Co-authored by Professor Woodrow Hartzog
The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?
1. The FTC will shift in a more Republican direction, but the shift will not be radical.
The FTC is run by a bipartisan panel of five Commissioners, one of whom is Chairperson. Commissioners vote on the actions that the FTC will take on various consumer protection matters. But now, only two Commissioners remain and there are 3 vacancies. The Trump Administration will thus have an enormous impact on the agency because it will choose the majority of Commissioners plus the Chairperson.
The five Commissioners must be a bi-partisan panel, with no more than three being from the same party. The bi-partisanship of the FTC is mandated by statute.
The current FTC has been vigorous over the past eight years in protecting privacy and security, though most of these cases were not very controversial because they involved relatively clear cases of deceptive acts or practices—the Commission’s bread and butter. The Commissioners who departed recently include Joshua Wright, a conservative who believes in dialing back aspects of the FTC’s approach to privacy and security. He recently wrote an article criticizing the FTC’s view of harm as being too broad. Commissioner Julie Brill also left to chair Hogan Lovells’ privacy practice – Brill consistently pushed for strong enforcement of privacy and security protection. And recently, Chairwoman Edith Ramirez announced that she will be stepping down. We would also put her in a similar camp as Brill as one who favored the current strong enforcement role for the FTC. The remaining Commissioners include Terrell McSweeny, who has supported the current posture of the FTC, and Maureen Olhausen, who, like Wright, has expressed concern at times about FTC overreach in privacy and security, but largely joined with the rest of the commissioners in supporting the FTC’s current approach.
So now, there will likely be two new Republican Commissioners (including the Chairperson) and one Democratic one. McSweeny is a Democratic Commissioner and Olhausen is a Republican one. The new balance of power will be three Republicans and two Democrats.
2. The FTC will likely stop bringing some of its more cutting-edge cases, but its enforcement will not change dramatically.
As we noted in one of our articles, the FTC has been generally conservative in its enforcement of privacy and security, rarely pushing radically new norms and instead enforcing well-established industry norms.
Even Republican Commissioners have supported most of the FTC’s privacy and security enforcement actions. Olhausen has publicly supported most of the recent complaints, though she issued a strong dissent in Nomi and was critical of the FTC’s recommendation in its report on the Internet of Things for baseline privacy legislation and strong data minimization practices. Wright, though critical of the FTC’s view on harm, supported the FTC’s Wyndham case and even wrote the Commission’s opinion rejecting LabMD’s arguments that its Section 5 unfairness authority excludes data security.
Perhaps the most significant change to the FTC will occur as a result of changes at other agencies shift authority and leave gaps to be filled. Chris Hoofnagle, who has written an excellent book about the FTC, opines that the agency with the most to fear is the FCC. Chris says: “[T]he FTC is less politicized and less lobbied than the FCC. I think the FCC is going to get a real thrashing. There’s even talk of eliminating the FCC’s consumer protection mission and assigning it to the FTC.” If the FTC were to inherit some of the FCC’s authority, we would expect an initial showing of strength with a surge of action in the area, yet we doubt the actions would be very controversial. The FTC would likely be motivated to demonstrate its competence with its new authority but also show that it would not rock the boat.
Chris also notes: “The FTC is an independent agency and it will keep chugging on; it usually is ignored by the White House. Commissioner Olhausen supports 95% of the cases—even Commissioner Wright did. And there will be two years of cases under Obama leadership that are in the pipeline, and those probably will not go away.”
For more on Chris’s thoughts about the FTC’s internal dynamics, you should read his recent piece on the subject. Chris says: “To the conservatives, Nomi is the worst example of reading out ‘materiality’ in deception cases. So, expect the Trump FTC to tighten the reins on deception. They see it as a strict liability offense as used under Ramirez.” In addition to demanding more evidence that deceptive representations were material to users, we would also expect a greater emphasis on the cost/benefit analysis required for unfairness actions, given Commissioner Olhausen and Wright’s exhortations to that effect and mounting criticism and pressure from industry.
3. The FTC will continue to grow in its role as enforcer of privacy and security.
FTC privacy and security enforcement began during the Clinton Administration. That is when the FTC forged ahead in its role and grew its footprint significantly in the privacy and security domain.
During the Bush Administration, the FTC didn’t reverse course. It still broadened its role. Possibly because privacy norms were more in flux, the FTC started bringing more data security enforcement cases, and it took some bold actions. In several cases – Microsoft Passport and Guess – the FTC brought enforcement actions for inadequate data security despite the fact that there had been no data breach.
During the Obama Administration, FTC privacy and security enforcement were stepped up a few notches. The FTC brought more cases that were controversial and that pushed more aggressively on the emerging norms of privacy and security.
Although FTC enforcement during the Bush Administration was less aggressive than during Obama’s Administration, the differences are not that huge. During the Bush years, the FTC continued to bring privacy and security enforcement actions. The number of actions didn’t dramatically increase – the FTC has ended up with about ten to fifteen consent decrees each year – and that number has been fairly consistent. Writing for InsideCounsel, Janis Kestenbaum, a former FTC attorney and now a partner at Perkins Coie, speculated, “While the transition to the Trump Administration creates significant uncertainty, it is likely that the FTC in the Trump years will continue with an active privacy agenda. The FTC is known as a consensus-oriented independent agency that does not dramatically change direction with shifts in political leadership—as reflected by the history of the FTC’s privacy program itself.”
4. International and state privacy law pressures will keep the FTC’s current role intact.
Some might wonder if the Trump Administration would want to push the FTC out of the privacy and security space for the benefit of companies. Wouldn’t corporations see this time as a great opportunity to get the FTC off their backs?
We actually think that the status quo with the FTC greatly benefits companies compared to likely alternatives. Upsetting the balance will create a void that would in the long run likely prove to be worse for companies.
Suppose the FTC were to see its privacy and security enforcement significantly diminished. The EU would not sit idly by given this void. Enforcement of Privacy Shield depends upon FTC enforcement. The FTC and the U.S. Department of Commerce have devoted years of work to convince EU regulators that the US has meaningful privacy protection based upon FTC enforcement. All that would be lost.
Certainly, some way of data transfer mechanism would exist between the US and EU, but without a vigorous FTC, there would be more regulatory hoops to jump through and more time and expense to do so.
And don’t expect a diminished FTC to just leave an open void. Nature abhors a vacuum. States like California would start to become more aggressive in their lawmaking and enforcement. Many states have their own laws patterned on the FTC Act, and state attorneys general might start stepping into the void. As the FTC’s enforcement has generally been conservative, it likely will be the case that those entering into the void will be more progressive in enforcing.
True, in the short term, there might be a void if the FTC were to be pushed out of privacy and security enforcement, but in the long term, companies will not find themselves freed of regulation and enforcement. The situation will likely be worse.
We think that companies with a long-term view, especially large multinationals, will recognize that weakening the FTC is not the right strategic move. So they likely won’t be lobbying hard to knock the FTC down a few pegs. While some change is certainly coming for the FTC, the Commission will likely be relatively stable compared to other changes we’ll see in the next four years.
Some of our Previous Work on the FTC
The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (2013)
The Scope and Potential of FTC Data Protection, 83 George Washington Law Review 2230 (2015)
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter (2x per month).
TWITTER: Follow Professor Solove on Twitter.