Amid urgent national security, cybersecurity and data privacy threats, companies require deeply experienced counsel to respond strategically to potentially crippling data incidents, so they can get back to business. Led by the nation’s leading legal advisors on national security and data-related regulatory matters, we help boards and top executives safely navigate high-impact breaches and related cyber incidents, and offer specialized regulatory advice in the transactional and compliance contexts.
In First Major Policy Speech, FTC Chair Lina Khan Highlights Data Privacy and Security Enforcement Priorities
April 18, 2022 Download PDF
On April 11, 2022, Federal Trade Commission (“FTC”) Chair Lina Khan delivered a keynote address at the 2022 International Association of Privacy Professionals (“IAPP”) Global Privacy Summit.[1] This was Khan’s first public address focused on data privacy and security issues since being sworn in as chair of the FTC nearly a year ago. Khan’s remarks foreshadow upcoming rulemaking and enforcement activity targeted at data privacy and security practices of companies and their executives. They also provide the business community and data privacy practitioners a window into Khan’s data privacy and security enforcement perspective and priorities. In a separate panel discussion at the same conference, FTC Commissioner Noah Phillips offered his, at times competing, views on data privacy and the role of antitrust law in data privacy enforcement.
Chair Khan’s remarks
At the outset, Chair Khan observed the shifting landscape of data privacy and security practices, noting that the pandemic has “hastened the digitization of our economy and society, further embedding digital technologies deeper into our lives,” including at schools and workplaces. Chair Khan focused in particular on how companies track, gather, and use consumer data. She noted, for example, that developments in digital technology enable companies to collect “vast” data about individuals “at a hyper granular level,” and that the “availability of powerful cloud storage services and automated decision-making systems … have allowed companies to combine this data across domains and retain and analyze it in aggregated form at an unprecedented scale, yielding stunningly detailed and comprehensive user profiles that can be used to target individuals with striking precision.”
Chair Khan raised a number of potential risks to consumers from these data practices, including:
- Allowing companies to “target scams and deceptive ads to consumers who are most susceptible to being lured” by them;
- Targeting advertisements in certain sectors based on race, gender, and age, resulting in potentially unlawful discrimination;
- Increasing consumer exposure to stalkers, hackers, identity thieves, and other “cyber threats”; and
- Creating or exacerbating “deep asymmetries of information” and “imbalances of power.”
Against this backdrop, Chair Khan described several other ways that the FTC has been refining its approach to data privacy and security enforcement, including:
- Attempting to “maximize impact” of enforcement by focusing the Commission’s limited resources on pursuing potential violations by “dominant” firms whose business practices cause potential “widespread harm,” as well as “intermediary” companies that may facilitate unlawful conduct;
- Taking an “interdisciplinary approach” to enforcement, focusing on data privacy and security practices that raise both consumer protection and competition concerns;
- Supplementing the FTC’s staff of lawyers, economists, and investigators with additional individuals with technology expertise such as data scientists, engineers, user design experts, and artificial intelligence researchers; and
- Seeking to tailor enforcement remedies to address the particular incentives faced by businesses and the “latest best practices” in data privacy and security. By way of example, Chair Khan cited recent FTC settlements with: weight loss app Kurbo, requiring the company not only to delete data collected from children, but also to destroy any algorithms derived from that data;[2] surveillance business SpyFone, requiring the company to delete allegedly illegally acquired data and banning the company and CEO from the surveillance business in the future;[3] and customized merchandise platform CafePress, requiring the company to implement new multifactor authentication methods, as well as reduce and encrypt certain data the company collected and maintained.[4]
Notably, Chair Khan also foreshadowed that the FTC may pursue rulemaking and other efforts to prohibit certain types of data collection practices entirely. Expressing concern that current privacy-related notice and consent requirements may soon become “outdated and insufficient,” she stated: "I believe we should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements, while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place.” Chair Khan also revealed that the Commission may be pursuing rulemaking to address “commercial surveillance and lax data security practices.”
Commissioner Phillips’ remarks
Commissioner Phillips’ remarks covered a broad range of issues, including responding to certain of the statements by Chair Khan related to the intersection of competition law and data privacy and enforcement, enforcement activity focused on “market dominant” firms, and the role of equitable remedies, among other topics.[5]
With respect to the focus on “market dominant firms” and the intersection between competition and data privacy, Phillips asserted that it would be “wrong” for the FTC to pursue an enforcement approach that assumes that “market power enables privacy violations.” He expressed the view that privacy violations are not a “natural result” of competition or a “symptom of monopoly power.”
In response to Chair Khan’s reference to proposed rulemaking related to data collection practices, Commissioner Phillips expressed a preference for national privacy legislation over agency rulemaking to address privacy concerns.
As to equitable remedies, Commissioner Phillips expressed the view that such remedies should be targeted to address consumer harm and recoup ill-gotten gain, rather than simply to punish companies. He noted that the FTC has displayed considerable ingenuity in constructing appropriate equitable remedies in the past, but observed that as data collection practices become more complex (for example, relying on artificial intelligence) “what constitutes the ill-gotten gain can be hard to spot.”
Observations
While Chair Kahn and Commissioner Phillips appeared to offer competing perspectives on certain aspects of the FTC’s role in policing data privacy and security, their remarks confirmed that this area will continue be a key focus for the FTC in the near term. The FTC’s recent rulemaking activity further confirms this focus on data privacy issues. For example, the FTC is currently finalizing rulemaking related to the Children’s Online Privacy Protection Act, which imposes notice requirements on online services that collect personal information from children under 13.[6] Similarly, in April 2020, the FTC initiated a rulemaking proceeding to consider the scope of the Health Breach Notification Rule and its application to certain health-related apps.[7] Going further, under Chair Khan, we can expect further rulemaking and enforcement activity targeted at the data privacy and security practices of companies and their executives. By contrast, the prospects for national legislation addressing data privacy and security issues is more uncertain, given that several bills have been introduced over the last few years, but have not moved forward.[8]
* * *
[1] FTC Chair Lina Khan, Keynote at IAPP Global Privacy Summit 2022 (April 11, 2022), recording available at https://iapp.org/news/video/keynote-lina-khan-chair-of-the-federal-trade-commission-iapp-global-privacy-summit-2022/.
[2] See FTC Takes Action Against Company Formerly Known as Weight Watchers for Illegally Collecting Kids’ Sensitive Health Data (March 4, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive.
[3] See FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data (September 1, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data.
[4] See FTC Takes Action Against CafePress for Data Breach Cover Up (March 15, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover.
[5] See IAPP, FTC Chair Touts ‘Interdisciplinary Approach’ to Data Privacy, Security, (April 12, 2022), available at https://iapp.org/news/a/ftc-chair-touts-interdisciplinary-approach-to-data-privacy-security/.
[6] FTC Seeks Comments on Children’s Online Privacy Protection Act Rule (July 25, 2019), available at https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-seeks-comments-childrens-online-privacy-protection-act-rule
[7] Health Breach Notification, Request for Public Comment, 85 Fed. Reg. 31085 (Apr. 22, 2020).
[8] See IAPP, Muze Fazlioglu, Federal Privacy Bills – 117th Congress, (Aug. 2, 2021), available at https://iapp.org/media/pdf/resource_center/us_federal_privacy_legislation_tracker_117th_congress.pdf (tracking federal privacy bills in Congress).