The Evolution of Privacy and Security Regulation by the FTC
The Federal Trade Commission (FTC) plays a pivotal role in privacy and security regulation in the United States. Enforcing Section 5 of the FTC Act, it targets unfair or deceptive acts or practices that harm consumers. Through creative and aggressive use of the limited tools it has, the FTC is reshaping traditional regulatory approaches. Cases such as the BJ's Wholesale settlement and the Wyndham litigation illustrate the FTC's expanding reach and its commitment to protecting consumer data. Understanding its evolving strategies is crucial for both students and practitioners in the field.
Presentation Transcript
The FTC's Ongoing Revolution in Privacy and Security
Kirk J. Nahra
WilmerHale, Washington, D.C.
202.663.6128
Kirk.Nahra@wilmerhale.com
@kirkjnahrawork

WILMERHALE
The Federal Trade Commission
- The FTC is the most visible and (probably) most significant privacy and security regulator in the United States
- Their path to regulation/enforcement is very much up in the air
- Their tools clearly are limited
- But that isn't stopping them at all

The Federal Trade Commission
- They are looking for creative and aggressive ways to use the tools they have in more extensive ways
- They are making new law regularly, and not in traditional ways
- Understand what they are doing and think about whether it's the right approach
- Really interesting issues for students and practitioners
The Federal Trade Commission
- The basic consumer protection statute enforced by the FTC is Section 5(a) of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."
- Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

The FTC
- Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.
Some History: Security is for Everyone
- BJ's Wholesale settlement
- Settlement with the FTC about security practices
- Extended FTC reach because (1) there were no legal requirements to make security promises; and (2) no promises had in fact been made
- Creates a general duty on everyone to protect individually identifiable information with reasonable security practices
Wyndham
- Many prior FTC cases, all with settlements
- Wyndham chose not to settle
- Court decision (3rd Circuit)
- Rejected Wyndham's argument that conduct is only unfair when it injures consumers "through unscrupulous or unethical conduct."

Wyndham
"A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

Wyndham
"We thus conclude that Wyndham was not entitled to know with ascertainable certainty the FTC's interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute."

Wyndham
"One sentence in Wyndham's reply brief says that its view of what data-security practices are unreasonable . . . is not necessarily the same as the FTC's. Too little and too late."
LabMD
- LabMD case was a big wild card
- 4 issues: (1) overall authority over data security; (2) authority over HIPAA covered entities; (3) consumer harm element; (4) was this result right?

LabMD
- Decision turned on a 5th issue: was the relief sought by the FTC appropriate?
- "In the case at hand, the cease-and-desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable."

LabMD
- FTC order which dictates a compliant information security program going forward "does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD's data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul."
Security
- So that's largely the background
- They are continuing to refine what appropriate security practices mean, but there is likely little ability for companies at this point to challenge their basic authority
- Still not at all clear what their overall standards are

Privacy
- But we know how they built their authority
- Making new law through consent orders and settlements
- And then using the principles of these settlements to define a new body of law on appropriate practices, because there was no challenge

The FTC
- So what are they doing today?
- How are they trying to build a law of:
  - Privacy
  - Artificial Intelligence

The FTC Today
- Aggressive regulatory positions
- Aggressive enforcement cases
- Pursuing a rulemaking on overall privacy
- Pursuing additional regulations (health data breach notification)
- Bringing cases as if these new rules exist

They aren't shy
- Chair Khan and staff
- Leadership setting out an agenda
Khan Article
"The last time we found ourselves facing such widespread social change wrought by technology was the onset of the Web 2.0 era in the mid-2000s. New, innovative companies like Facebook and Google revolutionized communications and delivered popular services to a fast-growing user base."

Khan Article
"Those innovative services, however, came at a steep cost. What we initially conceived of as free services were monetized through extensive surveillance of the people and businesses that used them. The result has been an online economy where access to increasingly essential services is conditioned on the widespread hoarding and sale of our personal data."

Khan Article
"The trajectory of the Web 2.0 era was not inevitable; it was instead shaped by a broad range of policy choices. And we now face another moment of choice. As the use of A.I. becomes more widespread, public officials have a responsibility to ensure this hard-learned history doesn't repeat itself."

Khan Article
- Khan made a point of noting that AI represents nothing special in the eyes of the law. "Although these tools are novel, they are not exempt from existing rules," she wrote, "and the FTC will vigorously enforce the laws we are charged with administering, even in this new market."
FTC - Consumer Protection Head
"There's a widespread misconception about whether or not federal law protects your privacy. It doesn't, at least not explicitly. Congress has managed to squander a decade's worth of bipartisan agreement about the internet's data problems. In the absence of legislation, one group of regulators recently stepped in to fill the void. It's a ragtag group of government cowboys that calls itself the Federal Trade Commission."
What do you think of this positioning?

