As recently discussed in an article in Law360 (behind paywall), Acting Director of the Federal Trade Commission’s Bureau of Consumer Protection (“FTC” and “BCP,” respectively) Thomas Pahl recently spoke publicly about his thoughts regarding the BCP’s likely upcoming enforcement priorities.
Pahl, whose experience includes a background in consumer financial services, including debt collection and financial privacy, noted several areas in which BCP enforcement priorities may shift. in ways that could be meaningful to practitioners and technology entities. In particular, Pahl signaled that the FTC’s new leadership — including Acting Chairman Maureen Ohlhausen — may narrow its enforcement focus regarding use or misuse of sensitive consumer information. Rather than taking a more general, theoretical approach, Pahl’s comment suggests the agency will prioritize enforcement in situations in which data misuse or privacy breaches lead to tangible evidence of consumer harm. Such an approach would follow closely Chairman Ohlhausen’s stated priority of “deepening the FTC’s understanding of the economics of privacy and consumer harm in the context of information exposure,” which likely also will be a major discussion point at the agency’s next annual PrivacyCon conference in February, 2018.
This tentative shift toward a refined and renewed focus on economic issues surrounding consumer data security follows on the heels of a comment filed on July 17 by the FTC’s constituent bureaus (signed by Pahl on behalf of BCP) in the Federal Communications Commission rulemaking proceeding concerning net neutrality. As endorsed in a separate statement by Chairman Ohlhausen, the FTC staff wrote in favor of a provision included in the FCC’s Notice of Proposed Rulemaking that would return oversight of broadband internet service providers’ privacy and data security practices to the FTC.
In that comment, the FTC staff noted the agency’s extensive experience in protecting consumer data privacy and data security via enforcement actions, including over 500 cases against a wide variety of technology companies. The FTC notes that its enforcement activities have been broad, including targeting social media entities, OEMs, app developers, ad networks, and other entities, in addition to internet service providers. The agency staff went on to argue specifically why jurisdiction over broadband internet service providers — removed in 2015 in favor of the FCC — should be restored to the FTC, highlighting the agency’s dual role as an enforcer and an educator and noting that “businesses often have a one-stop shop when seeking guidance on privacy and security issues.”
Indeed, the potential combination of a return to a “one-stop shop” for privacy guidance and enforcement with a narrowed enforcement focus may provide technology companies — and particularly internet service providers — with a more predictable regulatory landscape regarding data security and privacy issues. Presumably, BCP’s narrowed enforcement focus can be implemented immediately. However, if BCP and the FTC as a whole choose to wait until after PrivacyCon 2018 to fully implement a new philosophy, companies may face several months of remaining uncertainty. Additionally, given the long timelines until the completion of the FCC rulemaking proceeding, the FTC may be many months from its desired renewed jurisdiction over ISPs.
Therefore, despite the stated goals and priorities of BCP and the FTC as a whole, it may be some time before practitioners and industry participants can be sure that change is in the air.