
Policy Briefing — FTC Opens Commercial Surveillance Rulemaking

The FTC’s August 2022 commercial surveillance ANPR signals expansive privacy, security, and algorithmic accountability rules; firms should document their controls, outcome testing, and advocacy strategies before formal proposals arrive.


Executive briefing: On 11 August 2022 the U.S. Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security, seeking public comment on a wide range of practices including data minimisation, dark patterns, biometric surveillance, algorithmic discrimination, and children’s privacy. The ANPR signals potential comprehensive FTC rulemaking under Section 18 (Magnuson-Moss) to establish enforceable standards beyond case-by-case enforcement. Organisations must assess data governance, consumer consent, security controls, and algorithmic accountability frameworks to prepare for potential rule obligations and heightened enforcement.

Scope of inquiry

The ANPR poses 95 questions across topics such as:

  • Collection, use, retention, and transfer of consumer data, including sensitive categories like geolocation, health, and biometric information.
  • Automated decision-making systems, machine learning transparency, and discrimination impacts.
  • Child and teen surveillance practices, including education technology and targeted advertising.
  • Data security safeguards, breach notification, and accountability mechanisms.
  • Consumer consent design, dark patterns, and manipulation in user interfaces.

While the FTC has not proposed specific rules, the breadth of questions suggests future obligations around data minimisation, access controls, algorithmic impact assessments, and consumer rights.

Governance and compliance implications

Organisations should proactively strengthen governance:

  • Data inventories. Maintain comprehensive data maps covering collection points, processing purposes, retention periods, and sharing relationships.
  • Risk assessments. Conduct privacy impact assessments (PIAs) and algorithmic impact assessments (AIAs) focusing on discrimination, fairness, and transparency.
  • Consent and choice management. Review consent flows for clarity, avoid dark patterns, and provide granular controls over data use.
  • Security controls. Implement technical safeguards such as encryption, multi-factor authentication, zero trust architectures, and continuous monitoring. Align with the NIST Cybersecurity Framework and the security expectations set out in prior FTC data security orders.
  • Governance structures. Establish cross-functional privacy and AI governance committees with board oversight, ensuring accountability for compliance.

Outcome-focused controls should measure effectiveness of consent interfaces, detect algorithmic bias, and validate security posture.

Algorithmic accountability

The ANPR emphasises algorithmic discrimination and transparency. Organisations deploying automated decision-making should:

  • Document model purposes, training data sources, preprocessing steps, and performance metrics.
  • Implement fairness testing (e.g., disparate impact analysis, equalised odds) across protected classes.
  • Maintain human-in-the-loop review for high-risk decisions, with appeal mechanisms.
  • Track model drift, retraining frequency, and post-deployment monitoring.
  • Provide meaningful explanations to consumers about automated decisions.

Outcome testing should capture bias metrics, false positive/negative rates, and remediation effectiveness. Organisations should integrate NIST AI Risk Management Framework concepts and upcoming state-level laws (e.g., Colorado AI Act proposals).

Children’s and teens’ privacy

The FTC signalled concern about surveillance of minors, including education technology. Companies should review compliance with the Children’s Online Privacy Protection Act (COPPA), emerging state laws (e.g., California Age-Appropriate Design Code), and consider enhanced safeguards such as parental consent verification, age assurance, and default privacy settings.

Data security and breach response

The ANPR contemplates codifying security requirements. Organisations should align with FTC consent order expectations:

  • Risk-based security programs with executive oversight.
  • Access controls, patch management, vulnerability assessments, and penetration testing.
  • Incident response plans with tabletop exercises and clear notification procedures.
  • Vendor management programs ensuring third parties meet equivalent security standards.

Outcome testing should measure incident detection times, patch timelines, and vendor compliance rates.

