The Federal Trade Commission published an advance notice of proposed rulemaking on commercial surveillance and data security last week, opening a formal public comment period on whether the agency should issue rules governing how companies collect, use, and share consumer data. This is not a final rule, a proposed rule, or even a draft rule. It is an advance notice — the earliest stage of the federal rulemaking process, asking the public whether rules should be written at all. But it is also the clearest signal yet that the FTC under Chair Lina Khan is prepared to use its rulemaking authority to do what Congress has repeatedly failed to accomplish: establish a federal privacy framework with real enforcement teeth.
The adtech industry has operated for a decade in the regulatory gap between the EU’s General Data Protection Regulation and California’s Consumer Privacy Act. The GDPR’s opt-in consent requirement applies to EU-resident data and has generated significant compliance costs for global platforms. The CCPA’s opt-out model applies to California residents and has created data rights infrastructure but has not fundamentally changed how behavioral advertising operates in the United States. Federal regulation that applies nationally and requires opt-in consent — rather than California’s opt-out model — would be a different order of magnitude.
What the FTC’s ANPR Actually Asks
The advance notice poses 95 questions across a range of commercial surveillance practices, from behavioral advertising to facial recognition to algorithmic decision-making. Several questions are directly relevant to the programmatic advertising industry.
The ANPR asks whether the FTC should require affirmative consent before companies collect and use personal data for advertising purposes. This is the opt-in versus opt-out question that defines the fundamental difference between GDPR and CCPA. Under an opt-in model, you cannot target a user with behavioral advertising unless they have affirmatively consented to that targeting. Under the CCPA’s opt-out model, you can target anyone who has not specifically exercised their right to opt out — and most consumers never do, because the friction of opting out is higher than the default.
The FTC’s full ANPR text also asks about data minimization — whether companies should be limited to collecting only the data necessary for specific disclosed purposes — and purpose limitation — whether data collected for one purpose can be used for a different one. Both concepts are core GDPR requirements that do not have direct equivalents in current US federal law. Real-time bidding, which involves transmitting user data to hundreds of bidders simultaneously and using that data for targeting, modeling, and audience building well beyond the original transaction, sits uncomfortably under both principles.
The Gap Between CCPA and GDPR as the US Adtech Safe Zone
The practical reality of adtech compliance in 2022 is that US operations occupy a relatively permissive middle ground between European and California requirements. GDPR has generated significant compliance complexity for global platforms operating in Europe but has not restructured US-only operations. CCPA has created opt-out rights and data disclosure requirements but has not required the consent management infrastructure that GDPR compliance demands.
This gap has allowed the US adtech ecosystem to continue operating under a largely permissive data collection model — collect broadly, use widely, disclose in privacy policy terms — while European operations have had to build more restrictive consent flows. Federal opt-in consent would eliminate this gap and require restructuring the US data collection and use model to align more closely with GDPR-equivalent standards.
The International Association of Privacy Professionals has documented the compliance cost differential between opt-in and opt-out consent regimes. The short version: opt-in consent management infrastructure is significantly more expensive to build and maintain, and opt-in consent rates in advertising contexts tend to run materially below 100%, meaning reach is structurally reduced relative to opt-out models where most users remain in the addressable pool.
For programmatic specifically, the consequence of opt-in consent at federal scale would be dramatic. Real-time bidding currently involves data transmission that, under a strict GDPR interpretation, has been challenged by European regulators as incompatible with consent requirements — the fundamental problem being that consent for one publisher’s use cannot realistically cover data transmission to hundreds of DSP bidders. IAB Europe’s Transparency and Consent Framework has been under sustained regulatory scrutiny in Europe for exactly this reason. A federal opt-in requirement in the US would trigger the same structural challenge.
What Federal Opt-In Consent Would Mean for the Open Web
The straightforward modeling is this: if opt-in consent rates in the US track opt-in consent rates in Europe under GDPR, the percentage of users whose data can be used for behavioral advertising drops from approximately 90%+ (under opt-out, where non-opting-out users are targetable) to somewhere in the range of 50-70% in optimistic scenarios, lower in privacy-sensitive demographics.
That reduction in addressable inventory does not affect all platforms equally. Walled gardens — Google, Meta, Amazon — have first-party consented data from account registration that survives even strict opt-in frameworks. Users consent to data use when they create accounts and accept terms of service. The consent is arguably more durable and specific than cookie consent, and the platforms have the user relationship to support it.
The open web, which relies on cross-publisher tracking and third-party data to build audience segments for targeting, depends on consent that is harder to obtain at scale because there is no direct user relationship at the network level. Publishers can collect consent for their own use. IAB TCF can aggregate consent across publishers through consent management platforms. But the conversion rates for opt-in consent on cookie consent banners in Europe have been low, and the more prominent the consent request, the lower the opt-in rate.
The walled garden advantage expands under strict opt-in frameworks. This is not a coincidence — it is the structural consequence of a consent model that favors direct data relationships over network-level data compilation.
The Timeline Question
The FTC rulemaking process is slow. An advance notice of proposed rulemaking is followed by a proposed rule, a comment period, analysis of comments, potential modifications, a final rule, and inevitably legal challenges. The FTC’s rulemaking authority in this area may also face challenges based on the major questions doctrine — the argument that Congress, not agencies, should make decisions of this magnitude. The Supreme Court’s recent West Virginia v. EPA decision has created uncertainty about agency rulemaking scope.
Congressional action on federal privacy legislation — the American Data Privacy and Protection Act — is moving separately and may preempt FTC rulemaking if it passes. The ADPPA discussion draft includes both opt-in requirements for sensitive data and preemption of state privacy laws including CCPA, which has created political complications with California’s Congressional delegation.
The immediate practical implication for adtech operators is not operational change — no rule is imminent. The strategic implication is that federal privacy regulation is moving from political aspiration to active regulatory process, and the direction of travel toward stricter consent requirements is clearer than it was two years ago. Building consent infrastructure and data minimization practices ahead of regulation is cheaper than retrofitting after rulemaking forces it.
FAQ
What is the difference between the FTC’s ANPR and an actual privacy rule?
An advance notice of proposed rulemaking (ANPR) is the first step in the federal rulemaking process — a formal request for public comment on whether rules should be developed and what form they might take. It has no legal effect on its own. Actual rules require a subsequent proposed rule, additional comment periods, and final rule publication. The process typically takes several years.
How does the CCPA’s opt-out model differ from GDPR’s opt-in model?
Under CCPA, companies can collect and use personal data for advertising purposes unless a California resident specifically exercises their right to opt out. Under GDPR, companies must obtain affirmative, informed consent before processing personal data for advertising purposes — consumers must actively opt in rather than failing to opt out.
Would a federal US privacy law preempt CCPA?
Proposed federal privacy legislation like the American Data Privacy and Protection Act includes preemption provisions that would override state laws including CCPA. California’s Congressional delegation has opposed preemption provisions, creating a significant political obstacle to final legislation. The FTC’s rulemaking process operates separately from Congressional legislation.
What does the FTC’s commercial surveillance rulemaking mean for programmatic advertisers right now?
No immediate operational changes are required. The rulemaking process is in its earliest stage and could take several years to produce enforceable rules if it proceeds. The strategic implication is that the direction of regulation is toward stricter consent requirements, and building first-party data and consent management infrastructure proactively is a lower-risk posture than waiting for mandatory compliance deadlines.