FTC Activities in 2021 and Likely Trends for 2022
2021 saw the kickoff of the Khan era at the Federal Trade Commission (FTC). During FTC Chair Lina Khan’s first nine months on the job, she has announced privacy and security initiatives that offer important insights into her priorities. Companies should pay close attention to FTC activity in 2021 and public statements from FTC’s leadership to prepare for 2022. Here’s a list of 10 likely trends we can expect to see in 2022 (in no particular order):
- New rulemaking proceedings: The FTC is considering a new Rule to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” This rulemaking proceeding is likely to kick off in the coming months. This initiative comes on the heels of the first update in 20 years to the Safeguards Rule under the Gramm-Leach-Bliley Act, which requires non-bank financial institutions (e.g., mortgage companies, tax preparers, debt collectors, fin-tech companies, software providers for financial data) to maintain reasonable security safeguards to protect customer information.
- Focus on digital platforms and marketplaces: In a report to Congress, the FTC noted its interest in focusing on the data practices of dominant digital platforms, and in particular, on enforcement of orders against companies like Facebook, Google, Twitter, Microsoft, and Uber. But we do not expect the focus on “marketplaces” to be limited to the largest tech platforms. For example, last month, the Commission announced an enforcement action against OpenX, an ad exchange.
- More joint competition and privacy activity: In the same report to Congress, the FTC said, “we need to make sure we are looking with both privacy and competition lenses at problems that arise in digital markets.” Notably, the FTC’s industry study on social media and video streaming services includes both competition and consumer protection questions. The FTC’s amended complaint alleging anticompetitive conduct by Facebook includes references to how Facebook interfered with potential competition on privacy.
- Expanded remedies: FTC cases from 2021 continue to reflect the FTC’s bread-and-butter emphasis on issues like children’s privacy, health privacy, data security, identity theft, algorithms, and ad-tech. But while the subject matter may seem familiar, the FTC’s cases from 2021 highlight the panoply of novel remedies the Commission has begun to seek and will likely continue to press for going forward in its privacy enforcement actions. These include deletion of consumer data, deletion of algorithms or models created from consumer data, required notices to consumers, and conduct bans.
- Increased enforcement of the FTC’s health breach notification rule: In 2009, the FTC issued the health breach notification rule, requiring vendors of personal health records and related entities to notify consumers, the FTC, and in some cases, the media when data is disclosed or acquired without the consumer’s authorization. Last fall, by issuing a new policy statement under the Rule, the FTC signaled its intent to step up enforcement efforts under the Rule. Any non-HIPAA covered app, website, or connected device that collects information from consumers should consult the requirements of the Rule, and, where applicable, should comply with its notice and other obligations.
- Continued Fair Credit Reporting Act enforcement: Last month, the FTC and U.S. Department of Justice (DOJ) announced a settlement against a company that claimed its background reports may contain arrest, criminal, and sex offender records—even if it didn’t include such records—to trick consumers into signing up for auto-renewing subscriptions. Among other things, the agencies’ complaint alleged that the company was a consumer reporting agency required to comply with the Fair Credit Reporting Act (FCRA) because it marketed its background reports for employment purposes.
- Focus on racial equity: In April, the FTC issued business guidance to highlight that the use of racially-biased algorithms could be an unfair practice under the FTC Act. In October, it issued a staff report titled, “Serving Communities of Color,” renewing its commitment to efforts related to surveillance, algorithmic bias, and other emerging issues that may disproportionately affect communities of color.
- Emphasis on protecting workers: The FTC required Amazon to pay over $61 million for allegedly deceiving Amazon Flex drivers that they would receive “100% of tips.” Chair Khan has urged Congress to consider passing antitrust legislation that would give workers greater protections to organize under antitrust laws. And at a joint FTC/DOJ workshop on promoting competition in labor markets, Chair Khan discussed her interest in scrutinizing non-compete and non-disclosure agreements.
- Scrutiny of self-regulatory programs: For the first time last year, the FTC kicked a member out of a safe harbor program under the Children’s Online Privacy Protection Act and noted its intent to closely scrutinize other children’s privacy oversight companies.
- New operational priorities: Internally, the FTC is making some changes to the way it does business, including expanding the regional offices, hosting more open meetings, hiring across disciplines (e.g., technology, data analytics), and reducing the number of public appearances by staff. Companies interacting with the FTC are likely to see changes in policies and practices, for example, an emphasis on business and technical questions, in addition to legal ones.
For more information on FTC’s privacy and cybersecurity work, please contact Wilson Sonsini attorneys Maneesha Mithal, Chris Olsen, Lydia Parnes, or Tracy Shapiro.