Last week we wrote about FTC Chairman Khan note outlining his plans to transform the FTC’s approach to his work. This week, she continues with a no less ambitious declaration outlining her vision of privacy and data security, which she annexed to an agency Report to Congress on confidentiality and security (“report”). Together, these documents outline a remarkably ambitious plan to meet today’s challenges in privacy and data security. As noted in the differing opinions, however, some of the stated goals may exceed the limits of the FTC’s current legal authority.
Confidentiality / Competition Focus on technology
First, Khan’s statement reiterates his commitment to tackling privacy through an “interdisciplinary” approach that uses the tools of competition law, and not just consumer protection law, to tackle privacy breaches. . She states that “data-focused control has enabled dominant companies to conquer markets and erect barriers to entry, while trade surveillance has enabled companies to identify and thwart emerging competitive threats.” , which reduced confidentiality.
To address these concerns, as noted later in the report, the agency intends to focus “most” of its limited resources on “dominant digital platform data practices,” including through additional compliance reviews and changes and enforcement of orders, “if necessary,” against, for example, Facebook, Google, Microsoft, Twitter, and Uber.
The report adds that (with more resources from Congress), the FTC will also prioritize:
- Adtech and “Walled Garden” advertising practices, including:
- “[B]Business models that depend on extensive and potentially illegal data collection to fuel targeted advertising and user engagement ”, and
- “Exclusionary or predatory conduct of dominant digital platforms to defend their data treasures, resulting in lower levels of privacy and more intrusive data and advertising. “
- Technology for children: “Platforms and other online services that may violate COPPA, an area of particular importance given that many children may increasingly rely on online services for educational, entertainment and social purposes during the pandemic. “
- Other privacy considerations, such as data uses involving health, biometric or other sensitive data, discriminatory algorithmic practices, or other deceptive or unfair data practices.
- Even more competition on technology:
- The dominant data practices of digital platforms that present both privacy and competition concerns due to their scope and size, and
- “Acquisitions that allow dominant digital platforms to collect and control ever-increasing consumer data or block the development of more secure data protection policies. “
Development of confidentiality rules
Second, recognizing that the competition may not always align and fully address privacy concerns, Khan stresses the need for the FTC to use its regulatory authority to codify basic protections. In support of these rules, she cites a variety of factors that can mask how much consumers value their privacy and undermine their ability to make choices to protect it. These include the lack of competition between technology providers, “dark models” that manipulate and “push” users, and inadequate notification and consent frameworks. The report expands on this topic, indicating that the FTC intends to develop new privacy rules (presumably under its inherent regulatory authority “Magnuson Moss”) and strengthen existing ones, such as COPPA, Health Breach Notification ( already extended via a policy statement as we discuss here), red flags, and GLB backups. In other words, expect more rules around privacy practices affecting children’s data, health, identity theft, and financial services (but likely with a much broader view of what they are). encompass based on recent FTC activity).
New data usage restrictions
Third, Khan says the FTC should consider “substantial boundaries”, rather than procedural protections and process requirements, in its work on confidentiality. Here, she also explains how behavioral business models based on advertising can “prompt constant monitoring, resulting in additional mass aggregation of data, potentially increasing the risk of abuse of privacy and data security, and we further inviting consideration of a market-wide approach ”. Her provocative discussion of behavioral advertising here (and its multiple references to illegal or intrusive surveillance on this topic) is significant, as it suggests that she intends to enact rules limiting or prohibiting the practice, as advocated. a recent petition at the FTC. At the same time, the report says the FTC will get stronger remedies in enforcement actions, including notifications to consumers when their data has been leaked; provisions requiring companies to monitor and prevent identity theft and other privacy breaches; removal of algorithms, models and data created or used illegally; and redress obtained in coordination with other federal and state agencies.
Finally, Khan cites the need for a substantial increase in resources to align the FTC with its international counterparts and allow the agency to recruit additional talent. The report expands on this goal, comparing the FTC’s privacy FTEs (40-45) to those in the UK (768) and stating that the FTC needs around 100 more. (This point was also discussed during the congressional hearing last week). According to the report, the FTC would use these resources for all of the activities outlined above, as well as a host of others, including conducting additional industry studies under section 6 (b) of the FTC law; study algorithms and take coercive action against algorithmic discrimination; hire more technologists and subject matter experts; and address privacy and security issues involving connected cars, healthcare devices, stalking apps and pornography platforms.
The report also reiterates the FTC’s call for federal privacy legislation, legislative clarification of the FTC’s power to seek redress from consumers under Section 13 (b), and the removal of exceptions for public carriers and non-profit organizations.
Is this news? Yes, and here’s why.
Many of the goals of Khan’s statement and report are consistent with the FTC’s current authority and its long-standing support for stronger federal laws and remedies. Strong injunctive and monetary relief, Section 6 (b) studies, rigorous enforcement, and increased legislative authority and resources are all laudable goals that protect honest consumers and businesses and increase profitability. agency efficiency. However, as discussed in Commissioner Phillips’ report contestation and that of Commissioner Wilson partly agree, partly dissent, some of them likely exceed the FTC’s statutory mandate and will face serious hurdles when tested in court.
For example, as Phillips and Wilson’s statements note, competition and privacy are governed by different laws with different remedies. To the extent that Khan seeks to amalgamate these laws and remedies, it could be beyond the authority of the FTC. Additionally, Phillips points out that many of the goals and remedies cited by Khan and the report – including references to “the struggle [privacy] structural level issues ”and potentially prohibiting industry-wide practices through rule-making – could“ prohibit companies from engaging in legal conduct ”,“ let a majority of commissioners lead companies by regulatory decree ”and usurp the role of Congress in evaluating“ judgments and compromises that will be required of privacy legislation… ”
As mentioned in our blog post last week, there are also many legal and practical hurdles to making rules of the type and number that Khan and the report seem to envision. Under Magnuson Moss’ rule-making, the FTC must prove that any practice it seeks to regulate is unfair or deceptive, as well as widespread. Magnuson Moss’ rule making also contains a series of procedural steps the agency must take (hearings, analyzes, publications, etc.) and sets a standard of judicial review that grants very little deference to the agency. These hurdles were imposed by Congress precisely because Congress was concerned about over-regulation in the 1970s. (For a quick history tour, see “Stoning of the National Nanny: Congress and the FTC in the late 1970s,By Former FTC Chairman Michael Pertschuk).
For all of these reasons, the FTC’s privacy (competition and technology) program is certainly likely to face challenges. Congress could block or delay many of the bold regulatory measures currently under discussion, especially with regard to broad federal mandates prohibiting conduct that has never been found to be illegal to date. Will Congress be prepared to allocate additional resources to an agency that is rethinking itself and its privacy mandate? Will additional resources be sufficient to empower a new privacy office without additional legal authority? How will the courts react to the ambitious efforts of the FTC? If the Supreme Court AMG decision is an indication, the agency is likely to face judicial skepticism about some of these positions.
In the meantime, the road ahead appears to be filled with new rules and investigations, potentially new legal theories, and more litigation. Businesses may need to make tough decisions as they navigate these developments and consider whether they should spend the necessary resources to challenge them in court. We will continue to monitor and report on developments as they occur.