care Algorithms, Nature (Oct. 24, 2019), https://www.nature.com/articles/d41586-019-03228-6/. 42 Jeffrey Dastin, Amazon scraps secret AI recruiting tool that showed bias against women, Reuters (Oct. 10, 2018), https://www.reuters.com/article/us-amazon-com-jobs-automation-insight/amazon-scraps-secret-ai-recruiting-toolthat-showed-bias-against-women-idUSKCN1MK08G; Dave Gershgorn, Companies are on the hook if their hiring algorithms are biased, Quartz (Oct. 22, 2018), https://qz.com/1427621/companies-are-on-the-hook-if-their-hiringalgorithms-are-biased/. 43 Katherine Welbeck & Ben Kaufman, Fintech Lenders’ Responses to Senate Probe Heighten Fears of Educational Redlining, Student Borrower Prot. Ctr. (July 31, 2020), https://protectborrowers.org/fintech-lenders-response-tosenate-probe-heightens-fears-of-educational-redlining/. This issue is currently being investigated by the company and outside parties. Relman Colfax, Fair Lending Monitorship of Upstart Network’s Lending Model, https://www.relmanlaw.com/cases-406. 44 Compl., United States v. Meta Platforms, Inc., No. 22-05187 (S.D.N.Y. filed June 21, 2022), https://www.justice.gov/usao-sdny/press-release/file/1514051/download; Settlement Agreement, United States v. Meta Platforms, Inc., No. 22-05187 (S.D.N.Y. filed June 21, 2022), https://www.justice.gov/crt/casedocument/file/1514126/download. 45 Andrew Selbst, A New HUD Rule Would Effectively Encourage Discrimination by Algorithm, Slate (Aug. 19, 2019), https://slate.com/technology/2019/08/hud-disparate-impact-discrimination-algorithm.html. See also Rebecca Kelly Slaughter, Algorithms and Economic Justice, 23 Yale J. L. & Tech. 1, 11-14 (2021) (“Slaughter Algorithms Paper”); Anupam Chander, The Racist Algorithm?, 115 Mich. L. Rev. 1023, 1029-30, 1037-39 (2017); Solon Barocas & Andrew D. Selbst, Big Data’s Disparate Impact, 104 Calif. L. Rev. 671, 677-87 (2016). 9 The Commission is issuing this ANPR pursuant to Section 18 of the Federal Trade Commission Act (“FTC Act”) and the Commission’s Rules of Practice46 because recent Commission actions, news reporting, and public research suggest that harmful commercial surveillance and lax data security practices may be prevalent and increasingly unavoidable.47 These developments suggest that trade regulation rules reflecting these current realities may be needed to ensure Americans are protected from unfair or deceptive acts or practices. New rules could also foster a greater sense of predictability for companies and consumers and minimize the uncertainty that case-by-case enforcement may engender. Countries around the world and states across the nation have been alert to these concerns. Many accordingly have enacted laws and regulations that impose restrictions on companies’ collection, use, analysis, retention, transfer, sharing, and sale or other monetization of consumer data. In recognition of the complexity and opacity of commercial surveillance practices today, such laws have reduced the emphasis on providing notice and obtaining consent and have instead 46 15 U.S.C. 57a; 16 CFR parts 0 and 1. 47 In May 2022, three consumer advocacy groups urged the Commission to commence a rulemaking proceeding to protect “privacy and civil rights.” See Letter of Free Press, Access Now, and UltraViolet to Chair Lina M. Khan (May 12, 2022), https://act.freepress.net/sign/protect_privacy_civil_rights. Late in 2021, moreover, the Commission received a petition that calls on it to promulgate rules pursuant to its authority to protect against unfair methods of competition in the market for consumer data. See Press Release, Accountable Tech, Accountable Tech Petitions FTC to Ban Surveillance Advertising as an ‘Unfair Method of Competition’ (Sept. 28, 2021), https://accountabletech.org/media/accountable-tech-petitions-ftc-to-ban-surveillance-advertising-as-an-unfairmethod-of-competition/. In accordance with the provision of its Rules of Practice concerning public petitions, 16 CFR 1.31, the Commission published a notice about the petition, 86 FR 73206 (Dec. 23, 2021), and accepted public comments, which are compiled at https://www.regulations.gov/docket/FTC-2021-0070/comments. The petitioner urges new rules that address the way in which certain dominant companies exploit their access to and control of consumer data. Those unfair-competition concerns overlap with some of the concerns in this ANPR about unfair or deceptive acts or practices, and several comments in support of the petition also urged the Commission to pursue a rulemaking using its authority to regulate unfair or deceptive practices. See, e.g., Cmt. of Consumer Reports & Elec. Privacy Info. Ctr., at 2 (Jan. 27, 2022), https://downloads.regulations.gov/FTC-2021-0070-0009/attachment_1.pdf. Accordingly, Item IV, below, invites comment on the ways in which existing and emergent commercial surveillance practices harm competition and on any new trade regulation rules that would address such practices. Such rules could arise from the Commission’s authority to protect against unfair methods of competition, so they may be proposed directly without first being subject of an advance notice of proposed rulemaking. See 15 U.S.C. 57a(a)(2) (Section 18’s procedural requirements, including an ANPR, apply to rules defining unfair or deceptive acts or practices but expressly do not apply to rules “with respect to unfair methods of competition”). 