FTC - Consumer Protection Head
"Over the past year, the FTC picked up the few meager laws on the books that have anything to do with privacy and repackaged them into a way to address big data's worst offenders. Through innovative legal arguments and landmark settlements, the FTC is rewriting the rules of the internet just in time to usher in a platform shift as AI and other technologies spark a new era of the web. In the meantime, it is changing tech policy by stretching existing regulations to places no one believed they could go."

FTC - Consumer Protection Head
"We're done preaching this fiction that the markets can self-correct, or that consumers can protect themselves by reading privacy policies. For the last two decades we've had a regime where companies felt like they could put anything in their privacy agreements and get away with it if consumers say yes."

FTC - Consumer Protection Head
"Big picture, the shift we've made as an agency is stating plainly what I think many people already knew, but hasn't really been said by anyone in government: the notice and choice regime is not working. It might have made sense two decades ago, but it does not make sense today. It's unreasonable to put the burden on consumers to be reading hundreds of thousands of pages of privacy policies, let alone to understand them."

FTC - Consumer Protection Head
"We also have authority to prohibit and take action against unfair practices, which are defined in our statute as practices that cause injury, that are not reasonably avoidable by consumers, and that don't have countervailing benefits to consumers or competition. If a company's data practices harm people, we're prepared to take action, even if those practices are accurately disclosed. In other words, we're not just looking at whether companies are telling the truth about how they're using people's data, we're thinking about whether companies are using people's data in a way that is likely to harm us."

FTC - Consumer Protection Head
"The reality we find ourselves in now is directly attributable to that this has been a Wild West for so long. Looking forward, we need to be thinking about this kind of situation where companies can make assumptions about people without collecting new information about them. In fact, that's something we already talk about in our rule-making. It's uncharted, but it's increasingly becoming a part of the common model for larger firms. However, I don't think it goes beyond the FTC jurisdiction."
FTC and AI
- Very explicit about its intentions
- Essentially saying: we missed our chance to do better on the Internet generally and are not going to miss our chance again

AI Development
- Chair Khan: sensitive personal data related to health, location or web browsing history should be off limits for training artificial intelligence models. (WHY?)
- "The FTC is working to create bright lines on the rules of development, use and management of AI inputs," Khan said. "On the consumer protection side, that means making sure that some data, particularly people's sensitive health data, geolocation data and browsing data, is simply off limits for model training."
- Khan said that companies that want to use data they've already collected for AI training also must actively notify users of the change.

FTC Artificial Intelligence
- AI highlights Big Data; the potential for discrimination/bias and fraud/deception; and the agency's focus on data governance more broadly
- Agency wants to lead in regulating and shaping policy early to ensure its position and prevent mistakes made with social media
- Anticipate active investigations and enforcement as the agency attempts to understand the technology and make new law/policy
- FTC v. Rite Aid
  - Rite Aid allegedly failed to take reasonable measures to prevent harm to consumers from its use of facial recognition technology and violated a 2010 FTC order relating to data security and vendor management
  - Factors supporting unfairness determination align with the Biometric Information Policy Statement
  - Rite Aid is prohibited from using facial recognition for five years; data and model deletion; consumer notice and redress; data retention
  - According to Commissioner Bedoya, the settlement offers a strong baseline for what an algorithmic fairness program should look like
FTC Location Data
- Triggered by confluence of Roe being overturned and the Biden Executive Order, as well as the Markup article
- Explosion of business models that monetize people's personal information has resulted in routine trafficking and marketing of Americans' location data
- General claim is that sale can allegedly expose people to harassment, stigma, discrimination or even physical violence
- Remedies in In the Matter of X-Mode Social, Inc. and Outlogic, LLC and In the Matter of InMarket Media illustrate continued focus on substantive limitations on data collection and use
- In FTC v. Kochava, Case No. 2:22-cv-00377-BLW (D. Idaho), the court denied Kochava's motion to dismiss, finding that Kochava arguably invades consumers' privacy and exposes them to significant risks of secondary harms

New Kochava Complaint
"Defendant's violations are in connection with acquiring consumers' precise geolocation data and selling the data in a format that allows entities to track the consumers' movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery."
Think about compliance issues here
Everalbum
- The FTC finalized a settlement with the developer of a photo app that allegedly deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts.
- The FTC alleged that Everalbum, Inc. misled users of its Ever mobile app that it would not apply facial recognition technology to users' content unless they affirmatively chose to activate the feature. The company, however, automatically activated its face recognition feature, which could not be turned off, for all mobile app users except those who lived in three U.S. states and the European Union, according to the FTC's complaint.

