CPW has been tracking Federal Trade Commission (“FTC”) activity in the realm of privacy and cybersecurity in 2021. Last Friday, the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” Although unsurprising, this development is extremely significant and posed to reshape the regulatory landscape going forward.
By way of reference, under Section 18 of the FTC Act, 15 U.S.C. Section 57a, the FTC is authorized to prescribe “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce” as described within Section 5(a)(1) of the Act. Among other things, the statute requires that the FTC’s rulemaking proceedings provide an opportunity for informal hearings at which interested parties are accorded limited rights of cross-examination. Moreover, before commencing a rulemaking proceeding, the Commission must have reason to believe that the practices to be addressed by the rulemaking are “prevalent.” 15 U.S.C. Sec. 57a(b)(3). As such, in contrast to rulemaking under the Administrative Procedures Act (“APA”), rulemaking under Section 18 of the FTC Act has been heavily constrained and infrequently used. The FTC has completed the Section 18 rulemaking process only seven times since the law was enacted in 1975.
In July of this year the FTC voted to update its rule making procedures to streamline its process under Section 18. This was in large part a response to the Supreme Court’s ruling in AMG Capital Management, LLC v. Federal Trade Commission that courts could not award refunds to consumers in FTC cases brought under Section 13(b) of the FTC Act (which had been relied upon by the FTC for decades to collect billions of dollars from wrongdoers). This decision shifted the FTC’s attention to Section 18 as an alternative vehicle to seek redress and other relief on behalf of consumers. However, notwithstanding these new measures, the FTC cannot override the statutory limits on rulemaking embedded in Section 18.
There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice. For instance, as seen in an April 2021 release the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduce[e] bias or other unfair outcomes” to medicine, finance, business operations, media, and other sectors. In addition, the FTC declared algorithmic and biometric bias as a focus of enforcement in resolutions passed this Fall. The Notice builds upon this focus, with its reference to “unlawful discrimination” likely signaling rulemaking directed at AI. Separately, since 2002 the FTC has brought nearly 100 cases against companies that have engaged in unfair or deceptive practices involving inadequate protection of consumers’ personal data. Clarification on what constitutes “reasonable and necessary” cybersecurity measures may also result.