May 25, 2022

Volume XII, Number 145

Advertisement
Advertisement

May 24, 2022

Subscribe to Latest Legal News and Analysis

May 23, 2022

Subscribe to Latest Legal News and Analysis

FTC 2022 Regulatory Priorities to Include Privacy and Security

As we look to 2022, a question on many companies’ minds is what actions we will see from the FTC. Two recent developments are important on that front.

First, the FTC recently signaled its intent to initiate rulemaking on issues of privacy and security. The Commission indicated that it wants to curb lax security practices and limit privacy abuses. It is also interested in making sure that algorithmic decision-making does not result in unlawful discrimination. The FTC signaled this intent through an Advanced Notice of Proposed Rulemaking, which has a deadline of February 2022. At that time, interested parties can respond to the proposed rulemaking and provide suggestions or alternative methods for achieving the objectives. The FTC may then decide to begin its rulemaking process.

Second, the FTC recently published its annual Statement of Regulatory Priorities. This statement provided updates on a number of different priorities, including several relating to privacy and security. Topics included issues relating to the collection of information from children, health care privacy, and privacy and data security for those in the financial services space. Each are summarized below:

  • Children’s Online Privacy Protection Act (COPPA). FTC staff are reviewing public comments submitted in response to the agency’s 2019 request for comment to its COPPA Rule.  The FTC had requested comment on all major provisions of the COPPA Rule. For example, definitions and the notice and parental-consent requirement. This also includes exceptions to verifiable parental consent and the safe-harbor provision.

  • Health Breach Notification Rule (HBNR). The Commission initiated a periodic review of the HBNR in May 2020. The comment period then closed in August 2020. The staff intends to submit a recommendation to the Commission by January 2022. In light of some of the controversial and new interpretations to this rule released in 2021, additional clarity about the scope of the rule will be welcomed by industry.

  • Identity Theft Rules. FTC staff is reviewing the public comments to the Identity Theft Rules and anticipates sending a recommendation by January 2022. The Identity Theft Rules includes the Red Flags Rule and Card Issuer Rule.

  • Safeguards Rules. In October 2021, the Commission updated the GLBA Safeguards Rule, providing additional requirements for security programs. It also announced the issuance of a Supplemental Notice of Proposed Rulemaking. That notice sought comment on whether financial institutions should be required to report certain data breaches and other security events to the Commission.

  • Fair Credit Reporting Act Rules (FCRA). On September 8, the FTC approved final revisions that would bring several rules implementing parts of the FCRA in line with the Dodd-Frank Act.

The Commission’s plan to take up additional privacy rulemaking in the new year is unsurprising in light of its vote earlier in the summer to streamline the rulemaking process under Section 18 of the FTC Act. Those changes included giving the FTC chair oversight authority and removing some of the public comment periods

Putting it into PracticeThese rulemaking initiatives may add further complexity in 2022, especially as companies begin to prepare for forthcoming laws in ColoradoVirginia, and updates in California.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 356
Advertisement

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement
Advertisement