Hashed & Salted | A Privacy and Data Security Update
2022 promises to be an active year for privacy and data security regulation in the U.S. While comprehensive federal privacy legislation is unlikely to pass this year, privacy and data security remain key priorities for the Biden administration, Congress and the Federal Trade Commission. We expect that most developments around privacy will occur at the FTC, as the agency becomes the de facto privacy regulator. With the confirmation of Lina Khan as chair of the FTC this past year, the FTC’s priorities and agenda have shifted to focus more on the intersection of privacy, antitrust and Big Tech. In 2022, we’ll continue to see the FTC take a more activist approach to privacy. While the FTC has, arguably, been somewhat limited by its enforcement budget and the current state of the law regarding its enforcement and penalty authority, we expect that the FTC will try to use some of the lesser-known tools in its toolbox to push for changes in the areas of privacy, competition and platform regulation.
Where We Left Off in 2021
The Biden Administration’s Efforts to Prioritize Privacy and Competition
President Joseph Biden issued an Executive Order “to promote the interests of American workers, businesses, and consumers,” aimed at promoting a fair, open and competitive marketplace.
The July Executive Order recognizes the importance of data collection and its impact on the overall marketplace. The Executive Order states:
It is also the policy of my Administration to enforce the antitrust laws to meet the challenges posed by new industries and technologies, including the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors, the aggregation of data, unfair competition in attention markets, the surveillance of users, and the presence of network effects.
The Executive Order also encourages the FTC to consider exercising its Section 5 and Section 18 rule-making authority to combat “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy” and to fight “unfair competition in major Internet marketplaces.” The FTC’s Section 5 authority has historically been used to address sector-specific data collection and use practices (for example, through issuing business guidance, enforcement actions and consent orders), while the FTC’s Section 18 authority is used to address unfair or deceptive acts or practices.
The FTC Takes a More Activist Role
Along with the Biden administration, consumer advocates and other regulators have also called on the FTC both to increase the scope and consequence of its enforcement activity and to step in to provide rules around privacy and security in lieu of a federal privacy bill. Over the course of 2021, the FTC responded by taking a number of actions that indicate a willingness to use the full scope of regulatory and enforcement tools at its disposal to put pressure on Big Tech and regulate perceived privacy abuses. The FTC has issued notices of penalty enforcement, the violation of which would allow it to seek civil penalties; issued orders to certain industry sectors requiring reports and responses to questions about their practices; and started the rule-making process. In 2022, we expect to see the FTC initiate rule-makings and potential investigations and issue more notices of penalty enforcement.
Below is a quick recap of the various enforcement tools the FTC may deploy:
- Section 5 enables the FTC to prohibit “unfair or deceptive acts or practices.”
- Section 5(b) allows the FTC to initiate an administrative proceeding for unfair or deceptive practices and unfair methods of competition. Administrative complaints are adjudicated by an administrative law judge, where parties can seek injunctive relief.
- Section 5(l) allows the FTC to seek civil penalties, equitable monetary relief or other injunctive relief in a federal court, if a defendant violates a previous administrative order issued by the Commission.
- Section 5(m) permits the FTC to seek civil penalties in federal court (the Build Back Better Act would amend Section 5(m)(1)(A) of the FTC Act to expand the FTC’s ability to seek civil penalties for Section 5 violations—unfair or deceptive acts or practices—and not just violations of FTC rules).
- Section 6(b) provides the FTC with the authority to require reports and answers to specific written questions from a company about specific business practices (but doesn’t necessarily require the FTC to have a specific law enforcement goal).
- Section 13(b) grants the FTC the ability to seek injunctive relief in federal district court to halt unfair and deceptive practices. Section 13(b) does not authorize the FTC to seek court-ordered monetary relief (as was decided in AMG Capital Management).
- Section 18 grants the FTC rule-making authority and allows the Commission to promulgate trade regulation rules concerning unfair or deceptive acts or practices affecting commerce (commonly referred to as “Magnuson-Moss” rule-making). Section 18 also requires a hearing, with an opportunity for cross-examination.
- Section 19 authorizes the FTC to bring civil suits for violations of FTC trade regulation rules regarding unfair or deceptive acts, and violations of an FTC cease and desist order. Section 19 also allows the FTC to seek certain types of consumer redress from the court, such as rescinding or reforming contracts, monetary refunds, and damages.
