With a new administration and a new Congress come key leadership changes and new priorities at the Federal Trade Commission (FTC). The change in administration paves the way for a Democratic-led Commission, though a permanent FTC Chairman and a successor to Commissioner Chopra (who has been nominated to head the Consumer Financial Protection Bureau) might not be confirmed for several months. In the meantime, President Biden has appointed sitting Commissioner Slaughter to serve as Acting Chair.
Until all new Commissioners have been confirmed, including possibly a new permanent Chair, the Commission will be split 2-2 between Democrats and Republicans. Although this split could hamper the Commission’s ability to vote out new cases or approve settlements—as such actions must be approved by a majority of the sitting Commission—we expect the Commission, under Acting Chair Slaughter, to remain active in the realm of data privacy and security. While changes to the makeup and leadership of the Commission may result in some adjustments to the FTC’s approach to data privacy and security issues (such as remedies for consumer harms), these issues will likely continue to be a focal point in the FTC’s enforcement agenda.
Here is what the changes at the FTC may mean for the agency’s enforcement agenda:
- The FTC may show even greater interest in companies’ use of artificial intelligence and big data, and the potential harms these innovative technologies can inflict on consumers. In a January 2020 speech, then-Commissioner Slaughter observed that while AI-powered algorithms offer the possibility of eliminating biases in human decision-making, there is “mounting evidence of AI-generated economic harms in employment, credit, healthcare, and housing.” Then-Commissioner Slaughter advocated for the FTC to use its broad deception and unfairness authority under the FTC Act to pursue companies that make deceptive claims about their algorithm-based products or whose AI technologies harm consumers. We predict that the FTC will be taking a closer look at the use of AI and big data, drawing on a variety of statutory tools—such as the FTC’s Section 5 unfairness authority, the Equal Credit Opportunity Act, and the Fair Credit Reporting Act—to address issues of algorithmic bias.
- The FTC also is likely to remain focused on children’s privacy issues, with particular attention on social media and educational technology. Last fall, the FTC held a workshop examining the Children’s Online Privacy Protection Act (COPPA) Rule and how the agency can continue to preserve children’s privacy in light of new and evolving technologies in the market. And at the end of 2020, the FTC issued orders under Section 6(b) of the FTC Act to nine social media and video streaming companies, requesting information on each company’s services and products directed to children and teens, among other items. In a joint statement, Commissioners Chopra and Wilson and then-Commissioner Slaughter characterized the requests as “push[ing] to uncover how children and families are targeted and characterized.” The Commissioners’ statement, coupled with the Commission’s evaluation of the COPPA Rule in light of rapid changes in technology, may signal more regulatory interest to come.
- More generally, data privacy and security likely will remain hot button issues at the FTC. Consumer privacy and data security issues have been top priorities for the FTC in recent years, with the Commission reporting a record year for enforcement actions aimed at protecting consumer privacy and data security in 2019. Under former Chairman Simons, the FTC also prioritized strengthening data security orders in an effort to improve companies’ data security practices and increase deterrence. We expect that the FTC’s enforcement activity in these areas will only increase under a Democratic-led Commission.
A Democratic-led FTC likely also means more attention on the use of remedies—including the invention of new remedies—to protect and compensate consumers and improve compliance:
- The FTC may increase its scrutiny of the role of corporate leaders in data privacy and security investigations. Acting Chair Slaughter and Democratic Commissioner Chopra both have been vocal in calling for officers and directors—including leaders of large, publicly-traded companies—to be held individually accountable for alleged misconduct that took place on their watch. With a Democratic majority, the Commission could place even greater emphasis on individual accountability in data privacy and security cases—a major shift in longstanding FTC policy.
- The FTC will likely continue to seek significant civil penalties for violations of Commission rules and statutes subject to fine (such as the COPPA Rule and the Fair Credit Reporting Act), and knowing violations of FTC cease-and-desist orders. Recent enforcement actions in the data privacy and security arena have resulted in record fines. With the looming uncertainty of the FTC’s restitution and disgorgement authority in light of the Supreme Court’s consideration of AMG Capital Management, LLC v. Federal Trade Commission, we anticipate the FTC’s trend of pursuing large civil fines where possible will continue.
- Finally, we expect that we will continue to see a push from the Democratic Commissioners to use novel remedies to address consumer privacy harms and to further strengthen deterrence:
  - Commissioner Chopra’s and then-Commissioner Slaughter’s dissenting statements in the Zoom matter are two examples of the Democrats’ recent emphasis on finding new ways to remedy the harmful effects of data security and privacy violations on consumers and the marketplace. In response to the proposed settlement the Commission voted out in November 2020, Commissioner Chopra advocated for the agency to take novel approaches to providing relief to consumers, such as requiring companies to respond to complaints or to release consumers from long-term contracts that they would not have entered into absent the company’s alleged deception. Then-Commissioner Slaughter similarly took issue with the settlement, observing that the order did not require Zoom to take steps to mitigate the impact of its conduct. Following final approval of the settlement, then-Commissioner Slaughter dissented from the Commission’s decision to finalize the order in light of calls from consumers and consumer advocacy groups for the FTC to do more to strengthen Zoom’s privacy program and help impacted Zoom customers. And Commissioner Chopra again dissented, appealing for the FTC to seek accountability from Zoom and other companies.
  - Acting Chair Slaughter also has emphasized the importance of maximizing the impact of the Commission’s limited budget and ensuring that corporate defendants do not become repeat offenders. With a Democratic majority forthcoming, the Commission likely will continue to press for the use of existing remedies such as civil penalties and individual liability to incentivize companies’ compliance, as well as consider creative, new remedies to address the effects of data privacy and security harms on consumers and competition.
Recent statements from Acting Chair Slaughter and Commissioner Chopra signal potential shifts in the FTC’s approach to data privacy and security issues. We will continue to monitor these enforcement trends at the FTC in the years to come.