Deeper Dive: FTC in 2024 Continues Aggressive Privacy Path – But Don’t Forget About that Rulemaking

08/02/2024|4 minute read

We have seen a dizzying amount of Federal Trade Commission (FTC or Agency) enforcement on the privacy front in 2024, with a heavy focus on the collection and sharing of health data, browsing and geolocation data, and children's data. Today we are going to explore some of the significant FTC privacy developments from the past few months and discuss what to keep an eye on in the months ahead.

The FTC continues to closely scrutinize the collection of health data, how companies are obtaining consent for the use and sharing of health data, and what the consumer is told about the use of that health data. The Agency is looking particularly closely at whether and how that data might be used for targeted advertising. And we are seeing similar cases on the geolocation side, with a close examination of how companies are obtaining consent and providing information to consumers about the collection and use of that geolocation data.

Browsing data was also the focus of a recent law enforcement action against Avast. In February, the Agency continued its crackdown on "mass data collectors" in its settlement against software provider Avast. The Agency required the company to pay $16.5 million and, significantly, prohibited Avast from selling or licensing any web browsing data for advertising purposes. The Agency alleged that Avast and its subsidiaries sold granular consumer web browsing data to third parties after making promises to consumers that its products would do the opposite and would protect consumers from online tracking. The FTC's specific claims included allegations that Avast unfairly collected consumers' browsing information through the software's browser extensions and antivirus software, retained the data indefinitely, and sold the data without adequate notice and without consumer consent. The FTC also charged that Avast deceived users by claiming that their product would block third-party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. This settlement followed the earlier actions against two data aggregators, which related to allegations of the mishandling of consumers' location data and further emphasizes the FTC's interest in protecting sensitive location and geolocation data.

The case we have been watching most closely is the ongoing litigation against Kochava; that is the matter where the FTC is alleging that it was an unfair practice for Kochava to allegedly collect and disclose to third parties geolocation and other sensitive information about consumers. FTC privacy cases rarely litigate, and this is a significant case where a court is evaluating the outer bounds of the FTC's unfairness authority. The FTC action survived a second motion to dismiss, and the complaint was recently amended to name a subsidiary of Kochava. Notably, Commissioner Holyoak issued a statement supportive of this case and of the FTC's focus on geo data. As we ponder what might happen to the FTC over the next few months and into 2025, Commissioner Holyoak's statement warrants close consideration.

As we consider the rest of 2024, let's not forget the 2022 Advanced Notice of Proposed Rulemaking (ANPRM) on commercial surveillance that the FTC announced to great fanfare. We really haven't heard anything about it in the past two years, and indeed, just last month 30 consumer and privacy groups were also wondering what was going on and sent the FTC a letter urging the Agency to put out a proposed rule. No response yet from the FTC, but we would anticipate seeing some movement relating to that ANPRM in the near future. To be clear, the FTC does not need to put out a huge rule that addresses all of its concerns about how data is used for marketing and the other dozens of topics that were raised in the ANPRM. It is more likely that a proposed rule would address a subset of issues of concern to the Agency. And given the current composition of the FTC, we would also safely guess that the vote for such a rule will be along party lines.

And the recent enforcement action against NGL Labs demonstrates the FTC's continued focus on teens as well as children. In July, the Agency, together with the Los Angeles District Attorney's Office, announced a settlement against NGL Labs, LLC, and two of its co-founders related to their anonymous messaging app. The settlement included a $5 million monetary payment plus a ban against offering their "NGL: ask me anything" app to children and teens under the age of 18. The numerous allegations in this matter included that the defendants falsely claimed that its AI content moderation program filtered out cyberbullying and other harmful messages to children and teens, and also that the app caused fake messages to be sent to users.

Of course, the Supreme Court's recent decision in Loper Bright will have some impact on the FTC's privacy program, particularly when it comes to areas where the FTC is being expansive in how it interprets its authority or jurisdiction. In Loper Bright, the Supreme Court struck down the Chevron doctrine, which stood generally for the proposition that when a statute is ambiguous, a court would defer to a reasonable interpretation set forth by the applicable administrative agency, such as the FTC. Although Chevron was not cited frequently in FTC jurisprudence, it will be relevant as the FTC continues to engage in aggressive rulemaking, such as the ANPRM. It also may become an issue if, for example, the FTC's recent amendments to the Health Breach Notification Rule are challenged, particularly given the fact that both of the new Republican commissioners raised concerns about the FTC's broad interpretation of its own authority.

And finally, we shouldn't rule out the possibility of Congress surprising the FTC with additional authority. Congress continues to consider national privacy legislation, and there has been substantial movement on the children's and teen's front. In late July, the U.S. Senate voted to pass the proposed bipartisan bill combining the proposed Kids Online Safety Act (KOSA), the Children and Teen's Online Privacy Protection Act (COPPA), and the Filter Bubble Transparency Act. Each piece of legislation sets out to accomplish online safety goals for different age ranges. COPPA 2.0 covers children under age 17, while KOSA applies to children under 13. Both statutes would provide additional protections to kids and additional authority to the FTC.

Of course, what happens in the election, which is less than 100 days away, will have an enormous impact on where the FTC goes in 2025. But we will save that for a future blog.

Public link

Please use the above public link if you want to share this noodl on another website.