10 stressed additional privacy “defaults” as well as increased accountability for businesses and restrictions on certain practices. For example, European Union (“EU”) member countries enforce the EU’s General Data Protection Regulation (“GDPR”),48 which, among other things, limits the processing of personal data to six lawful bases and provides consumers with certain rights to access, delete, correct, and port such data. Canada’s Personal Information Protection and Electronic Documents Act49 and Brazil’s General Law for the Protection of Personal Data50 contain some similar rights.51 Laws in California,52 Virginia, 53 Colorado,54 Utah,55 and Connecticut,56 moreover, include some comparable rights, and numerous state legislatures are considering similar laws. Alabama,57 Colorado,58 and Illinois,59 meanwhile, have enacted laws related to the development and use of 48 See Data Protection in the EU, Eur. Comm’n, https://ec.europa.eu/info/law/law-topic/data-protection/dataprotection-eu_en. 49 See Personal Information Protection and Electronic Documents Act (PIPEDA), Off. of the Privacy Comm’r of Can., https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-andelectronic-documents-act-pipeda/ (last modified Dec. 8, 2021). 50 Brazilian General Data Protection Law (Law No. 13,709, of Aug. 14, 2018), https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/. 51 In 2021, the European Commission also announced proposed legislation to create additional rules for artificial intelligence that would, among other things, impose particular documentation, transparency, data management, recordkeeping, security, assessment, notification, and registration requirements for certain artificial intelligence systems that pose high risks of causing consumer injury. See Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts, COM (2021) 206 final (Apr. 21, 2021), https://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=CELEX%3A52021PC0206. 52 See California Privacy Rights Act of 2020, Proposition 24 (Cal. 2020) (codified at Cal. Civ. Code 1798.100 - 199.100); State of Cal. Dep’t of Just., California Consumer Privacy Act (CCPA): Frequently Asked Questions (FAQs), https://oag.ca.gov/privacy/ccpa. 53 See Consumer Data Protection Act, S.B. 1392, 161st Gen. Assem. (Va. 2021) (codified at Va. Code Ann. 59.1- 575 through 59.1-585 (2021)). 54 See Protect Personal Data Privacy Act, 21 S.B. 190, 73 Gen. Assem. (Colo. 2021). 55 See Utah Consumer Privacy Act, 2022 Utah Laws 462 (codified at Utah Code Ann. 13-61-1 through 13-61-4). 56 See An Act Concerning Personal Data Privacy and Online Monitoring, 2022 Conn. Acts P.A. 22-15 (Reg. Sess.). 57 See Act. No. 2021-344, S.B. 78, 2021 Leg., Reg. Sess., (Ala. 2021). 58 See Restrict Insurers’ Use of External Consumer Data Act, 21 S.B. 169, 73rd Gen. Assem., 1st Reg. Sess. (Colo. 2021). 59 See Artificial Intelligence Video Interview Act, H.B. 53, 102nd Gen. Assem., Reg. Sess. (Ill. 2021) (codified at 820 Ill. Comp. Stat. Ann. 42/1 et seq.). 11 artificial intelligence. Other states, including Illinois,60 Texas,61 and Washington,62 have enacted laws governing the use of biometric data. All fifty U.S. states have laws that require businesses to notify consumers of certain breaches of consumers’ data.63 And numerous states require businesses to take reasonable steps to secure consumers’ data.64 Through this ANPR, the Commission is beginning to consider the potential need for rules and requirements regarding commercial surveillance and lax data security practices. Section 18 of the FTC Act authorizes the Commission to promulgate, modify, and repeal trade regulation rules that define with specificity acts or practices that are unfair or deceptive in or affecting commerce within the meaning of Section 5(a)(1) of the FTC Act.65 Through this ANPR, the Commission aims to generate a public record about prevalent commercial surveillance practices or lax data security practices that are unfair or deceptive, as well as about efficient, effective, and adaptive regulatory responses. These comments will help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers, even if the Commission does not ultimately promulgate new trade regulation rules.66 The term “data security” in this ANPR refers to breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices. 60 See Biometric Information Privacy Act, S.B. 2400, 2008 Gen. Assem., Reg. Sess. (Ill. 2021) (codified at 740 Ill. Comp. Stat. Ann. 14/1 et seq.). 