Then-FTC Commissioner nominee Lina M. Khan testifies during a Senate hearing. The FTC is considering broad new regulations on privacy and data security targeting commercial surveillance. (Photo by Graeme Jennings/Pool via Getty Images)

The Federal Trade Commission narrowly voted to explore new regulations on commercial data surveillance, saying the growing practice raises the risk of data breaches, manipulation of consumers and other harmful practices.

In a 3-2 vote, the commission voted in favor of beginning a process that could result in some of the most stringent consumer privacy and data security protections ever.

The agency filed an advance notice of proposed rulemaking this week laying out the rationale for new regulations, writing that modern consumers must essentially forfeit their privacy and personal data as the cost of entry into our modern technological society. Devices, applications, browsers and software programs now regularly and routinely collect data points that reveal their habits, hobbies, friendship circles, place of employment, religion and even things like pregnancy status and menstrual cycles.

Meanwhile, industry at large has moved over the years to hoover up and sell as much of that data as possible to ad brokers, marketing shops and other providers. These are often preceded that expansive terms of service agreements that virtually no one reads but are required to access most major products and services that connect to the internet.

“An elaborate and lucrative market for the collection, retention, aggregation, analysis, and onward disclosure of consumer data incentivizes many of the services and products on which people have come to rely. Businesses reportedly use this information to target services — namely, to set prices, curate newsfeeds, serve advertisements, and conduct research on people’s behavior, among other things,” the FTC said in the notice. “While, in theory, these personalization practices have the potential to benefit consumers, reports note that they have facilitated consumer harms that can be difficult if not impossible for any one person to avoid.”

This data collection also means that when these companies are eventually breached, they are able to provide malicious hackers with massive treasure troves of data that can be sold on underground markets, used to craft advanced spearphishing techniques and facilitate fraud and other deceptive operations.

Thus far the FTC’s enforcement of privacy and data security in this sector has been done on a case-by-case basis, but that experience “suggests that enforcement alone without rulemaking may be insufficient to protect consumers from significant harms.” Current rules limit the agency’s ability to punish or fine first-time offenders, nor does it undo the damage to consumer data if there is a breach. The agency also lacks the resources to conduct individual investigations and enforcement action against every violator and believes a proactive regulation would be more effective curbing these practices more broadly.

In a statement, Chair Lina Khan said putting new rules in place was necessary to place meaningful limits on data collectors and give Americans a measure of control over their personal information.

“The data practices of today’s surveillance economy can create and exacerbate deep asymmetries of information — exacerbating, in turn, imbalances of power. And the expanding contexts in which users’ personal data is used — from health care and housing to employment and education — mean that what’s at stake with unlawful collection, use, retention, or disclosure is not just one’s subjective preference for privacy, but one’s access to opportunities in our economy and society, as well as core civil liberties and civil rights,” Khan said.

Underscoring the vast reach that these practices have on consumers, the notice includes an eye-popping 95 separate questions around how the FTC should go about regulating the sector, what kind of restrictions it should be considering to enhance data security and privacy, and what collateral effects they may have on the technology and industry landscape.

A partial list of data security questions the FTC is asking for public input on as it considers broad new regulations on the commercial surveillance sector. (Source: FTC)

Both of the commissioners who voted against the measure (Christine Wilson and Noah Joshua Phillips) were appointed by Republican President Donald Trump. In statements, both Phillips and Wilson said their vote was based, in part, on the belief that such rules should be implemented through legislation.

The question is more than theoretical, as both the House and Senate have put forth their own versions of national privacy legislation that would address many of the underlying issues the FTC is considering.

“National consumer privacy laws pose consequential questions, which is why I have said, repeatedly, that Congress — not the Federal Trade Commission … is where national privacy law should be enacted,” Phillips said. “I am heartened to see Congress considering just such a law today, and hope this commission process does nothing to upset that consideration.”

The commission will also host a virtual public forum on commercial surveillance and data security on Sept. 8.