FTC Update

It has been just over one year since Lina Khan was confirmed by the Senate and designated Federal Trade Commission (FTC) chair by the president. At the outset of her tenure, she had a Democratic majority, which ended in October 2021 when former Commissioner Rohit Chopra departed the FTC to take over as director of the Consumer Financial Protection Bureau. But in May, the Senate confirmed Alvaro Bedoya as the fifth commissioner in the narrowest of votes, giving back a Democratic majority to Chair Khan.

Since the Democratic majority has re-formed, not much has changed outwardly at the agency; indeed, almost every consumer protection and privacy case voted out in the past few months has been voted out unanimously, though with occasional concurring statements from some commissioners. But it is likely that we will see more partisan activity going forward, akin to what the agency saw when Chair Khan first took over.

Although much of the privacy attention in this country has been focused on the states for the past few years, we could easily see a shift in focus back to the FTC, and soon. Just a few weeks ago, a discussion draft emerged of bipartisan, bicameral federal privacy legislation, the American Data Privacy and Protection Act (ADPPA), that would keep the FTC quite central on privacy issues, both as an enforcer (along with the states) and as the agency with extensive rulemaking responsibility under the draft legislation. Not surprisingly, factions have already formed on the legislation, with some saying it goes too far and others saying it doesn’t go far enough, but the continued role of the FTC in this significant legislation is noteworthy. And at a recent hearing on the ADPPA, both sides of the aisle appeared committed to federal privacy legislation, but it remains to be seen whether the lingering – but important – issues in dispute will grind this significant development to a halt.

Clearly, if the draft legislation – or anything remotely similar – becomes law, the FTC will be heavily engaged in significant and extensive privacy policy and rule development for the foreseeable future. But even if the legislation does not materialize, we will likely see more FTC activity, most likely through the initiation of a Mag-Moss rulemaking on some privacy issues. Chair Khan has spoken publicly about the possibility of such a rulemaking, and the agency said as much in a December 2021 Statement of Regulatory Priorities. That statement provided that such a rulemaking will focus on what it describes as “abuses stemming from surveillance-based business models” and indicates that the FTC is “considering whether rulemaking in this area would be effective in curbing lax security practices, limiting intrusive surveillance, and ensuring that algorithmic decision-making does not result in unlawful discrimination.” Such a rulemaking would likely be initiated through a partisan vote and would take many years to complete if it can be completed at all. Unlike most rulemaking that is done at the direction of Congress, the FTC’s organic Mag-Moss rulemaking must utilize a far more cumbersome rulemaking process, and you can learn more about some real limitations on the FTC Mag-Moss rulemaking process here.

And on the policy front, it is worth remembering that back in 2020, the FTC initiated a broad study of the privacy practices of nine social media and video streaming services. These studies take significant amounts of time to complete, but it is certainly possible we will see a report on this coming out of the agency in 2022. Such a report would detail, among other things, how these companies collect and use personal information, their advertising practices, and how their practices affect children and teens.

In addition to the potentially extensive rulemaking and policy work, we will continue to see the filing of cases addressing a range of privacy and security issues. Certainly, the Children’s Online Privacy Protection Act will remain an important area of enforcement focus. And just a few weeks ago, the agency issued a policy statement indicating that it intends to focus particularly on whether ed-tech companies are complying with COPPA. Of course, a COPPA rulemaking was initiated back in 2019, and it is certainly possible that we will see proposed COPPA Rule changes this year. Additionally, there will likely be an increased focus at the agency on digital platforms and marketplaces, whether algorithms are being used in potentially discriminatory manners, and violations of the recently amended GLB Safeguards Rule or provisions of the Fair Credit Reporting Act. The agency also continues to focus on sharpening the remedies that it seeks in privacy cases, and in recent cases has required the deletion of algorithms that were developed using unlawfully obtained data and required notice to consumers. And notice will be an interesting area of focus, as the agency’s chief technology officer recently blogged – to the surprise of many – that in some instances the FTC Act has a de facto breach notification requirement.

One additional area of focus will be the convergence of privacy and competition issues. In a 2021 report to Congress on various privacy and security issues, the agency emphasized a strong interest in exploring the overlap between privacy and competition. In particular, the report (over some objections) indicated a desire to “closely examine the consolidation and conduct of big tech companies, which can use their monopoly power to engage in unfettered collection and use of consumer data.”

Whether federal privacy legislation stalls or reaches the finish line, it is quite certain that we will see even more FTC privacy activity going forward.