61 See TEX. BUS. & COM. CODE 503.001. 62 See Wash. Rev. Code Ann. 19.375.010 through 19.375.900. 63 See Nat’l Conf. of State Leg., Security Breach Notification Laws (Jan. 17, 2022), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notificationlaws.aspx. 64 See Nat’l Conf. of State Leg., Data Security Laws, Private Sector (May 29, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx. 65 15 U.S.C. 45(a)(1). 66 Cf. Slaughter Keynote at 4; Oral Statement of Comm’r Christine S. Wilson, Strengthening the Federal Trade Commission’s Authority to Protect Consumers: Hearing before the Senate Comm. on Com., Sci. & Transp. (Apr. 20, 2021), https://www.ftc.gov/system/files/documents/public_statements/1589180/opening_statement_final_for_postingrevd.p df. 12 For the purposes of this ANPR, “commercial surveillance” refers to the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app. This latter category is far broader than the first. The term “consumer” as used in this ANPR includes businesses and workers, not just individuals who buy or exchange data for retail goods and services. This approach is consistent with the Commission’s longstanding practice of bringing enforcement actions against firms that harm companies67 as well as workers of all kinds.68 The FTC has frequently used Section 5 of the FTC Act to protect small businesses or individuals in contexts involving their employment or independent contractor status.69 67 See, e.g., Press Release, Fed. Trade Comm’n, FTC Obtains Contempt Ruling Against ‘Yellow Pages’ Scam (Nov. 25, 2015), https://www.ftc.gov/news-events/press-releases/2015/11/ftc-obtains-contempt-ruling-against-yellowpages-scam; Press Release, Fed. Trade Comm’n, FTC and Florida Halt Internet ‘Yellow Pages’ Scammers (July 17, 2014), https://www.ftc.gov/news-events/press-releases/2014/07/ftc-florida-halt-internet-yellow-pages-scammers; In re Spiegel, Inc., 86 F.T.C. 425, 439 (1975). See also FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244 (1972); FTC v. Bunte Bros., Inc., 312 U.S. 349, 353 (1941); In re Orkin Exterminating Co., Inc., 108 F.T.C. 263 (1986), aff’d, Orkin Exterminating Co., Inc. v. FTC, 849 F.2d 1354 (11th Cir. 1988); FTC v. Datacom Mktg., Inc., No. 06-c2574, 2006 WL 1472644, at *2 (N.D. Ill. May 24, 2006). Previously, the Commission included “businessmen” among those Congress charged it to protect under the statute. See Fed. Trade Comm’n, FTC Policy Statement on Unfairness (Dec. 17, 1980), appended to In re Int’l Harvester Co., 104 F.T.C. 949, 1072 n.8 (1984), https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness. 68 See, e.g., Press Release, Fed. Trade Comm’n, FTC Settles Charges Against Two Companies That Allegedly Failed to Protect Sensitive Employee Data (May 3, 2011), https://www.ftc.gov/news-events/pressreleases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed; Press Release, Fed. Trade Comm’n, Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees (July 27, 2010), https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failedprotect-medical-financial; Press Release, Fed. Trade Comm’n, CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations (Feb. 18, 2009), https://www.ftc.gov/news-events/pressreleases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial. See also Press Release, Fed. Trade Comm’n, Amazon To Pay $61.7 Million to Settle FTC Charges It Withheld Some Customer Tips from Amazon Flex Drivers (Feb. 2, 2021), https://www.ftc.gov/news-events/press-releases/2021/02/amazon-pay-617- million-settle-ftc-charges-it-withheld-some. 69 See, e.g., FTC v. IFC Credit Corp., 543 F. Supp. 2d 925, 934-41 (N.D. Ill. 2008) (holding that the FTC’s construction of the term “consumer” to include businesses as well as individuals is reasonable and is supported by the text and history of the FTC Act). 