Speaking to the Future of Privacy Forum, Acting Federal Trade Commission (FTC) Chairwoman Rebecca Kelly Slaughter provided insight this week into how the Biden Administration intends to pursue privacy issues at the FTC. These remarks are among her first as Acting Chairwoman—signaling that privacy will continue to be a priority at the agency.
The FTC has a long history of engagement on privacy issues, and the agency continued to be active in this area under previous Chairman Joe Simons. Before closing the 2020 year, for example, the FTC voted with bipartisan support to order nine social media and video companies to provide information and documentation on a broad range of issues, including privacy and data collection and use. However, the nature, scope, and emphasis of FTC privacy activities are subject to change with new leadership. Below, we’ve highlighted some key points in the Acting Chairwoman’s remarks that could signal important policy developments for the agency.
-
Key priorities. At a high level, Acting Chairwoman Slaughter emphasized prioritizing efforts to address privacy issues associated with the COVID-19 pandemic and promoting racial equity through consumer protection activity. One area she highlighted that reaches across both areas is education technology (ed-tech), which is an area where the agency has expressed concern about privacy practices involving children engaged in distance learning.
-
AI and Facial Recognition. As part of her larger focus on addressing racial injustice issues, Acting Chairwoman Slaughter also discussed artificial intelligence (AI) and facial recognition. She noted that she has asked staff to investigate biased and discriminatory algorithms, and she signaled her intention to rethink how the FTC addresses AI-generated consumer harms—a move that we previously previewed. She further noted that she will “redouble” the FTC’s efforts to identify violations of laws related to facial recognition technologies.
-
Health Data. Acting Chairwoman Slaughter also expressed interest in broader applicability of the FTC’s Health Breach Notification Rule, including in cases involving alleged privacy violations involving non-HIPAA health data. The FTC, given its statutory authority to enforce the breach notification rule, may be able to significantly expand its activities in health data privacy, making this a key area to watch. Along the same lines, the Acting Chairwoman said she has asked staff to take a close look at health apps, including telehealth and contact tracing apps.
-
Location Data and the First Amendment. The new FTC head conveyed her “concern[] about misuse of location data,” particularly as it relates to “tracking Americans engaged in constitutionally protected speech.” This statement signals a potential increase in privacy cases or investigations going forward on the use of location data, regardless of disclosures, based on a theory of consumer harm under First Amendment protections rather than a breach of service terms and conditions.
-
Privacy and Data Security Remedies. More generally, the Acting Chairwoman called for “stronger relief for consumers” in privacy and data security cases. She highlighted two types of relief that the FTC should seek: effective consumer notice and disgorgement. On the latter remedy, the FTC could, for example, require companies that it finds to have unlawfully collected and used consumer data to disgorge both the data and the fruits of that collection and usage, as it did in the Everalbum case. In that settlement, the FTC required a photo app company to destroy facial recognition models and algorithms developed using customer photos and data allegedly obtained contrary to its disclosures to consumers. Disgorgement would represent a more aggressive approach in privacy cases, which often (though not always) involve non-monetary remedies.
-
New Workshops and Reports. Looking ahead to privacy events and work product, Acting Chairwoman Slaughter indicated that the FTC will host a workshop examining marketplace incentives for protecting privacy and securing consumer data. This is in addition to planning underway already for its sixth PrivacyCon, which will be held on July 27, 2021. She has also asked that the FTC release a report on broadband privacy practices this year, based on requests for information it sent in 2019.
It remains to be seen whether the Acting Chairwoman will have support for the entirety of this agenda from her fellow Commissioners. But what is certain is that the head of the FTC has significant ability to direct the agency’s resources in investigations and policy matters, so we can expect that activity will ramp up in these prioritized areas in the coming year.