News & Insights  |  Newsletters

Wiley Rein Spotlight Interview: Duane Pozza on the FTC’s Approach to Privacy

April 2019

Privacy in Focus®

In this Spotlight, partner Megan Brown interviews partner Duane Pozza about his views on the Federal Trade Commission’s approach to privacy.

Megan: I know you recently came to Wiley Rein from the FTC. What do you think of the FTC’s latest moves on privacy?

Duane: Well, the FTC has been busy. We’ve been following its latest hearings on Competition and Consumer Protection in the 21st Century, including its recent two-day hearing on privacy. By the Commission’s own account, the current hearings are designed to help the agency re-evaluate its approach to privacy. The agency has long been the primary privacy regulator for most of the economy –it issues reports with detailed recommendation on best practices, it engages in rulemaking in certain limited areas (like children’s privacy), and it brings enforcement actions. It put out a comprehensive report on privacy practices in 2012, but it’s now questioning whether technological change has undermined some of its conclusions.

Megan: Accounting for technological change is definitely a tricky issue. How does an agency like the FTC put out guidance on privacy issues when tech is constantly evolving?

Duane: It’s tough. The agency often focuses on high-level principles rather than tech-specific recommendations. But consumer expectations about data-sharing change all the time, and research tends to show that consumers are willing to share certain kinds of data if it means getting ad-supported services for free. And also, data that was collected for one reason may end up being useful for other purposes – in a way that’s helpful for the consumer. AI systems, for example, can analyze large sets of data for goals like improving public health, even though the data may not have been originally collected for that purpose.

Megan: What about enforcement? Some argue that the FTC has gone too far in bringing privacy and data security actions where it’s not clear that consumers have actually been injured by the alleged law violation.

Duane: The current Commission, led by Chairman Simons, has reiterated that it will “vigorously” enforce the law in the areas of privacy and data security. Privacy cases are often based on a theory that consumers have been deceived by a privacy policy or other statements about what information will be collected and shared. Data security cases often involve actions against a company that has suffered a breach, based on a theory that the company had “unreasonable” data security practices. The Chairman has noted that injury in these cases can be hard to quantify, but it appears the Commission will continue to pursue them.

Megan: What other issues has the FTC signaled that it will take up in the near future?

Duane: The FTC has always focused on deceptive advertising, and it has signaled that it will look much more closely at social media, particularly when it comes to properly disclosing endorsements. It’s also stepped up enforcement in the area of financial technology – fintech – where it can enforce consumer protection laws against non-bank companies involved in financial practices. In fact, the agency is currently considering whether to impose additional data security requirements on those companies, under its Safeguards Rule. 

Megan: Many of the bills proposed in Congress would give the FTC more power in the area of privacy. If that happens, how do you think the FTC would use that power?

Duane: There does seem to be a trend in proposed federal legislation of giving greater authority to the FTC, though the scope of that varies by the bill. The Chairman has suggested that if the FTC is given greater rulemaking authority, it should be directed to implement what Congress wants, rather than rulemaking that would require the agency to make a bunch of complicated policy judgments and trade-offs. But, what Congress does remains to be seen. The agency certainly wants more funding, greater authority over certain entities like common carriers and nonprofits, and greater authority to impose penalties. If those end up included in any federal legislation, you can expect even more FTC policing on privacy and security issues in sectors all across the economy.   

© 2019 Wiley Rein LLP