13 This ANPR proceeds as follows. Item II outlines the Commission’s existing authority to bring enforcement actions and promulgate trade regulation rules under the FTC Act. Item III sets out the wide range of actions against commercial surveillance and data security acts or practices that the Commission has pursued in recent years as well as the benefits and shortcomings of this case-by-case approach. Item IV sets out the questions on which the Commission seeks public comment. Finally, Item V provides instructions on the comment submission process, and Item VI describes a public forum that is scheduled to take place to facilitate public involvement in this rulemaking proceeding. II. The Commission’s Authority Congress authorized the Commission to propose a rule defining unfair or deceptive acts or practices with specificity when the Commission “has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.”70 A determination about prevalence can be made either on the basis of “cease-and-desist” orders regarding such acts or practices that the Commission has previously issued, or when it has “any other information” that “indicates a widespread pattern of unfair or deceptive acts or practices.”71 Generally, a practice is unfair under Section 5 if (1) it causes or is likely to cause substantial injury, (2) the injury is not reasonably avoidable by consumers, and (3) the injury is not outweighed by benefits to consumers or competition.72 A representation, omission, or practice is deceptive under Section 5 if it is likely to mislead consumers acting reasonably under the circumstances and is material to consumers—that is, it would likely affect the consumer’s 70 15 U.S.C. 57a(b)(3). 71 Id. 72 15 U.S.C. 45(n). 14 conduct or decision with regard to a product or service.73 Under the statute, this broad language is applied to specific commercial practices through Commission enforcement actions and the promulgation of trade regulation rules. In addition to the FTC Act, the Commission enforces a number of sector-specific laws that relate to commercial surveillance practices, including: the Fair Credit Reporting Act,74 which protects the privacy of consumer information collected by consumer reporting agencies; the Children’s Online Privacy Protection Act (“COPPA”),75 which protects information collected online from children under the age of 13; the Gramm-Leach-Bliley Act (“GLBA”),76 which protects the privacy of customer information collected by financial institutions; the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act,77 which allows consumers to opt out of receiving commercial email messages; the Fair Debt Collection Practices Act,78 which protects individuals from harassment by debt collectors and imposes disclosure requirements on related third-parties; the Telemarketing and Consumer Fraud and Abuse Prevention Act,79 under which the Commission implemented the Do Not Call Registry80; the Health Breach Notification Rule,81 which applies to certain health information; and the Equal Credit Opportunity Act,82 which protects individuals from discrimination on the basis of race, color, religion, national origin, sex, marital status, receipt of public assistance, or good faith 73 See FTC Policy Statement on Deception (Oct. 14, 1983), appended to In re Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984), https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf. 74 15 U.S.C. 1681 through 1681x. 75 15 U.S.C. 6501 through 6506. 76 Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended in scattered sections of 12 and 15 U.S.C.). 77 15 U.S.C. 7701 through 7713. 78 15 U.S.C. 1692 through 1692p. 79 15 U.S.C. 6101 through 6108. 80 16 CFR part 310. 81 16 CFR part 318. 82 15 U.S.C. 1691 through 1691f. 15 exercise of rights under the Consumer Credit Protection Act and requires creditors to provide to applicants, upon request, the reasons underlying decisions to deny credit. III. The Commission’s Current Approach to Privacy and Data Security a. Case-By-Case Enforcement and General Policy Work For more than two decades, the Commission has been the nation’s privacy agency, engaging in policy work and bringing scores of enforcement actions concerning data privacy and security.83 These actions have alleged that certain practices violate Section 5 of the FTC Act or other statutes to the extent they pose risks to physical security, cause economic or reputational injury, or involve unwanted intrusions into consumers’ daily lives.84 For example, the Commission has brought actions for: • the surreptitious collection and sale of consumer phone records obtained through false pretenses85; • the public posting of private health-related data online86; 83 “Since 1995, the Commission has been at the forefront of the public debate on online privacy.” Fed. Trade Comm’n, Privacy Online: Fair Information Practices in the Electronic Marketplace—A Report to Congress 3 (2000), http://www.ftc.gov/reports/privacy2000/privacy2000.pdf (third consecutive annual report to Congress after it urged the Commission to take on a greater role in policing privacy practices using Section 5 as the internet grew from a niche service to a mainstream utility). The first online privacy enforcement action came in 1998 against GeoCities, “one of the most popular sites on the World Wide Web.” Press Release, Fed. Trade Comm’n, Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency’s First Internet Privacy Case (Aug. 13, 1998), http://www.ftc.gov/news-events/press-releases/1998/08/internet-site-agrees-settle-ftccharges-deceptively-collecting. 