For Immediate Release:
November 17, 2022
Contact: Jerri Mares — (505) 321-4372

Letter Highlights Sensitivity of Consumer Information Collected Online, Including Medical, Biometric, and Location Data; Addresses Dangers of Data Brokers

ALBUQUERQUENew Mexico Attorney General Hector Balderas today joined a bipartisan group of 33 attorneys general in calling on the Federal Trade Commission (FTC) to consider the consumer harms caused by the prevalence of commercial surveillance and data security practices when creating new rules to prevent misconduct and promote transparency and accountability around online data collection. 

In a comment letter, filed today in response to the FTC’s Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security, the attorneys general urge the FTC to acknowledge the heightened sensitivity around consumers’ medical data, biometric data, and location data, along with the dangers that arise from data brokers and the surveillance of consumers. The coalition also asked that the FTC consider data minimization, which limits the amount of data collected by businesses to only what is required for a specific purpose, to help mitigate concerns surrounding data aggregation. 

“New Mexican’s privacy and security should not be a trade-off for digital innovation, and I urge the legislature to strengthen data privacy protections and make meaningful change to the way Big Tech companies are regulated,” said Attorney General Balderas.

Location Data

According to the letter, many consumers are not even aware that their location information is being collected, and when a consumer wishes to disable location sharing, their options are quite limited. The attorneys general recognize the sensitive nature of this information, which can reveal intimate details of daily life—such as where they live and work, their shopping habits, their daily schedule, or whether they visited the doctor or pharmacy. Laws passed in states like California, Connecticut, and Virginia that restrict the use and collection of location data can provide a framework to inform the FTC through the rulemaking process.

Biometric Data

The coalition urges the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies. Many consumers provide this information to companies for security purposes or to learn about their ancestry, but consumers are not always made aware of when their data is collected, how it is used, or if it is resold for purposes to which they never meaningfully consented.

Medical Data 

The FTC should also consider the risks of practices that use medical data, regardless of whether the data is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule. Medical data not necessarily covered by HIPAA is referred to as “health adjacent data,” which can be collected by many devices—for instance, smartwatches, heart monitors, sleep monitors, and health or wellness phone applications. The letter also highlights medical information risks through examples such as the storage of health-related internet searches, or appointment scheduling information being passed to others through online tracker tools. 

Data Brokers 

The attorneys general reiterated to the FTC the persistent dangers of data brokers. Data brokers profile consumers by scouring social media profiles, internet browsing history, purchase history, credit card information, and government records like driver’s licenses, census data, birth certificates, marriage licenses, and voter registration information. Data brokers also use this information to create profiles of certain consumers—which can be purchased by almost anyone—based on susceptibility to certain advertising or likelihood to buy certain products. This scale of aggregation of anonymously gathered information can identify consumers and put consumers at risk of scams, unwanted and persistent advertising, identity theft and lack of consumer trust in the websites they visit.

Data Minimization 

The attorneys general say that it is vital that the FTC consider data minimization requirements and limitations. With respect to data collection and retention, the letter encourages the FTC to examine the approach taken in the California, Colorado, Connecticut, Utah and Virginia consumer privacy laws which mandate that businesses tie and limit the collection of personal data to what is “reasonably necessary” in relation to specified purposes. Limiting the collection and retention of data by businesses will improve consumer data security as businesses will have less data to protect and less data potentially available to bad actors. 

Today’s letter was co-led by Connecticut Attorney General William Tong, Illinois Attorney General Kwame Raoul, Massachusetts Attorney General Maura Healey, New Jersey Attorney General Matthew Platkin, North Carolina Attorney General Josh Stein, and Oregon Attorney General Ellen Rosenblum and joined by the attorneys general of Arizona, Colorado, Delaware, Washington D.C., Hawaii, Idaho, Indiana, Iowa, Maine, Maryland, Minnesota, Michigan, Montana, Nebraska, Nevada, New Hampshire, New York, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Vermont, Washington, and Wisconsin.