If the Federal Trade Commission were a major-league baseball team, it would be fair to see 2022 as the year it regains its privacy powers. On the other hand, 2023 could be the season that marks the FTC’s long-awaited return to its winning streak as a privacy authority.
The FTC has spent 2022 recalibrating after its privacy plan failed due to low morale, conflicting views and a lack of resources.
To be clear, the FTC is still underfunded, but 2023 could still be an extremely productive year for the privacy watchdog. The strengthening of the Federal Trade Commission with a deadlocked group of commissioners could reach new heights, especially with the possible passage of new privacy rules and bipartisan support for proposed federal privacy legislation
2023 could be a landmark year for the Federal Trade Commission’s law enforcement efforts, particularly in the areas of algorithmic enforcement, children’s online privacy, unfair data processing and deceptive digital patterns.
Legal practitioners should be aware of a new trend from the Federal Trade Commission: using the disgorging algorithm as a powerful deterrent against illegal data collection and as a powerful tool for consumer redress in 2023.
Algorithmic disgorging, which involves the destruction of AI-based algorithms, is a legal tool used by the FTC to require companies to give up the “fruits” of illegally obtained data, including the very algorithms developed or used with such data. Armed with this veritable weapon of enforcement, the FTC has shown resourcefulness in using its privacy powers to punish companies for allegedly deceptive data practices.
Any baseball enthusiast — or privacy professional — should be impressed with the agency’s 3-for-3 record of securing injunctions against companies investigated for developing artificial intelligence models or algorithms using allegedly tainted, illegally obtained data. The latest evidence of this is the FTC’s March 2022 settlement with WW International, formerly Weight Watchers, which follows earlier algorithm-related settlements with Everalbum in 2021 and Cambridge Analytica in 2019.
In a particularly ingenious maneuver, the FTC demanded the removal of all illegally obtained data that WW International allegedly obtained from children without their parents’ consent, and demanded the destruction of any algorithms trained, derived or developed from such data, along with a hefty civil penalty of 1, 5 million US dollars.
While questions remain about exactly how the FTC will implement and monitor disgorging algorithms, these recent settlement precedents suggest that the agency will continue to pursue companies that deceive consumers by illegally collecting personal data in inventive ways. Since the Supreme Court in 2021 removed the FTC’s ability to obtain equitable monetary relief under Section 13(b) of the FTC Act in AMG Capital Mgmt. v. FTCit is clear that the FTC will likely use this non-monetary mechanism to seek redress for aggrieved consumers in the future.
Aggressive “unfair” application
In 2023, the FTC is also likely to continue to make aggressive political claims and increase its “unfairness” enforcement under Section 5 of the FTC Act.
In May, the agency published an interesting blog post that argued that Title 5 could require companies to notify individuals of a breach of their personal data, even if there is no specific breach notification requirement under state or other federal data breach laws. A bit out of left field, the post explained that failure to provide breach notices can “increase the likelihood that parties will be harmed” and that in such cases the FTC Act creates a “de facto breach disclosure requirement.”
This is somewhat notable, but also in line with the FTC’s tendency to issue confusing and opaque guidance, which I previously wrote about regarding the agency’s ambiguous “dark patterns” guidance. Ironically, however, this vagueness can serve as a useful tool, giving the agency some policymaking flexibility and giving it relatively broad discretion in identifying potentially unfair or deceptive breach notification practices.
In 2022, the FTC similarly demonstrated an increasingly aggressive stance against “unfair” data security practices. Under Section 5’s “bad faith powers,” the agency can use its ability to enforce a greater scope of wrongful conduct through data privacy and security enforcement. In 2023, expect the FTC to continue to establish strong precedent in this area that will protect the agency from potential constitutional challenges to its authority.
“Advanced” application of dark templates
According to Forward-Looking Enforcement Trends, practitioners should expect the FTC to “step up” its enforcement efforts in 2023 targeting digital dark patterns, challenging the legitimacy of these deceptive interfaces that are prevalent in mobile apps, websites, and e-commerce. platforms.
The Federal Trade Commission (FTC) announced these increased controls in a September staff report, Detecting Dark Patterns. The report clarified many of the ambiguities and ambiguities presented in the agency’s negative option marketing policy statement, cited applicable precedents and case law regarding the FTC’s continued use of dark templates, and delved into how deceptive digital templates can undermine, manipulate, or cloud consumer choice.
While this is not mandatory guidance, the staff report demonstrates how strongly the FTC considers the enforcement of dark patterns to be a key priority. The companies said the agency intends to strongly back its bold enforcement claims, particularly regarding dark patterns designed to manipulate children and teens. And as recently as this November, the Federal Trade Commission imposed a dark-patterning permit order, fining telecom service Vonage $100 million for the company’s illegal use of littering fines and near-impossible reversal options.
New privacy rules
If Congress passes the American Data Protection and Privacy Act in 2023, it will dramatically change the FTC’s privacy rules. As currently drafted, the ADPPA would give the FTC new rulemaking authority and would clearly designate the agency as the primary enforcement agency.
But regardless of whether such federal legislation passes, the Federal Trade Commission has shown more plans for an aggressive data privacy and security agenda with the release of its latest rulemaking, covering all of its bases. The new Advance Notice of Proposed Rulemaking covers most industries and addresses a range of online data processing practices, including harm to children, algorithmic discrimination, and possible expansion of protections.
Overall, in 2023, practitioners should see a strong, aggressive Federal Trade Trade (FTC) that focuses on key privacy priorities and plays hardball in scrutinizing and policing the data security and privacy breaches covered by its mandate.
Access additional analysis from our Bloomberg Law 2023 series here, covers trends in litigation, transactions, ESG and employment, technology and the future of the legal industry.
Users who subscribe to Bloomberg Law can find related how-to guides, tools for tracking new laws, and detailed reference materials on our site. Data Privacy and Security Practice Center resource.
Top privacy and cybersecurity experts talk about how to keep up with changing compliance standards at Bloomberg Law 2022 Internal Forumnow available on demand to all readers who register online.
If you’re reading this on a Bloomberg terminal, please run BLAW OUT