As we look to 2022, a question on many companies’ minds is what actions we will see from the FTC. Two recent developments are important on that front.
First, the FTC recently signaled its intent to initiate rulemaking on issues of privacy and security. The Commission indicated that it wants to curb lax security practices and limit privacy abuses. It is also interested in making sure that algorithmic decision-making does not result in unlawful discrimination. The FTC signaled this intent through an Advance Notice of Proposed Rulemaking, which has a deadline of February 2022. At that time, interested parties can respond to the proposed rulemaking and provide suggestions or alternative methods for achieving the objectives. The FTC may then decide to begin its rulemaking process.
Second, the FTC recently published its annual Statement of Regulatory Priorities. This statement provided updates on a number of different priorities, including several relating to privacy and security. Topics included issues relating to the collection of information from children, health care privacy, and privacy and data security for those in the financial services space. Each is summarized below:
- Children’s Online Privacy Protection Act (COPPA). FTC staff are reviewing public comments submitted in response to the agency’s 2019 request for comment on its COPPA Rule. The FTC had requested comment on all major provisions of the COPPA Rule, for example, definitions and the notice and parental-consent requirement. This also includes exceptions to verifiable parental consent and the safe-harbor provision.
- Health Breach Notification Rule (HBNR). The Commission initiated a periodic review of the HBNR in May 2020. The comment period then closed in August 2020. The staff intends to submit a recommendation to the Commission by January 2022. In light of some of the controversial and new interpretations of this rule released in 2021, additional clarity about the scope of the rule will be welcomed by industry.
- Identity Theft Rules. FTC staff is reviewing the public comments to the Identity Theft Rules and anticipates sending a recommendation by January 2022. The Identity Theft Rules include the Red Flags Rule and Card Issuer Rule.
- Safeguards Rules. In October 2021, the Commission updated the GLBA Safeguards Rule, providing additional requirements for security programs. It also announced the issuance of a Supplemental Notice of Proposed Rulemaking. That notice sought comment on whether financial institutions should be required to report certain data breaches and other security events to the Commission.
- Fair Credit Reporting Act Rules (FCRA). On September 8, the FTC approved final revisions that would bring several rules implementing parts of the FCRA in line with the Dodd-Frank Act.
The Commission’s plan to take up additional privacy rulemaking in the new year is unsurprising in light of its vote earlier in the summer to streamline the rulemaking process under Section 18 of the FTC Act. Those changes included giving the FTC chair oversight authority and removing some of the public comment periods.
Putting it into Practice. These rulemaking initiatives may add further complexity in 2022, especially as companies begin to prepare for forthcoming laws in Colorado, Virginia, and updates in California.