Everalbum
- The FTC alleged that the company also failed to keep its promises to delete the photos and videos of Ever users who deactivated their accounts and instead retained them indefinitely.
- As part of the settlement with the FTC, Everalbum, Inc. must obtain consumers' express consent before using facial recognition technology on their photos and videos.
- The proposed order also requires the company to delete the photos and videos of Ever app users who deactivated their accounts and the models and algorithms it developed by using the photos and videos uploaded by its users.
- In addition, if the company markets software to U.S. consumers for personal use, it must obtain users' express consent before using biometric information it collected from them.

Disgorgement
- Since this case, the FTC has brought a series of cases where disgorgement of models has been a remedy
- A major impact on companies; clearly changes the risk management profile
- This is a real sanction

FTC - Privacy ANPRM
- FTC also developing an approach to a potential commercial surveillance rule going forward
- A long process because of the relevant laws
- They have started the process
- They are taking action independent of this process
FTC Overview
- Tremendous volume of activity in 2023 relating to privacy and data security compared to prior years (and in the consumer protection space overall)
- "Unchecked corporate surveillance" continues to drive enforcement, rulemaking and policy
- Broad interpretation of unfairness authority to curb allegedly harmful practices
- Active rulemaking on health data, children's privacy and commercial surveillance generally
- Continued focus on substantive limitations and remedies that raise reputational/business issues for companies
- Playbook: public statements → favorable settlements → policy guidance → new status quo and/or rulemaking

FTC Overview
- Emerging as a leader in health privacy enforcement
- Broad definition of health data: anything that conveys information or enables an inference about a consumer's health
- Multiple policy statements over the past year around health data, as well as active rulemaking
- Same playbook: broad unfairness authority, substantive limitations, and remedies that raise reputational/business issues for companies

FTC Health Data and AdTech
- FTC is aggressively pursuing the use of tracking technologies that collect personal health data
- Through GoodRx and BetterHelp, FTC has established that the failure to obtain affirmative express consent from consumers before transferring health information to third parties for advertising purposes (and for the third parties' own purposes, e.g., developing their own products) is an unfair business practice
- Remedies include a permanent ban from disclosing consumer health information to advertisers and directing third parties to delete data
- Companies need to understand the tracking technologies on their websites, how they work, and what contractual arrangements are in place (easier said than done)
Biometric Data
- Policy Statement on Biometric Information and Section 5
- Using biometric information to identify consumers in certain locations could reveal sensitive personal information about them, for example, that they have accessed particular types of healthcare
- Expansive view of biometric information
- Provides overview of factors supporting an unfairness determination
- FTC v. Rite Aid
  - Rite Aid allegedly failed to take reasonable measures to prevent harm to consumers from its use of facial recognition technology and violated a 2010 FTC order relating to data security and vendor management
  - Rite Aid is prohibited from using facial recognition for five years; data and model deletion; consumer notice and redress; data retention

Genetic Data
- Genetic data reveals sensitive information not only about consumers' health, characteristics, and ancestry, but about their families
- Where sensitivity of the data is high, so too is the risk of harm; therefore, greater protections are warranted
- Trio of FTC enforcement actions involving sellers of genetic testing products provide the following lessons:
  - Secure genetic data
  - Secure customer accounts
  - Claims about genetic testing must be substantiated
  - Avoid dark patterns
  - Obtain consent for material retroactive changes
- Orders required financial settlements; deletion of biometric data or materials; notice to consumers; affirmative express consent for future use or disclosure of genetic data

FTC Health Breach Notification Rule (the leading edge)
- Health Breach Notification Rule requires vendors of personal health records (PHRs) or PHR-related entities to notify consumers, the FTC, and sometimes the media when they discover certain data breaches
- Through guidance in 2021 and 2022, the FTC made clear that it planned to take a broad view of what constitutes (1) a PHR, and (2) a breach
- GoodRx and Premom establish that the FTC views disclosures of consumer health information to third parties without authorization to be an HBNR violation
- Proposed HBNR amendments to establish the FTC's position are pending
- Illustrative of how FTC defines appropriate privacy practices through guidance, enforcement actions, and rulemaking
Key Questions Going Forward
- Are there any real limitations on what the FTC can do here?
- Will someone challenge their activities?
- Will national privacy legislation curtail/impact these activities?
- What is your view on their activities generally?

Questions?