84 See Fed. Trade Comm’n, Comment to the National Telecommunications & Information Administration on Developing the Administration’s Approach to Consumer Privacy, No. 180821780-8780-01, 8-9 (Nov. 9, 2018), https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-ntiadevelopingadministrations-approach-consumer-privacy/p195400_ftc_comment_to_ntia_112018.pdf; FTC Comm’r Christine S. Wilson, A Defining Moment for Privacy: The Time Is Ripe for Federal Privacy Legislation: Remarks at the Future of Privacy Forum 11, n.39 (Feb. 6, 2020), https://www.ftc.gov/system/files/documents/public_statements/1566337/commissioner_wilson_privacy_forum_spee ch_02-06-2020.pdf. 85 See, e.g., Compl. for Injunctive and Other Equitable Relief, United States v. Accusearch, Inc., No. 06-cv-105 (D. Wyo. filed May 1, 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/05/060501accusearchcomplaint.pdf. 86 See, e.g., Compl., In re Practice Fusion, Inc., F.T.C. File No. 142-3039 (Aug. 16, 2016), https://www.ftc.gov/system/files/documents/cases/160816practicefusioncmpt.pdf. 16 • the sharing of private health-related data with third parties87; • inaccurate tenant screening88; • public disclosure of consumers’ financial information in responses to consumers’ critical online reviews of the publisher’s services89; • pre-installation of ad-injecting software that acted as a man-in-the-middle between consumers and all websites with which they communicated and collected and transmitted to the software developer consumers’ internet browsing data90; • solicitation and online publication of “revenge porn”—intimate pictures and videos of ex-partners, along with their personal information—and the collection of fees to take down such information91; • development and marketing of “stalkerware” that purchasers surreptitiously installed on others’ phones or computers in order to monitor them92; 87 See, e.g., Decision and Order, In re Flo Health, Inc., FTC File No. 1923133 (June 22, 2021), www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf. 88 See, e.g., Compl. for Civ. Penalties, Permanent Injunction, and Other Equitable Relief, United States v. AppFolio, Inc., No. 1:20-cv-03563 (D.D.C. filed Dec. 8, 2020), https://www.ftc.gov/system/files/documents/cases/ecf_1_- _us_v_appfolio_complaint.pdf. 89 See, e.g., Compl., United States v. Mortg. Sols. FCS, Inc., No. 4:20-cv-00110 (N.D. Cal. filed Jan. 6, 2020), https://www.ftc.gov/system/files/documents/cases/mortgage_solutions_complaint.pdf. 90 See, e.g., Decision and Order, In re Lenovo (United States) Inc., FTC File No. 152 3134 (Dec. 20, 2017), https://www.ftc.gov/system/files/documents/cases/152_3134_c4636_lenovo_united_states_decision_and_order.pdf. 91 See, e.g., Compl. for Permanent Injunction and Other Equitable Relief, FTC and State of Nevada v. EMP Media, Inc., No. 2:18-cv-00035 (D. Nev. filed Jan. 9, 2018), https://www.ftc.gov/system/files/documents/cases/1623052_myex_complaint_1-9-18.pdf; Compl., In re Craig Brittain, F.T.C. File No. 132-3120 (Dec. 28, 2015), https://www.ftc.gov/system/files/documents/cases/160108craigbrittaincmpt.pdf. 92 See, e.g., Compl., In re Support King, LLC, F.T.C. File No. 192-3003 (Dec. 20, 2021), https://www.ftc.gov/system/files/documents/cases/1923003c4756spyfonecomplaint_0.pdf; Compl., In re Retina-X Studios, LLC, F.T.C. File No. 172-3118 (Mar. 26, 2020), https://www.ftc.gov/system/files/documents/cases/172_3118_retina-x_studios_complaint_0.pdf; Compl. for Permanent Injunction and Other Equitable Relief, FTC v. CyberSpy Software, LLC., No. 6:08-cv-01872 (M.D. Fla. filed Nov. 5, 2008), https://www.ftc.gov/sites/default/files/documents/cases/2008/11/081105cyberspycmplt.pdf. 17 • retroactive application of material privacy policy changes to personal information that businesses previously collected from users93; • distribution of software that caused or was likely to cause consumers to unwittingly share their files publicly94; • surreptitious activation of webcams in leased computers placed in consumers’ homes95; • sale of sensitive data such as Social Security numbers to third parties who did not have a legitimate business need for the information,96 including known fraudsters97; • collection and sharing of sensitive television-viewing information to target advertising contrary to reasonable expectations98; • collection of phone numbers and email addresses to improve social media account security, but then deceptively using that data to allow companies to target advertisements in violation of an existing consent order99; 

