The new acting FTC chair, Rebecca Kelly Slaughter, recently signaled that the FTC may increase enforcement and penalties in the privacy and data security realm. Slaughter pointed to several areas of focus for the FTC this year, which companies will want to keep in mind:
- Notifying Consumers About FTC Allegations: Slaughter referred favorably to two recent cases: (1) the Everalbum biometric settlement from earlier this year (which we wrote about at the time); and (2) the Flo Health settlement over alleged deceptive data sharing practices (which we also wrote about at the time). In drawing on these two cases, Slaughter indicated that in future cases the FTC intends to include as part of any settlement a requirement to notify customers of any FTC allegations. This, she said, would allow consumers to “vote with their feet” and help them decide whether to recommend their services to others.
- FTC Intent to Plead All Relevant Violations: According to Slaughter, another lesson the FTC is taking from the Flo case is to include in the cases it brings all potentially applicable violations of all relevant privacy-related laws. In the Flo case, Slaughter said the FTC should have pleaded a violation of the Health Breach Notification Rule, which requires that vendors of personal health records notify consumers of data breaches.
- Focus on Ed Tech and COPPA: Given the explosive growth of education technology during COVID-19, the FTC is conducting an industry sweep of the industry. Related to this, the FTC is reviewing its Children’s Online Privacy Protection Act Rule. This goes beyond the refresh the agency did of their FAQs earlier in the pandemic (which we wrote about at the time). For now, Slaughter reminds companies that parental consent is needed before collecting information online from children under the age of 13.
- Examination of Health Apps: The FTC will take a closer look at health apps, including telehealth and contact tracing apps, as more and more consumers are relying on such apps to manage their health during the pandemic.
- Overlap Between Competition and Privacy: Slaughter also indicated that it is worth looking at situations where there may be not only privacy concerns, but antitrust as well. Because the FTC has a dual mission (consumer protection and competition) she notes that it has a “structural advantage” over other regulators in that it can look at these issues, especially since -she states- “many of the largest players in digital markets are as powerful as they are because of the breadth of their access to and control over consumer data.”
- Racial Equity and AI/Biometrics/Geotracking: Slaughter noted that COVID-19 is exacerbating racial inequities. She pointed to the unequal access to technology, as well as algorithmic discrimination (the idea that discrimination offline becomes embedded into algorithmic system logic). The FTC intends to focus on algorithmic discrimination, as well as on the discrimination potentially embedded into facial recognition technologies. (This mirrors concerns that gave rise to the recent Portland facial recognition law, which we recently wrote about). Finally, Slaughter commented on the use of location data to identify characteristics of Black Lives Matter protesters, and said she is concerned about the misuse of location data to track Americans engaged in constitutionally protected speech.
Putting it Into Practice: Companies that operate health apps, that are in the education technology space, or that use algorithms or facial recognition tools will want to keep in mind that these are areas of focus for the FTC. And for everyone, keep in mind that the FTC has indicated it will beef up privacy law penalties and will ask for more notification to injured consumers.