Deeper Dive: FTC Continues Aggressive Privacy Path in 2024 – But Don’t Forget This Rulemaking

In 2024, we saw a staggering number of privacy actions by the Federal Trade Commission (FTC or Agency), with a focus on the collection and sharing of health data, browsing and geolocation data, and children’s data. Today, we’ll take a look at some of the FTC’s notable privacy actions from the past few months and discuss what to watch for in the coming months.

The FTC continues to closely examine the collection of health data, how companies obtain consent to use and share health data, and what information consumers are told about the use of that health data. The agency is taking a particularly close look at whether and how that data might be used for targeted advertising. And we’re seeing similar cases on the geolocation side, with a close look at how companies obtain consent and provide information to consumers about the collection and use of that geolocation data.

Browsing data was also the subject of a recent law enforcement action against Avast. In February, the agency continued its crackdown on “bulk data collectors” as part of a settlement with software vendor Avast. The agency demanded that the company pay $16.5 million and, significantly, prohibited Avast from selling or licensing any web browsing data for advertising purposes. The agency alleged that Avast and its subsidiaries sold detailed consumer web browsing data to third parties after promising consumers that their products would do the opposite and protect consumers from online tracking. The FTC’s specific claims included allegations that Avast unfairly collected consumers’ browsing information through browser extensions and antivirus software, stored the data indefinitely, and sold the data without proper notice and without consumer consent. The FTC also alleged that Avast deceived users by claiming that its product blocked third-party tracking but failed to properly inform consumers that it would sell their detailed, re-identifiable browsing data. This settlement follows earlier actions against two data aggregators alleging that they improperly handled consumer location data and further underscores the FTC’s focus on protecting confidential location and geolocation data.

One case we’re following closely is the ongoing litigation against Kochava; that is, the FTC alleges that Kochava engaged in an unfair practice by allegedly collecting and disclosing to third parties geolocation data and other confidential consumer information. FTC privacy cases are rarely litigated, and this is a significant case in which the court is assessing the limits of the FTC’s authority to assess unfairness. The FTC’s lawsuit survived a second motion to dismiss, and the complaint was recently amended to name a Kochava subsidiary. Notably, Commissioner Holyoak issued a statement supporting the case and the FTC’s focus on geodata. As we consider what might happen to the FTC in the next few months and into 2025, Commissioner Holyoak’s statement deserves careful consideration.

As we consider the rest of 2024, let’s not forget the 2022 Advanced Notice of Proposed Rulemaking (ANPRM) on commercial surveillance, which the FTC announced with great fanfare. We haven’t really heard anything about it for the past two years, and last month, 30 consumer and privacy groups also wondered what was going on and sent the FTC a letter urging the agency to issue a proposed rule. The FTC has not yet responded, but we expect to see some movement on this ANPRM in the near future. To be clear, the FTC doesn’t have to issue a massive rule that addresses all of its concerns about how data is used for marketing purposes and the dozens of other topics that were raised in the ANPRM. It’s more likely that the proposed rule would address a subset of the agency’s concerns. Given the current composition of the FTC, we can also safely assume that the vote on such a rule would be along party lines.

And the latest enforcement action against NGL Labs shows that the FTC is still focused on teens as well as children. In July, the agency, along with the Los Angeles County District Attorney’s Office, announced a settlement against NGL Labs, LLC and two of its co-founders over their anonymous messaging app. The settlement included a $5 million cash payment and an injunction barring the company from marketing their “NGL: ask me anything” app to children and teens under 18. The numerous allegations in the case included that the defendants falsely claimed that their AI content moderation program filtered out cyberbullying and other harmful messages targeted at children and teens, and that the app caused fake messages to be sent to users.

Of course, the recent decision of the Supreme Court in the case Loper Light will have some impact on the FTC’s privacy agenda, particularly when it comes to areas where the FTC is expansive in how it interprets its authority or jurisdiction. Loper LightThe Supreme Court overturned Chevron doctrine that generally held that when a statute is ambiguous, a court will defer to a reasonable interpretation provided by an appropriate administrative agency, such as the FTC. Although Chevron has not been cited frequently in FTC case law, will be important as the FTC continues to engage in aggressive rulemaking like the ANPRM. It could also become an issue if, for example, the FTC’s recent amendments to the Health Breach Notification Rule are challenged, especially given that both of the new Republican commissioners have expressed concerns about the FTC’s broad interpretation of its own authority.

Finally, we shouldn’t rule out the possibility that Congress will surprise the FTC with additional authority. Congress is still considering national privacy legislation, and there has been significant movement on the children and teen front. In late July, the U.S. Senate voted to advance a proposed bipartisan bill combining the proposed Kids Online Safety Act (KOSA), the Children and Teen’s Online Privacy Protection Act (COPPA), and the Filter Bubble Transparency Act. Each piece of legislation is designed to address online safety goals for different age groups. COPPA 2.0 covers children under 17, while KOSA covers children under 13. Both statutes would provide additional protections for children and additional authority for the FTC.

Of course, what happens in the election with less than 100 days left will have a huge impact on the direction the FTC takes in 2025. But we’ll leave that for a future blog.

(Show source.)