Keynote address delivered at the October 16, 2020 conference of New York University School of Law’s Program on Corporate Compliance and Enforcement, titled, Confronting Cybersecurity and Data Privacy Challenges in Times of Unprecedented Change.
Over the past year, our entire world has shifted. How we work, how we connect, how we learn, and how we shop have all changed. These changes were abrupt, unwelcome, and in many instances devastating. I am by nature an optimistic person, but it is hard to use the term “silver lining” in connection with events that have threatened or stolen the health and livelihoods of so many. Instead, I think often of Mary Oliver’s famous words: “Someone I loved once gave me a box full of darkness. It took me years to understand that this too, was a gift.”[2] When I think of the darkness that this year has given us, I draw the most hope from the awakening across so many spheres of life that things must change. My mother used to joke that my motto should be “change is bad,” because I am personally so resistant to change; to be clear, this was not a compliment. But my personal and our collective resistance to trying new approaches is, thankfully, waning. In the years to come, I hope that this collective opening up to change is the gift we bear forward out of today’s darkness.
As a Commissioner at the FTC, I want to embrace this openness to change and commit to exploring new approaches across our mission areas. And I want to focus my remarks today on opportunities for change in how we approach data privacy enforcement. To maximize the FTC’s enforcement effectiveness in data privacy, there are three areas in which I believe we need to shift our approach: (1) remedies, (2) case prioritization, and (3) more comprehensive use of our existing authority.
I. Improving the Effectiveness of Our Remedies
In enforcing data privacy, the Commission does not have the most straightforward tools. The FTC has done an impressive job of attempting to curb the worst abuses in this space without the benefit of a federal privacy law, civil penalty authority, or anywhere near the dollars or the bodies that other countries devote to data privacy protection. The FTC relies primarily on its general consumer protection authority and its litigated and stipulated enforcement resolutions to create what is essentially a common law of U.S. data privacy enforcement. Because so much of our enforcement regime hinges on these resolutions, the remedies we are able to achieve form the bedrock of our data privacy authority.
As such, I believe that the Commission must be engaged in a constant assessment and refinement of the remedies that we seek, to ensure that we are reaching the strongest possible outcome for consumers in every case we pursue. When I think about where the Commission should focus in crafting more effective remedies, I have several priorities.
Focus on Specific and General Deterrence
First, the FTC must ensure that its orders achieve both specific and general deterrence against future law violations.[3] By that I mean that the resolution to an enforcement action should both chill future violations by the particular defendant and send a signal to the market that the violative conduct is not worth the risk. This approach requires a careful analysis of the specific facts of each case and a nuanced understanding of the market or industry in which the law violator competes—there is no one-size-fits-all remedy. Meaningful remedies can include some combination of injunctive relief, monetary payments, notice to wronged consumers, admissions of liability, and corporate accountability measures.
One change at the FTC that could help improve our ability to achieve meaningful deterrence is to reexamine the focus of our Bureau of Economics in consumer protection cases. Our economists routinely help assess consumer harm, but I would like to see them also devote time to estimating the full range of benefits that accrue to companies from the actions and inactions that give rise to law violations. Those benefits include growth, opportunity, goodwill, and competitive advantage, among others. Our economists should focus their efforts on calculating the requisite remedy that would ensure that individual defendants avoid risking future violations and that the market concludes that the defendant’s action or inaction is not profitable. Additionally, we know that some harms are neither quantifiable nor felt immediately by individual consumers—increased research and scholarship regarding the long-term risks and costs to consumers, markets, and society from data collection, manipulation, and abuse would be welcome.
Increasing Corporate Accountability
Second, for compliance to be lasting, FTC investigations and remedies must also be structured to increase corporate accountability. In many ways, our data privacy orders already seek to do this by imposing requirements that companies adopt data security programs and undergo third-party assessments.[4] But there are two areas in which I think the FTC should refine its approach to further incentivize corporate accountability for data privacy practices: expanding our imposition of individual accountability and increasing transparency requirements.
Investigating the role of corporate executives and, where appropriate, naming them in a complaint can go a long way toward increasing accountability. That is not to say that I believe every case requires naming individual defendants. To establish liability, the FTC must show that the individual defendant directly participated in the illegal practices or had authority to control them. I believe that this is a threshold inquiry that we should make in all cases: Our investigations should include questions to determine the involvement of senior leaders in the alleged wrongdoing and the internal compliance culture that allowed the wrongdoing to occur.[5]
If the legal threshold for liability is met, enforcement teams should evaluate whether naming senior leaders is necessary for a resolution to achieve specific and general deterrence and ensure ongoing compliance. In making this determination, I am particularly interested in the extent to which the alleged law violations permeated a core aspect of the business and whether executive accountability would incentivize a change in corporate culture.
