On Feb. 10, 2021, Acting Federal Trade Commission (FTC) Chairwoman Rebecca Kelly Slaughter offered a glimpse of where the FTC may be headed under the Biden administration and confirmed that privacy remains among the Commission’s top priorities.
In her keynote address to the Future of Privacy Forum, Slaughter shared her views on the FTC’s role in privacy and data security, and her priorities for the coming years. While among the first in her new role, Slaughter’s remarks contain familiar themes, including innovative approaches, greater transparency, and comprehensive use of FTC authority – hallmarks of her tenure on the Commission.
This GT Alert provides key points from Acting Chairwoman Slaughter’s remarks and some takeaways.
Effective Enforcement: Deterring Problematic Privacy and Data Security Practices
Before diving into the substantive priority areas, Slaughter set the tone by emphasizing her interest in making the FTC’s enforcement efforts “more effective” – similar sentiments to those she expressed in her October 2020 remarks at the Cybersecurity and Data Privacy Conference. The FTC has arguably been aggressive in bringing enforcement actions, so how are Slaughter’s priorities different? The answer lies in her call for “stronger relief for consumers.” In particular, Slaughter identified the following types of relief that she would like the FTC to pursue.
- Meaningful Disgorgement. Slaughter highlighted the FTC’s recent settlement with photo app developer Everalbum as an example of the type of innovative disgorgement remedy she hopes to see more of. In Everalbum, the FTC alleged that the app developer deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. As part of the settlement, the FTC required the company to delete not only the photos and data that was collected, but also the facial recognition models and algorithms the company developed using such data. Slaughter explained that “[w]here companies collect and use consumers’ data in unlawful ways: we should require violators to disgorge not only the ill-gotten data, but also the benefits…generated from that data.”
- Effective Consumer Notice. Slaughter pointed to another recent case involving Flo Health, a fertility-tracking app, in which the FTC alleged that the company shared the health information of users with outside data analytics providers after promising that such information would be kept private. The settlement required the company to provide notice to consumers of its false promises. Given the lessons learned from Flo Health, Slaughter emphasized that she will “be pushing staff to include provisions requiring notice in privacy and data security orders as a matter of course.”
Protecting Privacy During the Pandemic: Health Data and Children’s Privacy
It is no surprise that COVID-19-related privacy and security issues made the short list of priorities. Slaughter emphasized the following areas of focus.
- Health Data. With fewer in-person doctor visits and more consumers turning to health apps to help manage their health issues, health data privacy is a key area of concern. In addition to asking staff to “take a close look at health apps, including telehealth and contact tracing apps,” Slaughter expressed interest in broader applicability of the FTC’s Health Breach Notification Rule.
- Ed-tech and COPPA. Another trend born out of the pandemic has been the proliferation of distance learning and education technology (ed-tech). Slaughter noted that the FTC is in the process of reviewing the Children’s Online Privacy Protection Act (COPPA) rule in response to numerous public comments, but stated that “we don’t need to complete our rulemaking to say that COPPA absolutely applies to ed-tech, and companies collecting information from children need to abide by it.” This follows a series of FAQs the FTC released in 2020, entitled “COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus,” which addressed, among other things, how an ed-tech service provider could obtain consent from a school instead of from a parent.
Promoting Racial Equity: Algorithmic Discrimination and Location Data
Slaughter acknowledged the overlap between racial equity and COVID-19-related privacy issues and emphasized how the FTC is engaged in the nationwide work of combating racial injustice. In addition to equity concerns like the “digital divide,” Slaughter identified the following areas to focus on in closing the equity gap.
- Algorithmic Discrimination. Slaughter discussed the plethora of potential harms associated with artificial intelligence (AI) and algorithmic decision-making, including discrimination. “As sophisticated algorithms are deployed,” she explained, “it is vital to make sure that they are not used in discriminatory ways.” To that end, Slaughter said that she had asked staff “to actively investigate biased and discriminatory algorithms.” This aligns with the FTC’s April 2020 guidance on AI and algorithms. Additionally, she noted that while the FTC has challenged illegal practices related to facial recognition technology, she intends to “redouble our efforts to identify law violations in this area.”
- Location Data. Slaughter also addressed the issue of mobile apps’ use of location data to identify Black Lives Matter protesters. She expressed concern about misuse of location data, particularly with regards to tracking “Americans engaged in constitutionally protected speech.”
Beyond Enforcement: Events, Reports, and Policy Ahead
- Report on Broadband Privacy Practices. With the ever-increasing reliance on connectivity and reliable internet, as accelerated by the pandemic, large Internet Service Providers now have record numbers of subscribers. As a follow-up to the FTC’s industry-wide study of broadband privacy practices, Slaughter has asked the FTC to issue a report on the subject in 2021 to provide the public with more transparency.
- PrivacyCon 2021. On July 27, 2021, the FTC will host its sixth annual PrivacyCon, where a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators will discuss the latest research and trends relating to consumer privacy and data security.
- Workshop on Incentivizing Market Players to Protect Privacy. Slaughter has asked the FTC to host a workshop “aimed at increasing our understanding of the incentives in the marketplace and how best to ensure market players do a better job of protecting privacy and securing consumer data.”
- Slaughter’s track record and recent remarks suggest increased FTC scrutiny and enforcement efforts with respect to privacy issues associated with key technology trends, including AI and facial recognition technologies, education technologies, and telehealth and contact tracing apps.
- The FTC may expand its activities in health data privacy, including broader application of the FTC’s Health Breach Notification Rule in cases involving health data that falls outside of the scope of HIPAA.
- In light of Slaughter’s call for “stronger relief for consumers” in privacy and data security cases, we may see more “innovative disgorgement” remedies like the settlement in Everalbum, including requirements that companies “disgorge” not only the ill-gotten data but also the benefits derived from the data.