Cybersecurity 2022 – The Year in Preview: Privacy Regulations at the FTC

As we think about what 2022 may hold with regard to privacy and data security regulation by the Federal Trade Commission (FTC), we should first look back at some of the developments from last year that set the stage for this year. Just like 2021, it appears that the regulatory culture at the FTC this year will be heavily entangled with the political environment. Recent events suggest that while privacy and data security related reforms previously enjoyed bipartisan support, there are limits to that bipartisanship and not everyone agrees on the FTC’s role in crafting new privacy and data security regulations. One thing that remains to be seen is will the partisan disagreements derail the FTC’s efforts to draft new regulations or will the FTC press ahead anyway.

The Politics of Filling the Fifth Seat

To start the new year, President Biden renewed his nomination of Alvaro Bedoya, founding Director of the Center on Privacy & Technology at Georgetown Law School, to fill the vacancy at the FTC created by Rohit Chopra’s departure last year to take over as Director of the Consumer Financial Protection Bureau. The nomination had to be renewed because it hit an unexpected delay at the end of last year in the Senate Commerce Committee, when what many expected to be an unremarkable vote, instead turned out to be a party line vote with all of the Republicans voting against Bedoya’s nomination.

Earlier in the year, during Bedoya’s confirmation hearing, only a handful of Republicans expressed concern over his nomination and most Senators appeared content with Bedoya’s privacy expertise. Among those who expressed concern at the hearing was Sen. Ted Cruz (R-TX) who criticized Bedoya for tweets that Cruz insisted show Bedoya to be “a left-wing activist, a provocateur, a bomb thrower, and an extremist.” Despite these accusations, Bedoya repeatedly expressed his support for collaboration and highlighted his previous bipartisan successes as a Senate staffer, but that was apparently insufficient in assuaging the concerns because no Republicans voted in favor of confirmation and the committee deadlocked at 14-14.

After the vote, the Committee’s ranking member, Sen. Roger Wicker (R-MS), echoed Sen. Cruz’s concerns when he summed up the opposition to Bedoya by stating that there “has been a troubling trend of politicization at the FTC, which is different from how it has been in previous years.” Sen. Wicker went on to express a concern that Bedoya may not bring “the cooperative spirit to the commission” that has historically set the FTC apart from other agencies.

The deadlocked vote is even more remarkable when considering that Chair Khan, who has since become a source of controversy during her tenure at the FTC, was voted out of the same committee and confirmed by the full Senate earlier this year with significant Republican support.  (Only four Republicans on the Commerce Committee voted against sending her nomination to the full Senate and 22 Republicans ultimately voted in favor of her confirmation.)  However, now that Bedoya’s nomination has been renewed and despite a delay caused by the need for an extra procedural vote to clear the full Senate, his nomination is not dead. Since the Democrats control the Senate, Bedoya is still likely to be confirmed early this year.

The Winds of Change at the FTC

This shift towards partisanship is another signal that support for new federal privacy and data security regulations, which once seemed unified and bipartisan, may become a victim of the partisan divide. But the deadlocked vote over Bedoya’s nomination was not the first sign of trouble. Instead of a bipartisan Commission unified in its goal “to engage in sound, vigorous privacy and data security enforcement,” Bedoya may be joining a Commission already divided by partisan conflict over the very nature of what privacy and data security enforcement should look like.

There is bipartisan support for the FTC’s mission to “protect consumers from harms caused by unfair and deceptive data security and privacy practices,” and there is also agreement amongst the Commissioners that Congress needs to enact new legislation to enable the FTC to better protect the privacy and security of consumers.  However, there has been little progress on new legislation from Congress and Chair Khan appears unwilling to continue waiting.  In her statement regarding the FTC’s Report to Congress on Privacy and Security, Chair Khan stated that now is an “opportune time for the Commission to examine how we can best use our tools and update our approach in order to tackle the slew of data privacy and security challenges we presently face.”

