The FTC convened its eighth annual privacy conference on March 6, 2024.  The full transcript of the event can be found here.   Both Chair Khan and Commissioner Bedoya provided remarks during the event that are likely to be considered provocative by many.

Commissioner Khan’s remarks focused on what she referred to as three key high-level principles that are driving the FTC’s privacy efforts:

  • Business Incentives Driving Unlawful Conduct:  She noted that “enforcement actions are designed to account for how business incentives are driving unlawful conduct,” and she pointed to AI model training and machine learning as “features that could further incentivize firms to be collecting a lot of user data.” 
  • Sensitive Data:  Another principle Chair Khan emphasized was that selling sensitive data can be presumptively off limits in at least some circumstances, referring to the FTC unfairness actions in recent months against companies selling sensitive data without permission.
  • Upstream Liability:  Chair Khan noted that the FTC will look upstream to establish liability and pinpoint actors that “are driving or enabling unlawful conduct on a massive scale.”  As evidence, she pointed to enforcement actions against data brokers and emphasized that the FTC is “looking past the consumer focused applications and zeroing in on the backend infrastructure that is facilitating the commercial surveillance ecosystem.” 

Additionally, Commissioner Bedoya spoke during the conference and emphasized the following themes based on enforcement actions:

  • Outright Bans on Specific Practices:  Commissioner Bedoya reflected on a trend in which FTC enforcement actions seek “outright bans on specific commercial practices,” referencing model deletion where those models have been built using allegedly illegally obtained data or through illegal practices.
  • Sensitive Data:  Echoing Chair Khan’s remarks, Commissioner Bedoya noted the FTC’s emphasis on sensitive data.  Importantly, he noted that “sensitive data usually doesn’t require further identifiers in order to be sensitive and require protection” and that this is a “really long way of saying something that our technology blog said much more simply” that “browsing and location data are sensitive, full stop.”
  • Retention:  Commissioner Bedoya also noted that the FTC will be “skeptical” of claims that data needs to be retained for long periods of time.  He stated that data generates value, “whether it’s used for advertising or to train a machine learning model.” 
  • Teen Privacy:  Commissioner Bedoya further stated that he would “press companies to set privacy settings for children and teens, at their maximum.”  Referencing content recommendation systems and “design practices” that keep teens online longer than they want to be, he noted that these “merit careful scrutiny.”
  • Algorithmic Discrimination:  The FTC will also continue to scrutinize algorithmic decision-making systems “when they substantially injure people,” such as through biased algorithmic decisions. 

We will continue to cover this and other FTC developments on the blog.

Yaron Dori

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the firm’s eight-person Management Committee.

Yaron’s practice advises clients on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

Early in his career, Yaron advised telecommunications companies and investors on regulatory policy and frameworks that led to the development of broadband networks. When those networks became bidirectional and enabled companies to collect consumer data, he advised those companies on their data privacy and consumer protection obligations. Today, as new technologies such as Artificial Intelligence (AI) are being used to enhance the applications and services offered by such companies, he advises them on associated legal and regulatory obligations and risks. It is this varied background – which tracks the evolution of the technology industry – that enables Yaron to provide clients with a holistic, 360-degree view of technology policy, regulation, compliance, and enforcement.

Yaron represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Department of Commerce (DOC)—and the U.S. Congress in connection with a range of issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications, data privacy, and consumer protection regulation. His deep experience in each of these areas enables him to advise clients on a wide range of technology regulations and key business issues in which these areas intersect.

With respect to technology and telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

  • Artificial Intelligence and the Internet of Things;
  • Broadband deployment and regulation;
  • IP-enabled applications, services and content;
  • Section 230 and digital safety considerations;
  • Equipment and device authorization procedures;
  • The Communications Assistance for Law Enforcement Act (CALEA);
  • Customer Proprietary Network Information (CPNI) requirements;
  • The Cable Privacy Act;
  • Net Neutrality; and
  • Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state communication licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

  • The FTC Act and related agency guidance and regulations;
  • State privacy laws, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act;
  • The Electronic Communications Privacy Act (ECPA);
  • Location-based services that use WiFi, beacons or similar technologies;
  • Digital advertising practices, including native advertising and endorsements and testimonials; and
  • The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on congressional, FCC, FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.