Press Release  AG Healey Co-Leads Bipartisan Coalition Urging the FTC To Account for Consumer Risks of Online Surveillance

BOSTON — Massachusetts Attorney General Maura Healey today co-led a bipartisan group of 33 attorneys general in calling on the Federal Trade Commission (FTC) to consider the consumer harms caused by the prevalence of commercial surveillance and data security practices when creating new rules to prevent misconduct and promote transparency and accountability around online data collection.  

In a comment letter, filed today in response to the FTC’s Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security, the attorneys general urge the FTC to acknowledge the heightened sensitivity around consumers’ medical data, biometric data, and location data, along with the dangers that arise from data brokers and the surveillance of consumers. The coalition also asked that the FTC consider data minimization, which limits the amount of data collected by businesses to only what is required for a specific purpose, to help mitigate concerns surrounding data aggregation.  

“As attorneys general, we have seen firsthand the harms that irresponsibly collected data can have on our residents who are concerned about the privacy and security of their information online,” said AG Healey. “The FTC must consider the heightened risks around these types of data collection as it creates new rules to ensure fairness and prevent consumer harm.”  

Location Data 

According to the letter, many consumers are not even aware that their location information is being collected, and when a consumer wishes to disable location sharing, their options are quite limited. The attorneys general recognize the sensitive nature of this information, which can reveal intimate details of daily life—such as where they live and work, their shopping habits, their daily schedule, or whether they visited the doctor or pharmacy. Laws passed in states like California, Connecticut, and Virginia that restrict the use and collection of location data can provide a framework to inform the FTC through the rulemaking process. 

Biometric Data 

The coalition urges the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies. Many consumers provide this information to companies for security purposes or to learn about their ancestry, but consumers are not always made aware of when their data is collected, how it is used, or if it is resold for purposes to which they never meaningfully consented. 

Medical Data  

The FTC should also consider the risks of practices that use medical data, regardless of whether the data is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule. Medical data not necessarily covered by HIPAA is referred to as “health adjacent data,” which can be collected by many devices—for instance, smartwatches, heart monitors, sleep monitors, and health or wellness phone applications. The letter also highlights medical information risks through examples such as the storage of health-related internet searches, or appointment scheduling information being passed to others through online tracker tools.  

Data Brokers  

The attorneys general reiterated to the FTC the persistent dangers of data brokers. Data brokers profile consumers by scouring social media profiles, internet browsing history, purchase history, credit card information, and government records like driver’s licenses, census data, birth certificates, marriage licenses, and voter registration information. Data brokers also use this information to create profiles of certain consumers—which can be purchased by almost anyone—based on susceptibility to certain advertising or likelihood to buy certain products. This scale of aggregation of anonymously gathered information can identify consumers and put consumers at risk of scams, unwanted and persistent advertising, identity theft and lack of consumer trust in the websites they visit. 

Data Minimization  

The attorneys general say that it is vital that the FTC consider data minimization requirements and limitations. With respect to data collection and retention, the letter encourages the FTC to examine the approach taken in the California, Colorado, Connecticut, Utah and Virginia consumer privacy laws which mandate that businesses tie and limit the collection of personal data to what is “reasonably necessary” in relation to specified purposes. Limiting the collection and retention of data by businesses will improve consumer data security as businesses will have less data to protect and less data potentially available to bad actors.  

AG Healey has long been an advocate for upholding the digital privacy and safety of Massachusetts consumers. Earlier this week, AG Healey’s Office joined a multistate coalition of 40 attorneys general in reaching a $391.5 million settlement with Google for misleading consumers about its location tracking practices. Earlier this month, the AG’s Office announced multistate settlements, totaling over $16 million, with Experian and T-Mobile regarding two data breaches that compromised the personal information of millions of consumers nationwide. 

AG Healey co-led the filing of this letter alongside the attorneys general of Connecticut, Illinois, New Jersey, North Carolina, and Oregon. The letter was also joined by Arizona, Colorado, Delaware, Washington D.C., Hawaii, Idaho, Indiana, Iowa, Maine, Maryland, Minnesota, Michigan, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Vermont, Washington, and Wisconsin. 

This case was handled for Massachusetts by Assistant Attorney General Kaitlyn Karpenko, with the assistance of Division Chief Jared Rinehimer, both of the AG’s Data Privacy and Security Division.   

###