Another way to use our remedies to increase corporate accountability is to require greater transparency from companies that are under order. There are a range of ways we can foster increased transparency, including by requiring that data privacy assessments be made public and requiring public reporting of consumer complaints and company responses. Additionally, in some instances, the FTC should consider requiring companies to establish whistle-blower protections and invite outside reporting to third-party monitors or assessors if employees feel problematic data security practices occur unabated.[6]
Help for Consumer Victims
Finally, in our efforts to craft remedies that protect future consumers by preventing repeat law violations, we must not forget to do all we can to help current victims. I believe all of our orders should include remedies designed to mitigate consumer harm. Across our consumer protection cases, the FTC seeks to provide monetary redress to consumers wherever possible—primarily in the form of repaying money lost. Fashioning an equitable remedy to provide monetary relief can be more challenging in data privacy actions, particularly where consumers spent little to no money to use the service that led to the law violation.
In some instances, our data privacy orders lack remedies that would directly help consumer victims. If monetary relief is not possible, consumers should still receive direct notice of the law violation, its possible impact, and any mitigation options available. If refunds and notice are both impossible, the Commission should employ creative approaches to mitigate consumer harm through admissions of liability, requiring opt-in regimes for existing customers, funding of education campaigns, disgorgement of data, or other creative solutions that might vary case by case.
II. Prioritizing Data Abuses
In addition to refining our approach to remedies, we must also critically examine how the Commission decides which enforcement actions to bring. Our data privacy enforcement efforts should prioritize conduct that inflicts the most harm on our most vulnerable consumers. When I talk about data privacy, I am including both the narrow view—have you kept my data safe?—as well as a broader view—are you using data in a way that is harmful and goes beyond my reasonable expectations?[7] Effective data privacy enforcement today must place as much emphasis on eliminating abusive data practices as we have traditionally placed on promoting data security. Two areas where I believe the Commission should focus its efforts to curb abusive data practices are AI-based decision-making and the use of data to increase levels of kid and teen engagement on social media platforms.
In a speech earlier this year,[8] I laid out my concerns about disparate data harms that can arise from artificial intelligence and machine learning. We know that, when the training data does not reflect population diversity, disparities get baked in to algorithms—“garbage in, garbage out” is a real problem, and so is “disparities in, disparities out.” As algorithms are given increasing decision-making power over essential human needs such as employment, health care, housing, and credit, we must be vigilant to ensure that outcomes are fair and just. Unfair practices in these areas can deprive vulnerable consumers of critical benefits and opportunities, and should be priorities for enforcement.
Another area in which I believe we need to be vigilant in stopping abusive data practices is in the use of data to increase kid and teen engagement on social media platforms.[9] It is critical for the Commission to use its expansive powers to study certain markets to develop a richer understanding of how data is used to target kids and teens and keep them online. We do not know enough about the strategies tech companies use to keep kids and teens online, and we certainly do not know enough about the effects these interactions can have in the long run. The Commission must do all it can to identify and eliminate abusive data practices that harm our kids and teens, including by turning them into addicts for profit.
III. Comprehensive Use of Current Authority
Striving to add additional priorities to our already over-extended resources and staff is not without its challenges. Indeed, the most dramatic change to the FTC’s data privacy enforcement will have to come from Congress in the form of increased resources and authority. I believe the FTC makes its strongest case for such expansion by using its current authority fully and creatively, including by dusting off overlooked or under-utilized tools. Two areas in which I believe we could expand the way we use our current authority are through the use of our unfairness authority and through the use of our Magnuson-Moss rulemaking authority.
Increased Use of Unfairness Authority
When you look at our history of pleading privacy law violations, we rely heavily on our deception authority. Very often defendants make promises to consumers about how they will treat consumer data and then break those promises. Our deception authority can be the cleanest and most efficient way to tackle such cases, and I expect we will continue to rely on it.
But the manner in which defendants treat our data is often also unfair. Failing to implement necessary safeguards is unfair,[10] and using or sharing data beyond what a reasonable consumer would expect is unfair. I believe we should be pleading unfairness in every case where we see such conduct, because it sends a unique and important signal to the market separate from a deception count: Failure to take proper care of consumer data is illegal even if you do not lie about it.
It can be more challenging to prove unfairness. We must demonstrate that the action or inaction causes significant injury that consumers cannot reasonably avoid and that this injury is not outweighed by countervailing benefits to consumers or competition. Proving that a company made a promise and broke it is obviously more straightforward. But the only way for the Commission to develop jurisprudence that defines what I think most consumers would agree are plainly unfair practices is for us to try. And if we try and fail—if courts determine that high risks of data exposure or data abuses are not significant injuries, or are avoidable, or are somehow justified by countervailing benefits—then the case for a federal privacy law that defines prohibited practices will be strengthened.
Reviving Magnuson-Moss Rulemaking
In addition to deploying our unfairness authority more frequently, I believe the Commission should also revive its Mag-Moss rulemaking authority and take steps to make it less burdensome. Unlike many of our sister agencies, the FTC does not have general authority to promulgate rules under the Administrative Procedure Act, which provides a relatively efficient mechanism for rules to be proposed with a notice in the Federal Register, commented on by the public, and then finalized after careful consideration of those comments. In the 1970s, Congress removed the FTC’s general ability to issue consumer protection rules under the APA; instead, that rulemaking authority is authorized by the Magnuson-Moss Act.
