December 4, 2022

Volume XII, Number 338


December 02, 2022

Subscribe to Latest Legal News and Analysis

FTC Issues Notice Contemplating Rulemaking for Security, Privacy and AI in 2022

CPW has been tracking Federal Trade Commission (“FTC”) activity in the realm of privacy and cybersecurity in 2021.  Last Friday, the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”  Although unsurprising, this development is extremely significant and posed to reshape the regulatory landscape going forward.

By way of reference, under Section 18 of the FTC Act, 15 U.S.C. Section 57a (also referred to as the Magnuson-Moss Warrant Act (“MMWA”)), the FTC is authorized to prescribe “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce” as described within Section 5(a)(1) of the Act.  Among other things, the statute requires that the FTC’s rulemaking proceedings provide an opportunity for informal hearings at which interested parties are accorded limited rights of cross-examination.  Moreover, before commencing a rulemaking proceeding, the Commission must have reason to believe that the practices to be addressed by the rulemaking are “prevalent.”  15 U.S.C. Sec. 57a(b)(3).  As such, in contrast to rulemaking under the Administrative Procedures Act (“APA”), rulemaking under Section 18 of the FTC Act has been heavily constrained and infrequently used.  The FTC has completed the Section 18 rulemaking process only seven times since the law was enacted in 1975.

In July of this year the FTC voted to update its rule making procedures to streamline its process under Section 18.  This was in large part a response to the Supreme Court’s ruling in AMG Capital Management, LLC v. Federal Trade Commission that courts could not award refunds to consumers in FTC cases brought under Section 13(b) of the FTC Act (which had been relied upon by the FTC for decades to collect billions of dollars from wrongdoers).  This decision shifted the FTC’s attention to Section 18 as an alternative vehicle to seek redress and other relief on behalf of consumers.  However, notwithstanding these new measures, the FTC cannot override the statutory limits on rulemaking embedded in Section 18.

There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice.  For instance, as seen in an April 2021 release the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduce[e] bias or other unfair outcomes” to medicine, finance, business operations, media, and other sectors.  In addition, the FTC declared algorithmic and biometric bias as a focus of enforcement in resolutions passed this Fall.  The Notice builds upon this focus, with its reference to “unlawful discrimination” likely signaling rulemaking directed at AI. Separately, since 2002 the FTC has brought nearly 100 cases against companies that have engaged in unfair or deceptive practices involving inadequate protection of consumers’ personal data.  Clarification on what constitutes “reasonable and necessary” cybersecurity measures may also result.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 348

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...