On Wednesday, May 11, after a lengthy delay, the US Senate voted 51-50 to confirm Alvaro M. Bedoya as a Commissioner of the Federal Trade Commission (“FTC” or “Commission”), and he was sworn in on May 16. Bedoya fills the seat left open by former Commissioner Rohit Chopra, who left the FTC in October of last year and now heads the Consumer Financial Protection Bureau. Chopra’s departure left the Commission with an open seat and in a partisan deadlock on a number of issues, as the FTC consisted of two Democratic appointees (Chair Lina M. Khan and Rebecca Kelly Slaughter), and two Republican appointees (Noah Joshua Phillips and Christine S. Wilson). The confirmation of Bedoya gives the Democratic appointees a 3-2 majority, which will enable Chair Khan to pursue privacy reforms and to take meaningful enforcement actions without the need for bipartisan support. Businesses that are potential targets for FTC scrutiny should pay particular attention now that the agency is at full strength and will be looking to flex its enforcement, rulemaking, and policy-making muscles and pursue Chair Khan’s aggressive (and progressive) agenda.
We anticipate that Democrats’ ability to control the agenda could result in significant movement on the privacy front, with the potential for privacy rulemaking, including a comprehensive privacy rule, increased enforcement of rules in order to obtain civil monetary penalties, and what results in “informal rulemaking” with potential enforcement consequences through the repeal or issuance of agency policies and guidance documents (although enforcement actions taken in reliance on these informal approaches face a meaningful likelihood of being challenged by an enforcement target). Bedoya’s past work also signals that the Commission may focus on issues like facial recognition, artificial intelligence, and the effect of location data on civil rights—all areas Chair Khan has expressed interest in previously.
The following areas are likely to be high on the FTC’s list of priorities over the next year as a newly motivated (and now fully staffed) agency looks to implement creative remedies and take aggressive action.
- Focus on Meaningful Enforcement, Including Civil Penalties: Since Chopra’s tenure, the FTC has been focused on crafting remedies that deter and punish companies for their conduct, even in the absence of the FTC’s ability to get civil monetary penalties for most violations of its Section 5 authority. We saw this trend continue in recent enforcement actions, including against an online merchandise platform and a weight loss company. The FTC also changed its policies last summer to make it easier to bring investigative actions in certain areas. This policy change, coupled with a 3-2 majority, means that we can expect enforcement actions to increase in number and scope. We also expect to see investigations that cover a broad range of conduct, especially where antitrust and data protection intersect, and a focus on dominant digital platforms and intermediaries that may facilitate what the FTC believes to be unlawful conduct on a massive scale. The FTC will also continue to look for ways to expand its ability to seek civil penalties by promulgating new rules (like the Made in U.S.A. Labeling Rule) and then pursuing violations as a response to the Supreme Court’s decision in AMG Capital Management, which foreclosed the FTC’s ability to obtain equitable monetary relief under the FTC’s Section 13(b) authority. A bill being considered in the Senate, the Consumer Protection Remedies Act of 2022 (S. 4145), would amend Section 13 to allow the FTC to obtain equitable relief.
- Privacy Rulemaking: In the absence of federal privacy legislation, FTC Commissioners, including Chair Khan, have been supportive of the use of rulemaking authority under Section 18—also known as Magnuson-Moss rulemaking—to bolster privacy protections. Chair Khan and Commissioner Slaughter began paving the way for the increased use of the agency’s rulemaking power last year. In March 2021, then-Acting Chair Slaughter announced the creation of a new rulemaking group within the FTC’s Office of the General Counsel, charged with helping the FTC to “strengthen existing rules and to undertake new rulemakings to prohibit unfair or deceptive practices and unfair methods of competition.” The FTC also sought to make the rulemaking process more streamlined, including by implementing a change that would provide for an informal hearing at the request of an interested person in response to a notice for proposed rulemaking or at the Commission’s discretion. Chair Kahn and Commissioner Slaughter have both suggested that the FTC should think beyond procedural protections for data privacy and consider adopting “substantive limits.” [Commissioner?] Bedoya’s expertise with privacy issues makes it more likely that the FTC could begin the lengthy process of rulemaking under Section 18 and seek to promulgate a comprehensive privacy rule that is not sector specific. At the very least, it makes it more likely that the FTC will pursue its Advanced Notice of Proposed Rulemaking from December of 2021, where it noted that it was considering a rulemaking to address lax security practices, privacy abuses, and algorithmic decision-making.
- Children’s Privacy: Another area of likely focus will continue to be children’s (and, potentially, teen) privacy, with enforcement and rulemaking under COPPA or under the FTC’s general Section 5 authority. Children’s privacy rights have frequently been an area for bipartisan collaboration, with Commissioner Wilson expressing an interest in working with Bedoya on the issue. COPPA—which applies to operators of websites directed to children under the age of 13, or operators that have actual knowledge they are collecting personal information from a child younger than 13—has been actively enforced by the FTC recently, in part because the FTC can obtain civil monetary penalties for violations. The FTC is also reviewing a broader range of issues with teens as well as with younger children where conduct might fall outside of COPPA but has otherwise raised the interest of the agency.
- Safeguards Rule Enforcement: Last year, the FTC updated the 2002 Safeguards Rule under the GLBA, requiring non-banking financial institutions to adopt certain safeguards, such as establishing a written information security program, or implementing multifactor authentication for individuals accessing networks with consumer information. As many of the Rule’s requirements are already in place (and many other requirements will become effective later this year), companies should ensure compliance due to the potential for increased enforcement.
- Regulation of Health Apps and Connected Devices: Already, the FTC has offered policy statements and guidance that appear to have expanded the reach of the Health Breach Notification Rule (“HBNR”). The FTC has clarified that the HBNR—which applies to “vendors” of “personal health records,” “PHR related entities,” and “third party service providers”—would likely also cover many types of health applications and connected devices, such as wearable fitness devices, even though many of these devices may not consider themselves to be vendors of personal health records. Under a Democratic majority, the FTC likely will be looking for ways to increase its enforcement of health applications under the HBNR going forward, perhaps testing the limits of how far the Commission can change policy through statements rather than revised rules.
Last summer, Chair Khan began holding regular open meetings (you can find our coverage of these meetings here and here). On Thursday, May 19, the FTC will be holding its next open meeting and its first meeting with Commissioner Bedoya. The tentative agenda includes: (1) a policy statement announcing the FTC’s prioritization of COPPA enforcement as applied to education technology; and (2) a request for public comment on proposed amendments to guides regarding advertising endorsements and testimonials. Our team will be covering this meeting and will report back on any significant actions taken at that meeting and what they could mean for your business.