Privacy & Information Security Law Blog

On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.

In her remarks, Khan stated that the FTC has been focused on adapting its existing authority to address and rectify unlawful data practices. She noted a few key aspects of the FTC’s current approach:

• The FTC focuses its “scarce resources to maximize impact,” with a particular focus on dominant firms with business practices that cause widespread harm and intermediaries that “may facilitate any unlawful conduct on a massive scale.”
• The FTC takes an interdisciplinary approach by “assessing data practices through both a consumer protection and a competition lens.”
• The FTC has been building up its team of technologists (including data scientists, user experience designers, AI researchers etc.) to work alongside skilled lawyers, economists and investigators to lead the FTC’s enforcement work.
• When addressing violations, the FTC focuses on “designing effective remedies that are informed by the business incentives that various markets favor and reward,” with the intention of “pursuing remedies to fully cure the underlying harm and deprive lawbreakers the fruits of their misconduct.” She cited the FTC’s recent settlement with WW International Inc. and Kurbo, Inc. as an example of such approach. Moreover, the FTC also is focused on ensuring that remedies “reflect the latest best practices in security and privacy.” She cited the FTC’s recent settlement with CafePress as an example, where as part of the proposed settlement CafePress must implement a comprehensive information security program, with measures such as multi-factor authentication.

Due to the “realities of how firms surveil, categorize and monetize user data in the modern economy,” however, the FTC is considering how it might need to update its approach. For example, the FTC is “considering initiating a rulemaking to address commercial surveillance and lax data security practices.” Khan stated that the FTC also needs to “reassess the frameworks it presently uses to assess unlawful conduct” and specifically expressed concern that “the present market realities may render the present notice and present paradigm outdated and insufficient.” Khan urged that, going forward, the FTC should approach privacy and data security protections by considering “substantive limits” rather than procedural protections. She reasoned that the latter tends to create “process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place.” Lastly, Khan stated that privacy legislation from Congress also may help “usher in this new paradigm shift” at the FTC.