Preparing for potential rulemaking

Although rulemaking will take time, organisations should develop positions for public comment, engage industry associations, and monitor FTC workshops. Compliance teams should scenario-plan for obligations such as:

  • Data minimisation mandates with strict retention limits.
  • Algorithmic transparency reports and consumer rights to opt out of profiling.
  • Mandatory risk assessments for high-risk processing.
  • Breach notification rules with specific timelines.

Organisations should benchmark against state privacy laws (California CPRA, Virginia VCDPA, Colorado CPA, Utah UCPA, Connecticut CTDPA) to harmonise controls.

Implementation roadmap

  1. 0–90 days: Conduct gap analysis of current privacy, security, and algorithmic governance against FTC questions. Prioritise high-risk areas such as biometric surveillance and dark patterns.
  2. 90–180 days: Implement enhancements to consent management, security monitoring, and algorithmic impact assessment processes. Develop public comment responses and advocacy strategy.
  3. 180–365 days: Establish continuous monitoring dashboards, integrate privacy-by-design into product development, and prepare evidence repositories for potential investigations.

Zeph Tech advises organisations on aligning privacy, security, and AI governance programs with evolving FTC expectations, enabling outcome-oriented controls and defensible documentation ahead of potential rulemaking.

Consumer research and transparency reporting

Companies preparing for potential FTC rules should expand consumer research programs that test comprehension of privacy notices, consent dialogs, and user interface changes. Qualitative interviews and quantitative surveys can validate whether individuals understand data uses and choices. Firms should also publish transparency reports detailing data collection volumes, access requests, algorithmic decision impacts, and security incidents. These reports can serve as evidence of accountability during FTC investigations and help build trust with consumers and advocacy groups.

Outcome testing can include before-and-after assessments of consumer understanding, conversion rates for privacy choices, and reductions in complaints about deceptive interfaces. Firms should maintain artefacts—test scripts, heatmaps, recordings—to demonstrate rigorous evaluation.

Vendor and data broker oversight

The ANPR highlights downstream data flows. Organisations should inventory all third-party data brokers, advertising networks, and analytics providers, ensuring contractual obligations cover permissible data uses, deletion rights, and audit access. Conducting vendor audits, reviewing security certifications, and monitoring compliance dashboards help ensure third parties do not engage in practices the FTC may deem unfair. Maintaining records of vendor remediation demonstrates proactive governance.

Preparing comment strategies

Entities intending to engage in the rulemaking process should coordinate legal, policy, and technical teams to develop evidence-based comments. This includes quantifying compliance costs, describing existing controls, and proposing workable alternatives. Industry groups may develop joint frameworks for algorithmic transparency or consent standards. Documenting these efforts can inform future compliance roadmaps if the FTC codifies new rules.

Organisations should also monitor congressional activity and state privacy rulemaking to anticipate harmonisation opportunities. Building a regulatory horizon-scanning function that feeds insights into product roadmaps helps avoid costly rework as rules evolve.

Preparing for rule text and enforcement scenarios

The ANPR’s 95 questions explicitly probe topics such as biometric surveillance, loyalty programs, targeted advertising, and automated decision-making. Companies should map each question to current business practices, the accountability owner, and existing evidence (policies, DPIAs, user research, vendor contracts). Where gaps appear, schedule remediation sprints now—for example, to implement differential privacy experiments, to document the data lineage of shadow AI models, or to expand children’s privacy notices.

Legal, compliance, and public-policy teams must coordinate on comment submissions, Hill engagements, and coalition strategies. The record will influence eventual rule language and future consent-order negotiations. Maintain a tracker showing which trade associations or civil-society groups your organisation supports, the positions they filed with the FTC, and how those align with internal risk appetite.

Finally, model the operational impact of potential rule options. If the FTC adopts a data-minimisation rule with limited permissible purposes, can engineering teams re-architect telemetry pipelines in time? If the commission mandates opt-in consent for targeted advertising, can marketing produce audited consent receipts? These tabletop exercises become critical evidence that leadership is anticipating regulatory outcomes rather than reacting after the fact.