10/10/2022

Don't Rent From Public Storage

 

Small claims filing against negligent security, false advertising, breach of contract against Public Storage


Exhibit 1

March of 2016 I rented a space from Public Storage after called PS I signed up for AIG Perfect Solutions insurance. I was not told Perfect Solutions was a Public Storage company. I have auto-paid my bill on time for years. PS increased my rent many times. PS ran targeted advertising on Facebook that they were the safest, most secure, storage facility on the planet. They ran television ads about space exploration and how they were hyper secure in 2016. PS owns the building at 23572 Moulton Pkwy, Laguna Woods as well as operates there. The lobby exhibits a camera watching entrants, signs and advertisements say that PS offers secure, climate controlled, fancy storage.

Public Storage owns the building where I had storage. They advertised it as climate controlled, with security alarms and video camera surveillance 24/7. P S never told me they cancelled their alarm and cut the alarm cables. P S has the worst security. I did not know there was rear stairs and rear door entrance. P S has clients enter the elevator with this fancy security codes. The rear of the building is not secure I now know. They use bathroom style door locks, the downstairs door pin does not go into any secure plate, Steve Strohom claims he left his crowbar by the rear door which is suspect, and Steve left the building unlocked. P S has procedures for their employees to keep logs of inspections another employee showed me the log book and Steve failed to enter any inspections for the four days before the event. Two days later he back dated the inspections, the other employee showed me.

P S advertises in their office that they have 24 hour security. P S refused to give camera feed to the Sheriff.

The Sheriffs said P S has a greater number of these events than any other facility.

 

 

October 10th at 12:45 afternoon Steve Strohbom called to inform the building had a burglary.

I asked him: “Have you called the police?”

He answered, “I was told by management not to inform the OC Sheriff.”

I told him this was negligent and that I would be there in fifteen minutes. I called the OC Sheriff while driving to the building. They informed me no one had reported any burglary.

Upon arrival I went upstairs to my unit. Fourteen or more units had been smashed into. The contents of my storage unit was all over the hallway. Boxes opened, broken antique glass Christmas ornaments all over the hallway, and the metal door closed. Another employee a man with dark hair not Steve came upstairs and he told me that “they” had put some of my items back into the storage and would change the lock. The bars from the doors were totally bent so opening the door was accomplished without using a lock. I went downstairs to meet the Sheriff who made a report and promised to send an officer to do fingerprints. I went around the back of the building to find paintings, bubble wrap, and other person’s storage items near the road in the rear of the building that dead ends up to the 23552 storage building for the golf course. The rear door was propped open. Upon close look I found that the security alarm which was once wired to the door had been cut. I asked Steve and the two other employees separately as to what happened to the rear door alarm. All three employees of PS confirmed the alarm system was cancelled and cut off some time in 2018. PS has elaborate video cameras in the entryway, they also have what are dummy cameras that were turned off years ago. There is a system to use a personal code to enter the elevator but there are rear stairs that are easy to access all the units. I did not know there was zero security.

Next to the rear door inside was a crowbar, probably used by the burglars. This rear door remained unlocked and propped open for three days and nights allowing all the strange people in the neighborhood access to 14 + units which the doors were wide open to steal more items. Employees of PS did not take care to lock the doors.

Employees failed to follow company security procedures and neglected to even call some of the tenants. Steve Strombom lied to me on 10/10 saying the locksmith was on his way. I was taking loads of my remaining storage in trips in my car to secure as quickly as I could. It took me seven trips. At 5PM Steve left without telling anyone. I called PS again and they said the locksmith was on his way but the had a flat tire. I was told the facility would close at 9 PM and I was on my second load of moving my storage.

Thirty to forty strange people wandered the hallways that day. Only two other persons who were victims were on site. Employees of PS put people’s personal effects away. The dark-haired guy was putting items back into my ripped boxes and I told him to stop. I left to purchase wrapping materials to re box my items remaining.

 I returned after 9 PM and the back door was still propped open but I could not get into the elevator and moving boxes down the hall and stairs then walking far with heavy items was impossible. Scary men were smoking around the rear door.

I went back the next morning 10/11 at 6:00 AM and other rough looking persons were at the rear door. That day I took loads home and met with the police investigator late in the day, but she said she could not get fingerprints from corrugated doors. That day I spoke again with the young man who replaced Steve Strombom. The young man and the Sherriff Department Investigator both thought it strange that only lockers that were paying and were full were smashed and robbed. Both suggested it was an employee who planned the burglary. Day two the locksmith NEVER fixed the 14 doors and never repaired the rear door. Day three I went back again to see the rear door still open day and night.

PS allowed access to any public person to wander the hallways and take more personal items from the victims for three days. PS employees went into our units. PS employee moved items and repacked boxes.

Police report #21-024495 Deputy Kim did not recover anything.

I made a claim with PS but they denied saying the AIG insurance I had no longer existed. AIG was a subsidiary of PS and now PS owns Starr or Orange Door.

I lost all my life’s personal jewelry, wedding rings, grandmother’s jewelry, sterling, paintings and the majority of my antique glass ornaments were smashed into nothing.

