Last week, we wrote about FTC Chair Khan's memo describing her plans to transform the FTC's approach to its work. This week, she followed up with a no-less-ambitious statement laying out her vision for data privacy and security, which she appended to an agency Report to Congress on Privacy and Security ("report"). Together, these documents outline a remarkably far-reaching plan to tackle today's data privacy and security challenges. As noted in the dissents, however, some of the stated goals may exceed the bounds of the FTC's current legal authority.
Privacy/Competition Focus on Tech
First, Khan's statement reiterates her commitment to address privacy through a "cross-disciplinary" approach that uses the tools of competition law, not just consumer protection law, to address privacy harms. She states that "concentrated control over data has enabled dominant firms to capture markets and erect entry barriers while commercial surveillance has allowed firms to identify and thwart emerging competitive threats," resulting in reduced privacy.
To address these concerns, as outlined further in the report, the agency intends to focus "most" of its limited resources against the "data practices of dominant digital platforms," including through additional compliance reviews and order modifications and enforcement, "as necessary," against, for example, Facebook, Google, Microsoft, Twitter, and Uber.
The Report adds that (with more resources from Congress), the FTC also will prioritize:
- Adtech and "Walled Garden" Advertising
- "[B]usiness models that depend on expansive and potentially illegal data collection to fuel targeted advertising and user engagement," and
- "Exclusionary or predatory conduct by dominant digital platforms to defend their data troves, resulting in lower levels of privacy and data protections and more intrusive ads."
- Children's Tech: "Platforms and other online services that are potentially violating COPPA, an area of particular importance given that many children may be increasingly relying on online services for both educational, entertainment, and social purposes during the pandemic."
- Other Privacy Considerations, such as data uses involving health, biometric, or other sensitive data, discriminatory algorithmic practices, or other deceptive or unfair data practices.
- Even More Competition Focus on
- Dominant digital platforms' data practices that present both privacy and competition concerns due to their scope and size, and
- "Acquisitions that allow dominant digital platforms to collect and control ever expanding data from consumers or block the development of more secure data protection policies."
Second, recognizing that competition may not always align with and fully address privacy concerns, Khan emphasizes the need for the FTC to use its rulemaking authority to codify baseline protections. In support of such rules, she cites a variety of factors that may mask how much consumers value their privacy and undermine their ability to make choices to protect it. These include the lack of competition among technology providers, "dark patterns" that manipulate and "nudge" users, and the inadequacies of the notice-and-consent framework. The report elaborates on this topic, stating that the FTC intends to develop new privacy rules (presumably under its inherent "Magnuson Moss" rulemaking authority) and strengthen existing ones, such as COPPA, Health Breach Notification (already expanded via policy statement as we discuss here), Red Flags, and GLB Safeguards. In other words, expect more rulemaking concerning privacy practices affecting children's data, health, identity theft, and financial services (but likely with a much broader view of what these encompass based on the FTC's recent activity).
New Data Use Restrictions
Third, Khan states that the FTC should consider "substantive limits," rather than procedural protections and process requirements, in its privacy work. Here, she also discusses how behavioral ad-based business models can "incentivize constant surveillance, resulting in further mass aggregation of data, potentially heightening the risk of data privacy and security abuses—and further inviting us to consider a market-wide approach." Her provocative discussion of behavioral advertising here (and multiple references to unlawful or intrusive surveillance on this topic) is significant, as it suggests that she intends to issue rules limiting or banning this practice, as urged in a recent petition to the FTC. Relatedly, the report states that the FTC will obtain stronger remedies in enforcement actions, including notifications to consumers when their data has been disclosed; provisions requiring companies to monitor and prevent identity theft and other privacy harms; deletion of algorithms, models, and data created or used illegally; and redress obtained in coordination with other federal and state agencies.
Finally, Khan cites the need for a substantial increase in resources to bring the FTC in line with international counterparts and enable the agency to recruit additional talent. The report elaborates on this goal, comparing the FTC's privacy FTEs (40-45) to the UK's (768) and stating the FTC needs about 100 more. (This point was also discussed in the Congressional hearing last week). According to the report, the FTC would use these resources for all of the activities discussed above, as well as a host of others, including conducting additional industry studies under Section 6(b) of the FTC Act; studying algorithms and bringing enforcement actions against algorithmic discrimination; hiring more technologists and subject matter experts; and addressing privacy and safety issues involving connected cars, health devices, stalking apps, and pornography platforms.
The report also reiterates the FTC's call for federal privacy legislation, legislative clarification of the FTC's authority to obtain consumer redress under Section 13(b), and removal of the common carrier and non-profit exceptions.
Is This News? Yes, and Here's Why.
Many of the goals in Khan's statement and the report are consistent with the FTC's current authority and longstanding support for stronger federal laws and remedies. Robust injunctive and monetary relief, section 6(b) studies, vigorous order enforcement, and enhanced legislative authority and resources are all worthy goals that protect consumers and honest businesses and increase the agency's effectiveness. However, as discussed in Commissioner Phillips' dissent and Commissioner Wilson's concurrence in part, dissent in part, some of them likely exceed the FTC's statutory mandate and will run into serious obstacles when they are tested in court.
For example, as the Phillips and Wilson statements note, competition and privacy are governed by different laws with different remedies. To the extent that Khan seeks to conflate these laws and remedies, it could exceed the FTC's authority. In addition, Phillips emphasizes that many of the goals and remedies cited by Khan and the report – including the references to "tackling [privacy] issues on a structural level" and potentially banning industry-wide practices through rulemaking – could "bar companies from engaging in legal conduct," "let a majority of Commissioners run companies by regulatory fiat," and usurp the role of Congress in weighing the "judgements and tradeoffs that will be required of privacy legislation..."
As mentioned in our blogpost last week, there are also many legal and practical obstacles to engaging in rulemaking of the type and number that Khan and the report appear to contemplate. Under Magnuson Moss rulemaking, the FTC must prove that any practice it seeks to regulate is unfair or deceptive, as well as prevalent. Magnuson Moss rulemaking also contains a slew of procedural steps that the agency must take (hearings, analyses, publications, etc.) and establishes a standard of judicial review that gives very little deference to the agency. These hurdles were imposed by Congress precisely because Congress was concerned about regulatory overreach in the 1970s. (For a little history tour, see "Stoning the National Nanny: Congress and the FTC in the late 1970s," by former FTC Chairman Michael Pertschuk).
For all of these reasons, the FTC's privacy (competition, and tech) agenda is certainly likely to face challenges. Congress could block or delay many of the bold regulatory moves being discussed now, especially as they relate to broad federal mandates banning conduct that, to date, has never been found to be illegal. Will Congress be willing to allocate additional resources to an agency that is reconceiving of itself and its privacy mandate? Will additional resources be enough to empower a new bureau of privacy without additional legal authority? How will the courts respond to the FTC's ambitious efforts? If the Supreme Court's AMG decision is any indication, the agency is likely to face judicial skepticism over some of these positions.
In the meantime, the road ahead appears to be filled with new rulemaking and investigations, potentially novel legal theories, and more litigation. Companies may need to make difficult decisions as they navigate these developments and consider whether to expend the resources necessary to challenge them in court. We will continue to monitor and report on developments as they occur.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.