Under Lina Khan, the FTC has begun to take a harder line on privacy and consumer protection. TerraTrue’s own Angelique Carson recently sat down with Gabe Maldoff, an associate at Goodwin Proctor, to discuss the FTC’s new priorities, GDPR tips, and how companies can strive in an era of stricter digital enforcement. Here are a few of the highlights, or you can watch the video in full.
FTC enforcement strategy and priorities
- While Chair Khan has made significant changes to the FTC, her priorities continue a decades-long trend towards increasing privacy and cybersecurity focus.
- One of the biggest changes is in how the FTC enforces compliance. The organization has historically taken an educational role, using negotiated settlements to demonstrate FTC requirements and priorities. Cambridge Analytica forced lead the FTC to take a more muscular position, which has solidified under Lina Khan’s leadership
- Commissioner Alvaro Bedoya has the strongest privacy background of any FTC commissioner, complimenting Khan’s antitrust bona fides with expertise in data security and consumer privacy.
- Heavy media coverage and growing consumer privacy awareness are driving stronger FTC enforcement, and increasing concern over consumer impact — particularly on children and other vulnerable groups.
Defining the role of the FTC
- Over the past several years, both Congress and the FTC itself have pushed for legislation to better define the agency’s role.
- In 2019, Commissioner Rebecca Kelly Slaughter dissented from the FTC’s $5 billion Facebook settlement because she felt the FTC should litigate the case to hash out the “rules of the road,” demonstrate the limits of FTC enforcement, and pressure Congress to legislate consumer privacy.
- With a Democratic majority in the FTC, Maldoff sees that viewpoint is gaining traction. However, it’s unclear how FTC rulemaking or possible congressional legislation will play out.
Personal liability in data breaches
- There are signs the FTC may hold the C-suite personally available for breaches in the future. For example:
- Uber’s former CSO Joe Sullivan is currently on trial over Uber’s data breaches.
- The recently proposed American Data Privacy and Protection Act included provisions to hold executives personally liable for data violations.
- Part of the rationale is to inspire companies to fill in gaps in tracking and protecting their data. A similar approach has been fairly successful in Europe under the GDPR.
- The future of this approach is unclear. There are concerns about the fairness of holding one executive personally responsible for data breaches, as well as the political viability of liability rules.
Children’s privacy
- The FTC attempted to limit advertising directed towards children in the late 70s, but retreated in the face of public and Congressional backlash. This made the FTC more cautious about avoiding perceived overreach. But increasing public and legislative concern over children’s privacy is leading the FTC to break with this tradition.
- COPPA has traditionally set the standard for FTC privacy enforcement in the U.S., but it only protects children under 13 and only covers data collected directly from children. Legislators have been actively working to strengthen the law.
- California’s recent Age-Appropriate Design Code Act tightened protection for children, and extended it to any child under 17. Other states are considering providing similar protections.
- Businesses should look for greater enforcement and stricter standards for children’s privacy.
Reproductive privacy after Dobbs v. Jackson Women's Health Organization
- The Dobbs ruling has made reproductive health privacy a major focus for the FTC and other regulators.
- States reacted quickly to the ruling, with some criminalizing abortion and others passing laws to protect reproductive health care seekers. This has created uncertainty in tech companies, which may find themselves required to protect reproductive health data in one state, and pressured to disclose it in another state.
- The FTC is moving in, requiring stricter safeguards and more explicit consent for reproductive data collection and sharing.
Check out the full interview to learn more about the FTC’s priorities and GDPR developments.