Congress has also granted the FTC specifically enumerated authority—ranging from enforcement to rule-making—under the Equal Credit Opportunity Act, Health Breach Notification Rule, Children’s Online Privacy Protection Act and Gramm-Leach-Bliley Act.
FTC Enforcement Priorities
FTC Chair Khan issued a memo on the Vision and Priorities for the FTC in September 2021, outlining her strategic approach and listing several policy priorities. Specifically, Khan would like the FTC to focus on “rampant consolidation and dominance” where a lack of competition may make unlawful conduct more likely. Khan cites that key projects for the FTC will include revising the merger guidelines (in conjunction with the Department of Justice) and reviewing “take-it-or-leave-it” contracts that could be viewed as potentially unfair methods of competition or unfair or deceptive practices.
And most recently, in December, the FTC issued a Statement of Regulatory Priorities, citing President Biden’s July Executive Order and affirming that the Commission intends to consider competition rule-makings relating to surveillance, unfair competition in online marketplaces, and noncompete clauses, among others.
We also expect the FTC to continue its focus on children’s data, bias and discrimination in Artificial Intelligence, algorithmic transparency, and dark patterns and negative option marketing as we saw with the FTC’s Enforcement Policy Statement. To learn more about dark patterns, watch our In The Know Video here.
Based on the FTC’s recent Statement of Regulatory Priorities, it’s clear that over the course of 2022, the Commission intends to review a number of FTC rules, including:
- Children’s Online Privacy Protection Rule (16 CFR 312)
- Negative Option Rule (16 CFR 425)
- Telemarketing Sales Rule (16 CFR 310)
- Health Breach Notification Rule (16 CFR 318)
The Commission also intends to review the following FTC guides:
- Endorsement Guides (16 CFR 255)
- Guides Against Deceptive Pricing (16 CFR 233)
- Guide Concerning Use of the Word “Free” and Similar Representations (16 CFR 251)
For additional information about the FTC’s potential actions and goals in 2022, take a look at the Commission’s recently released Strategic Plan for 2022-2026.
The Build Back Better Act
President Biden’s “Build Back Better Framework” is a sweeping legislative package that seeks to grow the U.S. economy and address a number of issues facing Americans, including caregiving, climate change, taxes and affordable health care. Provisions of the Build Back Better Act also seek to address privacy and data security by providing for increased funding for the FTC, which would enable the agency to properly investigate and pursue privacy and data security violations.
The Build Back Better Act would also provide at least $500 million to the FTC through September 2029, and would establish a new privacy bureau. With those funds and the new dedicated bureau, the FTC would be able to hire technologists and other experts to help the agency pursue companies engaged in unfair or deceptive acts or practices related to privacy, data security, identity theft, data abuses and similar matters.
The Build Back Better Act (specifically, Sections 31501 and 31502 in H.R. 5376) would provide the FTC with additional civil penalty authority, allowing the agency to seek monetary penalties of nearly $44,000 (per violation, per consumer) for lawsuits filed in federal district court pursuant to Section 5 of the FTC Act.
The future of the Build Back Better Act remains unclear—it was not brought to a Senate vote during 2021. Over the next few months, we expect that the legislative package will change significantly, as could the provisions pertaining to the budget and enumerated powers of the FTC. Although the act did not see a Senate vote during 2021, the Biden administration will continue to pressure Congress to pass a comprehensive legislative package and is expected to remain focused on issues at the intersection of privacy and civil rights.
Looking Ahead to 2022
Both the Biden administration and the FTC have ambitious privacy agendas for 2022. Here’s what you can do to prepare:
- Understand the tools available to the FTC and the powers and procedures the Commission may invoke to promulgate new privacy rules and pursue alleged privacy violations.
- Review your internal policies and procedures for compliance with the rules and guides that the FTC has said it would review.
- Monitor the FTC’s notices and other activities to understand whether any of your practices have become the subject of the FTC’s focus.
As the Commission begins to review and solicit comments or feedback on various FTC rules and guides, we will keep you updated.
-
Chief Privacy & Security Partner; Chair, Privacy, Security & Data Innovations