 

I now know more about PS. PS owns the building on Moulton and they had damages but did not want to get the police involved as it might alert media. PS has a policy of never paying insurance claims. PS took 51 days to deny my claim when the law says they had to notify in 30 days. About 95% of claims are denied. PS never informed me that my insurance cancelled, they just kept increasing my bill every month and taking autopay from my account. PS moved employees from another branch to avoid tenants rage for a couple weeks. PS knows this building location has problems with burglaries, robberies and vagrants. PS removed the alarms on the doors to cut costs without advising tenants. PS has fake security to lure customers. PS employees allowed many people to steal from us by leaving everything open for days. PS employees are supposed to inspect property twice a day and log it in. Steve did not inspect the building for a day or two and only makes his log entries when he escorts a new tenant upstairs. PS is a billion dollar REIT that runs a nationwide scam. PS paints everything orange to hide who they are: people who do not care.

My loss is $xxx,xxx.00 Plus the nightmares, worry and sadness about losing everything of value.

Should I have put valuables in there? I didn't know that their security is all fake lies. 



Things that got stolen or smashed to ruin:

 

Jewelry bag that held my grandmother and great grandmother's
engagement and wedding rings and mine
Two full sterling silver place settings from 1948- 1950

Twenty dollar solid gold eagle and pearl pendant with thirty five inch chain

Watch parts they broke

Parts of an Italian Nativity scene they took Jesus and Mary and two of the Wisemen but not poor Joseph






Here is the door they exited that Public Storage PCSS failed to fix the lock for four days

All the fake security cameras which they claim to the police they don't save the history or feed, but they do.
Employees careless with the keys to the building

Employees leave computer available and turned on and open when they leave the office.

Log book where Steve left the four days lock checks blank then filled in the work fake completed days later.

Jus so you know Public Storage does not care


My boxes rooted through. Upon arrival all were in the hallway. Employees moved them around and put some back into the space though the door was smashed open for four days. Employees opened boxes and cleaned up the glass from broken Christmas ornaments that were more than a hundred years old.

Robber burglars inside job they were too dumb to take first edition books signed



This bathroom doorknob without a lock is what Public Storage considers secure

Old alarm cut. Employees told me the alarm was turned off non payment in 2018. 
Bottom of the exterior door the lock mechanism does not touch the floor. Not secure still today almost a year later October 10, 2022


Pried open door


Crow bar sitting by rear inside 










PUBLIC STORAGE sells insurance which is a scam. They self insure. I paid for insurance and auto paid my account for seven years and they claim the insurance ended. 

98% of Public Storage insurance claims are denied. They blame the tenant for any and all problems








Rental Agreement

Thank you for becoming our customer. You want and agree to rent a self-storage unit from Public Storage on these terms:

Parties and Rented Space

Public Storage and or PSCC, Inc. and or its affiliates, authorized representatives, employees, or other agents, as owner’s agent (Public Storage, “we,” “us,” our “our.”

 

And

xxxxxxxxxu  , as customer (“you,” or “your)

100 Spectrum Center Drive Suite 500, Irvine CA 92618

 

You are an individual _X__    or a business ________________

 

Rental Date: 5/11/2016

Facility: 007009

23572 Moulton Parkway, Laguna Woods, CA 92637-1977

Enclosed space # 2180 approximately 5X5

Alternate Contact:  xxxxx xxxxx telephone: (949) 372-9000

 

FEES AND CHARGES



$ 62.00 Monthly rent due on or before 1st of month       

$ 24.00 New Administrative Fee (non-refundable)

$ 15.00 Insurance

$ 25.00 Dishonored Check Charge

$ 15.00 Late Charge after 10th of the month

$   7.50 Lien Fee 2 After 40 Days (Whether or not sale occurs)

$ 130.00 Lien Sale Fee

 

Occupant acknowledges that the above information is correct, that unless Occupant is identified as a business, Occupant is an individual, that all payments are due before the close of business day on the first day of the month, and that all payments are to be applied to the oldest rent charge first, and then fees and other charges that become due. Occupant also understands and agrees to pay all the charges, fees and rents as noted above and that the owner reserves the right to require that rent, fees, and charges be paid in cash, certified check, or money order.

It is agreed by and between Owner and Occupant:

1.       PURPOSE AND DESCRIPTION OF PREMISES. The parties have entered into this lease/rental agreement for the purpose of renting the above noted storage space (The Premises) and agree to examine the Premises and Property and acknowledges that the space is estimated per Building Office Management Association standards and does not refer to a useable space, that the size of the Premises, and any referenced sizes are approximate, given for illustration only and may vary materially, that the Occupant has an opportunity to measure the Premises prior to moving in, and that the Premises and common areas of the Property are satisfactory for all purposes for which Occupant shall use the Property including the size and capacity of the Premises. This Property being leased has not undergone inspection by a Certified Access Specialist (CA.SP). Occupant shall have access to leased Property only during the Property’s posted hours of operation. Loitering on the Property  or Premises is prohibited.

