Recently, the U.S. Senate confirmed Alvora Bedoya as the last outstanding FTC commissioner, giving the agency a Democratic majority and clearing the path for it to pursue its agenda. But Republicans tried for months to block the move.
In this webinar with the Future of Privacy Forum Policy Counsel Tatiana Rice, and TerraTrue’s Director of Content Strategy Angelique Carson, learn more about what to expect from a fully-stacked FTC, where the agency might focus, and whether it plans to hold executives liable for privacy violations.
If you’d prefer to watch this webinar in totality, find it here.
Angelique Carson: Why did Republicans fight so hard to keep Bedoya from being appointed? Now that he’s been confirmed, what do you think the impact will be? How does this aid Chairperson Lina Khan’s agenda?
Tatiana Rice: I think a lot of Republicans were saying that he would be too much of an advocate in the space, rather than their idea of the FTC being kind of balanced and apolitical. That was basically their argument.
In reality, we know it’s probably more likely they didn’t want Khan to have a Democratic majority.
So prior to Bedoya’s confirmation, the FTC had been gridlocked with two Republican commissioners, Noah Philips and Christine Wilson, and two democrats with Lena Khan and Rebecca Kelly slaughter.
During Khan’s tenure, for anything that she wanted to do, she needed at least a Republican on board for that. And she obviously has a pretty progressive agenda in terms of enforcement actions, specifically towards Big Tech in the privacy space and the anti-trust space as well.
Now that Bedoya’s been confirmed, the FTC had its first meeting last week. And they actually already approved a policy statement on the children’s privacy, which is kind of indicative of where things are going to be going now that there’s a Democratic majority.
Carson: You think they’ll focus on children’s privacy pretty heavily?
Rice: I think they will, I mean it’s something really easy because there’s already a children’s privacy law. So it’s nothing that they’re going to have to do rulemaking for, and they’re not going to have to reinvent the wheel. They have been doing COPPA revisions and rule-making a little bit. But since there’s already a rule on the book that’s something they can definitely be enforcing. And the policy statement that they put out last week, I recommend people check it out. Not only are frameworks like notice and consent not enough in those spaces, but a lot of those substantive provisions are going to be important to Khan’s agenda – data minimization and making sure that the data that you have is necessary for the purpose of what you’re collecting it for.
Carson: Okay, so, children’s privacy is a priority. Where else might the FTC enforce?
Rice: I think Khan, in particular, has an interest in the ad tech world. Honestly, I think that is going to be a focus of hers, and it’s pretty clearly under the FTC’s purview in terms of unfair and deceptive practices. So I think that’s something to be expected in terms of targeted advertising: Ad Tech in the context of children’s privacy, and what are companies going to be able to target kids for?
Carson: Yes, in her speech at the IAPP Global Privacy Summit, Khan actually mentioned this idea of “I’m not only holding big tech to task but actually potentially holding executives themselves to task,” which can be sort of terrifying if you’re at a company and thinking: I want to do the right thing, I don’t wanna make missteps. But what if I did it, could I be held personally liable? What do you think about this idea of executive accountability? Is that the future?
Rice: if you’re a lawyer, there’s something called “piercing the corporate veil.” Usually, there’s some kind of line between a CEO and the company and what’s personal liability and not. Recently, there was a Supreme Court case called MG Capital Management, where the Supreme Court basically found that the FTC can’t get equitable monetary remedies under the FTC Act.
So Khan herself has started saying that they’re going to get more creative because they do want to crack down on Big Tech more. And like you said, executive accountability is one of the things that they’re that she would like to pursue more of.
The real dividing line of when that is applicable though is when a CEO, according to FTC guidance, is actively involved in it. So I think that there is a difference between a CEO who is, you know, running the business, but not super involved in the technical components of what is happening. There has to be a certain level of knowledge for the FTC to be able to have that executive accountability function.
But CEOs are not completely out of the light for the FTC, and that is something that they’re going to need to be considering. Pleading ignorance is probably not going to be enough. But trying to make sure that you, as a CEO, are telling your company or telling your employees to do these best practices for privacy and data management is going to be important in order to avoid those kinds of issues.
Carson: I’m just thinking as you’re speaking: We know for privacy professionals, it’s long been a struggle to get visibility in front of the C-suite and to get top-down support for privacy. Oftentimes, I think you really need that messaging coming from the C-suite to say it’s a top-down mandate, we’re going to have a culture of privacy. So if we’re saying that the CEO or someone in the C-suite has to have visibility to be held liable, do you think that could create sort of problems? Could that in some ways make a CEO feel like, “I just don’t want to know.”
Rice: Yeah, exactly. It’s a double-edged sword, right? Because, yeah, if you know, then you could be liable. Whereas if you’re ignorant to what’s happening within your company maybe you’ll avoid the liability. My guess is like I said, pleading ignorance is probably not going to be enough, particularly if you’re in a company based on data. If managing or selling or sharing or collecting data is a fundamental function of what you do, then I think it’s going to be really hard to disentangle those things.
Carson: Who do you think this FTC wants to go after?
Rice: One of the things that Khan noted during her IAPP speech was focusing on those that are causing the most harm. I do think anybody in the space knows that privacy is important
Making sure they’re really going after the bad actors that you are really going after the bad actors is going to be important if they’re aiming to have a wide impact on American society. And of course, they aren’t going to want to worry about litigation and having rulings being questioned by the court. So knowing what’s within their purview and what is a direct violation is going to be important.
Carson: What is this news about algorithmic discouragement? Khan mentioned it in her IAPP speech. Algorithms can be really important to a company’s success, and they’re often the “secret sauce.” What do we need to know?
Rice: The premise of algorithmic disbursement is if you create any kind of algorithm or model that’s based on data that was illegally harvested are collected, you must destroy that algorithm in its entirety. And that’s obviously a very potent tool because, as you said, for a lot of companies, their algorithms are their company. Especially if you’re a tech company.
It’s really hard to discern what that really means in terms of functionality because a lot of algorithms depend on others. You have these data sets that comprise a lot of different data, and so if any one data set is tainted, you can have several models that are dependent on that data. So you have all these different models that are potentially up for liability or could be destroyed if you’re not collecting that data correctly.
That’s what happened pretty recently in a Weight Watcher’s case, where the FTC enforced against them.
Carson: We’ve been talking about passing a privacy law for a long time. Who knows if this year is the year. But regardless, what kind of role do you think the FTC might play? Would the FTC enforce it?
Rice: I don’t know how many of us are holding our breath for a federal privacy law this year, but in any event, if there is a federal privacy law, I think we can anticipate with pretty high expectations that it will be the FTC enforcing the law and doing rulemaking.
There’s a good chance there won’t be a lot of guidance on what consent means and whether there’s going to be a global opt out. So I think [lawmakers] are going to allocate that over to the FTC to talk about more of those specifications.
And so under the FTC’s purview is unfair deceptive trade practice. So they’re going to have the authority to not only be enforcing the law as they do a lot of times with cyber security and data breaches already but also probably doing a lot of the rule making as well.
But the ability for the FTC to efficiently do that is going to be very dependent on whether and how Congress allocates any appropriations to them. Because I think every FTC commissioner has said multiple times that they just do not have the resources or staff to be able to handle this in an efficient manner. They need more scientists, and they need more developers. They need more people with technical expertise. So they actually understand how they’re enforcing the law and, you know, making sure they’re doing it the right way.
For more on this new FTC and what it means for companies under its purview, follow our ongoing coverage on our blog.