The procedures required to issue a rule under Mag-Moss are substantially more detailed than under the APA. Mag-Moss requires the additional steps of a pre-rulemaking advance notice and comment period, notice to Congress with attendant waiting periods, and public hearings with oral argument, among other logistical constraints. The Commission has shied away from extensive Mag-Moss rulemaking as not worth the trouble and from fear that the proceedings would not progress quickly enough to produce a timely and relevant rule. While the additional statutory burdens are significant, the Commission’s Rules of Practice compound the problem by imposing additional, unnecessary procedural hurdles that could be streamlined by Commission action.[11] With revised Rules of Practice, the Commission would be well positioned to initiate Mag-Moss rulemakings designed to curb problematic data abuses.
Conclusion
Each of the ways I have outlined for the Commission to consider recalibrating its approach comes with trade-offs. Tougher remedies may lead to fewer settlements and more litigation, limiting the number of enforcement actions we can pursue at any given time. Shifting our focus to prioritize certain data abuses will require either more staff or difficult decisions about which investigations to pursue. And embracing our unfairness authority while reviving our dormant rulemaking authority will demand careful strategy and valuable staff time that in the short term could otherwise be devoted to law enforcement actions. I cannot emphasize enough how additional resources and clear authority would strengthen our data privacy enforcement more than any other change. But one benefit of the strategies I have proposed is that by making better use of our current tools, we may be able to achieve more deterrence and therefore better consumer protection—even if we are bringing fewer cases. I also know that the Commission, like all of us right now, is capable of exploring and embracing change despite difficult conditions, especially to build a chance at better outcomes in the future.
Footnotes
[1] The views expressed in these remarks are my own and do not necessarily reflect the views of the Federal Trade Commission or any other commissioner.
[2] Mary Oliver, “The Uses of Sorrow,” Thirst (2007).
[3] See Dissenting Statement of Commissioner Rebecca Kelly Slaughter Regarding the Matter of FTC vs. Facebook, Fed. Trade Comm’n (July 24, 2019), https://www.ftc.gov/system/files/documents/public_statements/1536918/182_3109_slaughter_statement_on_facebook_7-24-19.pdf (PDF: 131 KB).
[4] See, e.g., Final Order, In re Lightyear Dealer Techs., LLC (Sept. 6, 2019), https://www.ftc.gov/system/files/documents/cases/172_3051_c-4687_dealerbuilt_decision_order.pdf (PDF: 61 KB) (ordering that any business that Respondent controls directly, or indirectly, shall not process personal information unless it establishes a comprehensive information security program).
[5] See Joint Statement Of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter Regarding the Matter of United States v. Musical.ly, Inc., Fed. Trade Comm’n (Feb. 27, 2019), https://www.ftc.gov/system/files/documents/public_statements/1463167/chopra_and_slaughter_musically_tiktok_joint_statement_2-27-19_0.pdf (PDF: 29 KB).
[6] See Concurring Statement of Commissioner Rebecca Kelly Slaughter Regarding the Matter of FTC vs. Equifax, Inc., Fed. Trade Comm’n (July 22, 2019), https://www.ftc.gov/system/files/documents/public_statements/1536660/commissioner_slaughter_statement_regarding_equifax_settlement_7-22-19.pdf (PDF: 45 KB).
[7] See Remarks of Commissioner Rebecca Kelly Slaughter, The Near Future Of U.S. Privacy Law, Silicon Flatirons—University of Colorado Law School (Sept. 6, 2019), https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf (PDF: 86 KB).
[8] See Remarks of Commissioner Rebecca Kelly Slaughter, Algorithms and Economic Justice, UCLA School of Law (Jan. 24, 2020), https://www.ftc.gov/system/files/documents/public_statements/1564883/remarks_of_commissioner_rebecca_kelly_slaughter_on_algorithmic_and_economic_justice_01-24-2020.pdf (PDF: 139 KB).
[9] See generally, Dissenting Statement of Commissioner Rebecca Kelly Slaughter in the Matter of Google LLC and YouTube, LLC, Fed. Trade Comm’n (Sept. 4, 2019), https://www.ftc.gov/system/files/documents/public_statements/1542971/slaughter_google_youtube_statement.pdf (PDF: 66 KB).
[10] I should note that three of our recent cases do include an unfairness count for failure to employ reasonable security practices: FTC v. InfoTrax (PDF: 94 KB), FTC v. Clixsense (PDF: 41 KB) and FTC v. Dealerbuilt (PDF: 66 KB).
[11] For example, the FTC could select presiding officers well situated to run an efficient rulemaking process and can remove self-imposed, additional comment periods.
Rebecca Kelly Slaughter is a Commissioner of the United States Federal Trade Commission.