The following article was contributed by Stacey Brandenburg, shareholder, and Marc Zwillinger, founder and managing member at ZwillGen PLLC.
Privacy remains a hot issue in 2022, particularly as companies prepare for compliance with various state privacy laws and Congress examines tech companies’ data collection and use practices.
In the alternative data space, we typically focus on the Securities and Exchange Commission’s activities. However, another federal regulator – the Federal Trade Commission (FTC) – oversees many data sources, and its 2022 priorities may profoundly affect the availability of alternative data.
With no disrespect intended for other state and federal agencies, the FTC is the nation’s top regulator on U.S. federal privacy and data-related issues, and its recent public statements signal an assertiveness and urgency that companies are likely to feel this year through increased enforcement activities, new rulemakings, and a greater public presence. We anticipate that these activities will impact some alternative data sources or, at a minimum, influence the diligence considerations for consumer-soured data, such as apps.
Here are three trends to watch — (a) Topics; (b) Tools; and (c) Tech.
The FTC has yet to directly address the alternative data industry by name, but its privacy enforcement actions and policy initiatives signal increased attention to the adequacy of consent for consumer data, especially where the data is used for an unexpected or less-implicit purpose.
The FTC’s 2021 PrivacyCon opened with strongly-worded concern around current data-collection and sharing practices, urging data minimization to “ensure that companies can collect only the information necessary to provide consumers with the service on offer…” See Opening Remarks by Commissioner Slaughter.
The conference also focused on the adequacy of privacy disclosures, risks around use of algorithms and dark patterns, the internet of things, and adtech. While the FTC’s concerns may be, in the first instance, around identifiable personal information, which excludes the content of many alternative data products purchased by the financial community, it still may scrutinize the process of obtaining the data and the transparency of the secondary use, which would directly affect data sources.
When considering what form enforcement in these areas might take, the FTC’s end-of-year settlement with OpenX, a prominent ad exchange, could be informative.
The FTC alleged that OpenX collected precise geolocation data from consumers without sufficient consent and failed to comply with the Children’s Online Privacy Protection Act. Among the more interesting statements in the complaint is that OpenX’s wrongful activities and misstatements about its privacy practices caused many other companies to make misstatements about their activities, including that they did not receive precise geolocation data. See, e.g., Paragraphs 44 and 45.
Although the FTC did not allege any misconduct by the companies that received data in good faith, reliance on OpenX’s representations about its privacy practices and similar issues may come up in vendor diligence and could have a trickle-down effect on available data sources. This is not entirely unlike the SEC’s App Annie case – in which the company’s misrepresentations to its data sources caused the promises App Annie made to its data recipients to be untrue. If data sources misdescribe their data collection process, it can cause difficulty for the entire data ecosystem.
The FTC, a bipartisan agency, traditionally achieved its consumer protection objectives through a combination of rulemaking, select and instructive enforcement actions, and educational or policy-oriented activities.
Recently, the Commission voted 3-2 to revise its rulemaking procedures and remove some of the procedural constraints, claiming that the changes would make it easier and faster to issue rules in relevant areas ranging from “data abuses to dark patterns to other unfair and deceptive practices…” The FTC contends that clearer rules will enable well-meaning companies to better comply with best practices.
This decision occurred, despite two Commissioner’s dissenting votes, and suggests an increasingly prominent divergence among Commission leadership. Taken in conjunction with the Commission’s Statement of Regulatory Priorities for privacy and competition in 2022, these statements suggest a roadmap for soon-to-be-issued or revised regulatory rules, including on information security topics such as the Identity Theft and Health Breach Notification rules.
The Commission also, partly in response to the loss at the Supreme Court regarding its penalty authority, has resurfaced its authority under the Notice of Penalty Offenses. In essence, the FTC is claiming the right to obtain civil penalties (up to $43,792 per violation) where it can show that
- a company knew conduct was unfair or deceptive in violation of the FTC Act and
- the FTC had already issued a written decision (regarding a third party) that such conduct is unfair or deceptive.
To lay the groundwork for exercising this authority, the FTC has been sending hundreds of letters to companies noting conduct that would violate the FTC Act, focusing so far on endorsements, and certain educational and money-making activities. We anticipate that the FTC will try to use this authority wherever possible, so it may be helpful to monitor those industries that receive notice letters in case they may impact your activities.
Tempering all this, however, is a pending challenge to the FTC’s Administrative processes that has been taken up by the Supreme Court. In a fairly surprising move, the Supreme Court granted review in the Axon Enterprises v. FTC case in which a police body camera manufacturer sued the FTC in federal court, arguing that the FTC’s administrative enforcement process – a process by which it can bring claims against entities for violating the FTC through its own administrative forum, with the FTC Commissioners serving as the ultimate authority – violated due process and that the FTC’s entire agency structure is unconstitutional.
These claims were initially denied by lower courts, which ruled that the challenger (here, Axon) first had to pursue these claims within the very FTC process it was alleging to be illegal (a process known as claim exhaustion). The Supreme Court’s grant of review suggests that it is likely to reverse the lower court’s decision, thus allowing the constitutionality of the FTC to be challenged in some future action in the lower courts. This development may put some countervailing pressure on the FTC to take on less controversial actions in 2022 in an effort to preserve its own authority.
In recent years, the Commission has taken a more aggressive look at technology companies and the role they play in society, including in market competition. FTC Chair, Lina Kahn, articulated a similar charge in her Vision and Priorities for the FTC.
She also made an interesting comment, more broadly for those in the investment space than about alternative data specifically. She stated, “[T]he growing role of private equity and other investment vehicles invites us to examine how these business models may distort ordinary incentives in ways that strip productive capacity and may facilitate unfair methods of competition and consumer protection violations.”
While this comment does not appear to link to data collection or privacy issues as directly as some of the other comments noted above, it is a signal that the FTC seeks to scrutinize all aspects of the marketplace in achieving its 2022 agenda, and regardless of where one fits in the ecosystem, it will be helpful to pay attention.
In sum, this year is likely to be a significant one for the FTC, both on account of its robust agenda and the external challenges to its process and structure. Additionally, the FTC’s actions may offer a roadmap for other regulators, especially state Attorneys General, on various issues. Ultimately, even if the FTC does not regulate your activities and historically has not been on prominent on your radar, you might want to keep a closer watch on them in 2022.
Stacey Brandenburg advises clients on privacy, data security, and a range of emerging technology and data-related issues. A veteran of the Federal Trade Commission’s Division of Privacy and Identity Protection, Stacey regularly represents companies in FTC investigations involving Section 5 of the FTC Act, endorsement and testimonial guidelines, and the Children’s Online Privacy Protection Act. She also helps clients navigate State Attorneys General inquiries regarding consumer protection laws, and has favourably negotiated resolutions of these matters.
Marc Zwillinger is the founder and managing member of ZwillGen PLLC. Marc counsels on issues related to the laws governing Internet practices, including issues related to the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act, data privacy, use of alternative data for investment evaluation and fantasy sports and Internet gambling. He also helps Internet Service Providers and other clients with their compliance obligations pertaining to the use and disclosure of customer and subscriber information
Photo by Giammarco Boscaro on Unsplash