The Report to Congress and Chair Khan’s Statement set off alarm bells for the Republican FTC Commissioners about what she may be planning. They expressed concerns in their dissents to the Report objecting to the extent that “the Privacy Report that could be construed as exceeding the agency’s statutory authorities” and warning that Khan’s proposed reforms may be guided by “misplaced priorities, a disregard for statutory boundaries, and the replacement of market preferences with regulatory fiat.”

The Return of Rulemaking at the FTC

One part of the FTC’s Report that caused the biggest concerns was the suggestion that “the Commission should deploy all of its tools to protect Americans’ privacy” including its rulemaking authority under Section 18 of the FTC Act, which has been largely dormant since the 1980s.  Instead of waiting for Congress to act, the Report seems to suggest that the FTC may use Section 18 to go around Congress and make up its own regulations.

The FTC as the primary federal regulator in the privacy and data security space has relied upon its authority under Section 5 of the FTC Act, which prohibits deceptive or unfair commercial acts or practices. The FTC has broad authority under Section 5, but there are limitations including the evidence that is required to prove a violation and the availability of certain remedies for violations, including civil fines. In contrast, if the FTC were to promulgate new regulations under Section 18 prohibiting certain privacy and data security practices, the FTC would need only to demonstrate that the practices to be prohibited are “prevalent” and then the FTC could seek civil penalties by filing suits in federal district court against violators of the rule.

Earlier last year, the FTC released a Statement Regarding the Adoption of Revised Section 18 Rulemaking Procedures, supported only by the Democratic Commissioners, in which the FTC announced that it was changing its Rules of Practice to remove what it called “extraneous and onerous procedures that serve only to delay Commission business.” In effect, the changes made it much easier for the FTC to issue new regulations under Section 18. In response, the Republican Commissioners objected that the reforms make it too easy to impose new regulations and in a dissent by Commissioner Wilson, she expressed concern that the reforms would open the door to “aggressive, unbounded rulemaking efforts.” Commissioner Phillips, along with the Ranking Members of the Senate and House Commerce Committees, warned in an op-ed that the FTC’s “lone ranger approach” to new privacy and data security regulations “would be a blatant overreach” and “a recipe for bad policy.”

Undeterred by Republican criticism, the FTC released a Statement of Regulatory Priorities in December announcing that in the coming year the FTC would prioritize new privacy regulations. In particular, the FTC intends to focus on developing regulations under the Section 18 rulemaking process that “allow the agency to recover redress for consumers who have been defrauded and seek penalties for firms that engage in data abuses.”[14]

The New Commissioner Likely Means New Regulations

New privacy or data security regulations would fit squarely within Bedoya’s area of expertise, considering his previous work to ban so-called stalking apps that have been used to target victims of domestic violence and his stated concerns regarding the U.S. Immigration and Customs Enforcement’s policies regarding the use of facial recognition technology and the detention of children at the Mexican border. Given his pending nomination, it is highly unlikely that the FTC would start the rulemaking process on any new privacy or data security regulations without his involvement. If Bedoya is confirmed, there would presumably be three votes in favor of new regulations, even if the Republican Commissioners are less inclined to support them.

Predicting what new regulations the FTC might put forward under a seldom used rulemaking authority may be difficult, but in its Statement of Regulatory Priorities, the FTC identified the need to curb the abuses stemming from surveillance-based business models as one of the most pressing issues consumers confront in the modern economy. In addition, the FTC has indicated that it is considering new regulations designed to curb lax security practices, limit intrusive surveillance, and ensure that algorithmic decision-making does not result in unlawful discrimination. In other contexts, the FTC said that it intends to “spend more time on the overlap between data privacy and competition” to ensure that they use “both privacy and competition lenses” when addressing problems that arise in digital markets.

The specifics of those regulations and how aggressive they may be remains to be seen, and it is possible that concerns over the FTC going it alone might be enough to prompt Congress into action. One thing is certain though, privacy and data security is becoming more partisan and is going to be a hot topic next year at the FTC.

Leave a Reply

Your email address will not be published. Required fields are marked *