ANALYSIS: FTC Privacy Authority Is Poised for Breakthrough Year
If the Federal Trade Commission were a major league baseball team, it might be fair to view 2022 as a rebuilding year regarding its privacy enforcement authority. 2023, on the other hand, might just be the season that marks the FTC’s long-awaited return to a privacy authority winning streak.
The FTC spent 2022 recalibrating after it suffered setbacks to its privacy enforcement game plan, stemming from low morale, divisive partisanship, and a dearth of resources.
To be clear, the FTC still remains underfunded, but 2023 could nevertheless be a remarkably productive year for the privacy watchdog. A strengthened FTC—with a deadlock-proof panel of commissioners—could reach new heights, especially with the possible adoption of new privacy rules and bipartisan support for proposed federal privacy legislation
2023 could be a banner year for FTC enforcement endeavors, particularly in the areas of algorithmic disgorgement remedies, child online privacy, unfair data practices, and deceptive digital patterns.
Legal practitioners should be aware of a new FTC trend: Utilizing algorithmic disgorgement as a powerful deterrent against unlawful data collection and as a potent tool for consumer redress in 2023.
Algorithmic disgorgement, which involves the destruction of artificial intelligence-powered algorithms, is a legal remedy used by the FTC to require companies to relinquish the “fruits” of ill-gotten data, including the very algorithms developed or utilized with such data. Armed with this veritable enforcement weapon, the FTC has demonstrated ingenuity in exercising its privacy authority to penalize companies’ allegedly deceptive data practices.
Any baseball enthusiast—or privacy practitioner—should be impressed by the agency’s 3-for-3 record in securing settlement orders against companies that were investigated for developing AI models or algorithms through purportedly tainted, ill-gotten data. This is most recently evidenced by the FTC’s March 2022 settlement with WW International, formerly known as Weight Watchers, which followed prior algorithm-related settlements with Everalbum in 2021 and Cambridge Analytica in 2019.
In a particularly resourceful maneuver, the FTC’s court-enforced settlement order mandated the deletion of all ill-gotten data that WW International allegedly obtained from children without their parents’ consent, and required the destruction of any algorithms trained on, derived, or developed from such data—along with levying a hefty $1.5 million civil fine.
While questions remain regarding how exactly the FTC will implement and monitor algorithmic disgorgement, these recent settlement precedents demonstrate that the agency will continue to pursue companies that deceive consumers through unlawful personal data collection in inventive ways. With the Supreme Court’s 2021 gutting of the FTC’s ability to obtain equitable monetary relief under Section 13(b) of the FTC Act in AMG Capital Mgmt. v. FTC, it’s clear that the FTC will likely pursue this non-monetary mechanism to obtain redress for wronged consumers going forward.
Aggressive ‘Unfairness’ Enforcement
In 2023, the FTC will also likely continue to engage in aggressive policy statements and to pursue increased “unfairness” enforcement pursuant to Section 5 of the FTC Act.
The agency in May published a curious blog post asserting that Section 5 may require companies to notify individuals of breaches of their personal data—even where there’s no specific breach notification requirement under state or other federal data breach laws. The slightly out-of-left-field post explained that a failure to provide breach notifications may “increase the likelihood that affected parties will suffer harm,” and that in such cases, the FTC Act creates a “de facto breach disclosure requirement.”
This is somewhat remarkable, but also in line with the FTC’s trend of issuing confusing and opaque guidance—which I’ve previously written about with regard to the agency’s ambiguous “dark patterns” guidance. Yet strangely, that vagueness may serve as a useful tool by giving the agency some maneuverability in its policymaking and affording it relatively wide leeway in defining potentially unfair or deceptive breach notification practices.
In 2022, the FTC has similarly exhibited an increasingly aggressive enforcement stance against “unfair” data security practices. Pursuant to its Section 5 “unfairness authority,” the agency can leverage its ability to enforce a greater scope of unlawful behavior through privacy and data security enforcement. In 2023, look for the FTC to continue to establish strong precedent under this prong, which will serve to armor the agency against potential constitutional challenges to its authority.
‘Ramped-Up’ Dark Patterns Enforcement
In line with forward-looking enforcement trends, practitioners should expect the FTC to “ramp up” enforcement efforts targeting digital dark patterns in 2023 by striking against the legality of these deceptive interfaces, which are prevalent in mobile apps, websites, and e-commerce platforms.
The FTC portended such heightened scrutiny in its September staff report, “Bringing Dark Patterns to Light”. The report clarified much of the vagueness and ambiguities presented by the agency’s policy statement on negative option marketing, cited applicable precedents and case law for the FTC’s continued dark patterns enforcement, and delved into how deceptive digital patterns can subvert, manipulate, or obscure consumer choice.
Although it’s non-binding guidance, the staff report exemplifies how strongly the FTC views dark patterns enforcement as a key priority. Companies are on notice that the agency intends to fiercely back up its bold enforcement statements, especially for dark patterns designed to manipulate children and teens. And as recently as November of this year, the FTC imposed a dark patterns enforcement consent order penalizing telecommunications service Vonage to the tune of $100 million for the company’s unlawful use of junk fines and near-impossible cancellation options.
New Privacy Rulemaking
If Congress passes the American Data Protection and Privacy Act in 2023, it will be a game-changer for the FTC’s privacy authority. As currently drafted, the ADPPA would grant the FTC new rulemaking authority and expressly name the agency as the law’s primary enforcer.
But regardless of whether such federal legislation passes, the FTC has evinced more plans for an aggressive privacy and data security agenda through the unveiling of their most recent rulemaking—thereby covering all its bases. The new Advanced Notice of Proposed Rulemaking encompasses most industry sectors and touches upon a litany of online data practices, including online harms posed to children, algorithmic discrimination, and potential expansion of enforcement remedies.
Overall, practitioners should be on notice in 2023 of a determined, aggressive FTC zeroing in on key privacy enforcement priorities and playing hardball through scrutinizing and policing data security and privacy abuses covered under its mandate.
Access additional analyses from our Bloomberg Law 2023 series here, covering trends in Litigation, Transactional, ESG & Employment, Technology, and the Future of the Legal Industry.
Bloomberg Law subscribers can find related Practical Guidance documents, tools for keeping track of new laws, and in-depth reference materials on our Privacy & Data Security Practice Center resource.
High-ranking privacy and cybersecurity practitioners provided insights on keeping up with evolving compliance standards at the Bloomberg Law 2022 In-House Forum, now available on-demand to all readers who register online.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.