2.       TERM AND RENT. The term of this Lease Rental Agreement shall commence as of the day written above and shall continue on a month-to-month basis from the first day of the month immediately following until terminated. Occupant shall pay Owner as a monthly rent, without deduction, prior notice, demand or billing statement, the sum noted above (plus any applicable tax imposed by any taxing authority) in advance on the first of the month and shall owe a pro rata



Pu


10/06/2022

Appraisal Came in Low Reconsideration Of Value

 



When a residential appraisal comes in low, a borrower prays they have an experienced seasoned loan officer who can write the long form novel needed to argue for a better valuation. 

The Consumer Financial Protection Board is "surveying" "checking" and "looking at" the system where residential appraisals come in low and mortgage loan officers or borrowers rebut the valuation


On October 6, the CFPB released a blog reporting that lenders that fail to have a clear and consistent method to ensure that borrowers can seek a reconsideration of value risk violating federal law. The blog focuses on the “reconsideration of value” (“ROV”) or appraisal rebuttal process.

In the purchase process borrowers pay for the appraisal for a lender to back up the loan to value and review the condition of the subject. The USPAP appraiser acts as the eyes for the bank. After the 2008 crash rules were set in stone that mortgage loan officers, lenders, brokers -anyone who makes a commission on a home loan cannot speak to licensed appraisers. In that long time ago past mortgage bankers would email comparables and have the listing agent review the errors. Today lenders work through an intermediary called a AMC or RAC and lenders never speak to appraisers. To rebut a low appraisal is a process that every lender has invented their own wheels. The reconsideration of value process is  a hit or miss. Homebuyers and homeowners can ask for a lender to reconsider a home valuation the consumer believes to be inaccurate. 

The reconsideration allows for borrowers to point out specific issues such as factual or other errors or omissions, inadequate comparable properties, or evidence that the appraisal was influenced by prohibited bias. The problem is that borrowers have no access to appraisal data, they don't really understand the ten page report, and don't have the experience to argue with facts. Only facts can overturn an appraisal. CFPB's blog warns that lenders must make sure that their reconsideration of value process is nondiscriminatory and clearly available and accessible to all.  

CFPB issued an outline on options to prevent algorithmic bias in home valuations. Bias exists even in the data of closed loans provided by the FHFA.  Additionally, along with other regulators, the CFPB is looking at the work of the Appraisal Foundation and the Interagency Task Force on Property Appraisal and Valuation Equity (PAVE).

 Couple bullet points in going forward I must note:


  • Of course the originator wants the appraisal to match the sales price. The deal may fail and they don't get paid. 👎
  • Newer Loan officers don't have the arrows in their quiver to write a rebuttal and provide actual comps with correct adjustment and timely valuation points.
  • Appraisers like to hold on to their opinion of value.

I have below a list of items to prepare in completing a reconsideration of value.
The ways to overturn an appraisal are: 

1. be kind, have new photos, have documentation, run everything through the AMC
2. a rebuttal needs three comparables that were missed for some reason- say they had not closed on the day appraiser saw  property
3. comparables are within five percent of subject square footage and lot size to avoid large adjustments
4. comparables are within the past three months and are closed sales with a loan, not cash
5. comparables are similar room count and subject property type
6. comparables are in the same track or similar track nearby
7. look at the photographs and compare to old MLS, look at the sky and the weather to verify appraiser actually took the images in the recent time frame
8. How large is the adjustment percentage to the sold price? If huge then maybe the comp is flawed
9. Borrowers think that a new roof, new heater or new paint add value, they do not
10. rehab or remodel that brings the standard of the house up to parallel with  newer house or contemporary kitchen can be adjustments
11. A property can be over built or oddly over improved and not have market value
12. Same thing a property in a luxury neighborhood with simple bones may have more value
13. Future improvements have no value
14 Pools aren't a huge adjustment unless you are in the desert then they are the norm
15.Get your Realtor partners to help. They might not be experts but more eyes on the written appraisal can be helpful. Enlist senior NMLS officers in your office to help
16. Everything must be written and organized. You need photos to show rather than tell. 
17. Residential appraisals do not use square foot price
18. Use the form the AMC provides and add pages


Generally it is FREE to submit a rebuttal. (This ought to be a law.)

Ordering a second appraisal does not mean your outcome will improve and does not blind everyone from seeing the first appraisal.
USPAP appraisers are our eyes and unseen partners. A long time ago in a place far away we were all friends.



Caroline Gerardo, 
C G Barbeau
American Financial Network Inc
Mortgage Banker  
NMLS# 324982

There is a huge push after the Black Lives Matter movement to find ways to end discrimination in home lending. Appraisal is one of these pin points of pain.