It has been a while since we last gathered for one of the monthly public meetings of the Federal Trade Commission (FTC or Commission). Clearly, the monthly nature of the meetings is questionable, but then again, there are only so many policy statements that an agency can issue. When we last met in March 2023, former Commissioner Christine Wilson had just loudly announced her exit from the Commission and the agency had launched a few new studies that won’t see the light of day for quite some time. So we return to an agency that – for the first time in decades – has only Democratic commissioners and no Republicans.
And for today’s meeting, two items were on the agenda: a new policy statement on biometric information and some follow-up on the Health Breach Notification Rule.
First up on the agenda was the biometric policy statement. The FTC has already engaged in some law enforcement involving how companies use biometric data. Back in early 2021, the agency announced a case alleging that the developer of a photo app had made deceptive representations regarding how it used facial recognition technology. And in an earlier case, the agency had raised concerns about how user settings were used in connection with facial recognition technology. And for those keeping track more broadly, policy statements such as this one are not legally binding and are often issued without the benefit of valuable public input.
So what does the new policy statement tell us about how the FTC is approaching the broader issues of how companies use and share biometric data? Well, the statement was voted out unanimously, and it not only cautions against false or misleading claims, including with regard to the accuracy and fairness of the product, but also addresses any unfair practice that “causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.” What exactly does that mean in this context? The policy statement includes a non-exhaustive list of six factors the FTC may consider:
- Failing to assess foreseeable harms to consumers before collecting biometric information.
- Failing to promptly address known or foreseeable risks.
- Engaging in the surreptitious and unexpected collection or use of biometric information.
- Failing to evaluate the practices and capabilities of third parties.
- Failing to provide appropriate training for employees and contractors.
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale or uses in connection with biometric information.
At the meeting, the commissioners all supported the issuance of the statement and provided a few thoughts. Chair Lina Khan noted that the flexible nature of the FTC Act allows it to reach new technologies such as those considered here and allows the FTC to take action even before consumers are harmed. Commissioner Rebecca Slaughter and Commissioner Alvaro Bedoya both emphasized that the FTC is particularly concerned with the discriminatory impacts of this technology, given its potential for bias. Bedoya went a step further, noting that companies need to measure their technology’s potential bias and its impact prior to releasing it, reiterating a similar point made by Khan. As evidenced by the commissioners’ comments and the language of the policy statement itself, the Commission is focused on what it views as unfair acts even before harm to consumers occurs. How can you determine that a practice is likely to cause substantial harm if it hasn’t actually caused harm yet? This may be straightforward when it comes to adequate cybersecurity controls, given the known risk of data breaches, but it will be interesting, and contentious, to see how the Commission applies these principles more broadly in untested areas.
For the second item on the agenda, we first return to 2020, when the FTC initiated a rulemaking regarding the Health Breach Notification Rule. Back then, the FTC had stated that the rule “requires vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.” That narrow reading of the rule purportedly changed in September 2021, when a divided Commission issued a policy statement arguing that the rule had much broader applicability and would apply to most health and wellness apps. Concerns were raised that, rather than issuing a policy statement, the Commission should have spent its time moving forward with the rulemaking, and that time has apparently arrived.
At the meeting, the Commission unanimously voted for a Notice of Proposed Rulemaking that provided text for a revised Health Breach Notification Rule. In short, the revised rule would clarify the technologies and entities covered by the rule, facilitate electronic breach notices to consumers, and expand the required content of the notices. The FTC press release indicates that the comment period will be open for 60 days.
During the meeting, the commissioners reiterated their concerns regarding how health data is being broadly collected and shared. All the commissioners indicated in their statements that the burden of privacy protections should be shifted from the consumer to the companies collecting the information. Khan pointed to how previous FTC cases go beyond requiring notice and consent – the latter of which she called a fiction – to requiring substantive protections from companies and bright-line rules to regulate them.
And, of course, the meeting did kick off with two-minute comments from members of the public. Today’s topics of concern included a proposed FTC order that would prohibit a company from monetizing the data of users under age 18 as well as the regulation, or current lack thereof, of artificial intelligence.