At the IAPP Global Privacy Summit, the Chair of the Federal Trade Commission, Lina Khan, gave her first public address since taking over as chair. Her remarks provide some key insights into the FTC’s areas of focus, including activities ripe for enforcement. Those insights are particularly valuable for U.S. businesses, as the FTC is often the vanguard among U.S. privacy and data security regulators. This post provides a roadmap to where the agency could be headed based on Chair Khan’s speech.
Focus on Widespread Harm and Intermediaries
Chair Khan’s comments make clear that the FTC’s primary focus will remain on business practices that cause widespread harm. That idea is not particularly notable, and it’s unsurprising that companies with high-visibility, consumer-facing practices will be more likely draw the attention of the FTC. But Chair Khan explained that the FTC would also be focusing on “intermediaries that may facilitate unlawful conduct on a massive scale.” Among other industries, she is focused on data brokers and the ad tech ecosystem. As an example, Chair Khan cited the FTC’s recent enforcement action against OpenX, an online ad exchange. There, OpenX allegedly collected personal information from websites directed to children in violation of the Children’s Online Privacy Protection Act.
An Interdisciplinary Approach that Includes a Focus on Fair Competition
Chair Kahn stated that the FTC will be “taking an interdisciplinary approach” to its privacy and data security work, “assessing data practices through both a consumer protection and competition lens.” Her comments show a skepticism of “dominant firms” that have access to or control large troves of personal information. She pointed out that the market incentives to maximize data collection and retention can lead to “systemic risk, increasing the hazards and costs of hacks and cyberattacks.”
The Chair also suggested that she may be sympathetic to the view that the “opacity and complexity of the digital ad markets could be enabling widespread fraud and masking a major bubble.” Under Chair Khan, privacy and data security will likely be an important issue in connection with merger review. It will be interesting to see if the competition considerations also arise in connection with the agency’s traditional privacy and data security enforcement activities.
A Creative Approach to Remedies
The FTC will be taking a more creative approach with its remedies to deter unlawful conduct. In doing so, Chair Khan explained that her agency would account for the market forces that incentivize unlawful conduct and pursue “remedies that fully cure the underlying harm and, where necessary, deprive lawbreakers of the fruits of their misconduct.” In that regard, Chair Khan cited the FTC’s recent enforcement action against Kurbo. In that case, which arose from a weight loss app’s allegedly wrongful collection of children’s personal information, the settlement required Kurbo to destroy any illegally collected data and any algorithms derived from that data, in addition to paying a $1.5M penalty. The remedies that the agency pursued in the Kurbo case are particularly notable because the loss of a crucial dataset, an important algorithm, or another business asset that the FTC alleges is tied to a privacy violation could be extremely damaging to many companies.
The Chair’s comments indicated that the agency would also focus on executive accountability as a remedy. She highlighted the agency’s 2021 enforcement action against SpyFone (probably not a great name for your company if you want to avoid scrutiny by privacy regulators). That case arose from SpyFone’s sale of apps that allowed users to secretly collect data on other people’s physical movements, phone use, and online activities through a hidden device hack. The FTC permanently banned the company’s CEO from engaging in business involving tracking or monitoring a user’s activities on a mobile device.
Other Notable Points
Chair Khan indicated that the FTC is considering issuing privacy and data security rules, alluding to the notice issued by the agency late last year. Her comments suggest the rules will be focused on “commercial surveillance” in addition to data security.
Chair Khan’s focus on the harms associated with “surveillance” and the “surveillance economy” is noteworthy. Her comments reflect a deep distrust of industries that rely on large-scale or intensive data collection and tracking. They also suggest that she is skeptical of data aggregation as a strategy for addressing privacy harms in certain contexts—a potentially concerning position for companies that rely heavily on data aggregation to develop and improve their products and services.
From a policy perspective, Chair Khan also opined that “present market realities may render the “notice and consent” paradigm outdated and insufficient.” According to Chair Khan, the “procedural” protections of lengthy privacy policies and consent may be inadequate when users cannot reasonably avoid the use of certain technologies that are critical to “navigating modern life.” She also called on Congress to enact legislation creating substantive limitations on “commercial surveillance.”
Takeaways for Business
Going forward, companies operating in the U.S. should evaluate whether their operations may expose them (or their executives) to increased risk given Chair Khan’s policy positions.
Companies engaged in large-scale tracking of consumers, or that could otherwise be considered part of the surveillance economy, should keep in mind that their business model is likely to be an area of emphasis for the FTC.
Companies assuming they are safe from FTC enforcement because they fly under the radar should reconsider that assumption in light of Chair Khan’s speech—particularly data brokers and other “intermediaries.” And in the context of M&A, and similar transactions, acquiring companies will want to be sure that the target’s assets, including data sets and algorithms, are not clouded by unlawful practices.
Finally, and as always, U.S. companies should keep a close eye on the FTC’s enforcement actions, which often provide the best evidence of the FTC’s expectations in the absence of formal rulemaking.
