Federal Trade Commission (FTC) Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals Global Privacy Summit on April 11, 2022, in Washington, D.C. In her first public speech on privacy issues since her appointment last June, she promised “swift and bold” action by the FTC.

Chair Khan began with her view of the current landscape of data privacy and digital technologies for consumers in the United States. She noted that the landscape has shifted quickly as the COVID-19 pandemic hastened the integration of digital technologies into consumers’ lives. She cautioned that while digital technologies offer tremendous benefits, “dependence” on them also presents risks, such as security vulnerabilities that affect critical infrastructure and privacy violations that affect sensitive data, including health or children’s information.

Against that backdrop, Chair Khan explained how the FTC is using its “scarce” resources to address privacy risks and “rein in” what she called “surveillance-based business models.” Chair Khan highlighted the following:

• The FTC is focusing on businesses that “cause widespread harm,” which she said included tackling conduct by “dominant firms” as well as “dominant intermediaries” that facilitate unlawful conduct on a massive scale.
• The FTC is taking an interdisciplinary approach, examining data practices from both a consumer protection and a competition lens. She further noted that the FTC is increasing its reliance on technologists, including data scientists, user experience  designers, and artificial intelligence  researchers.
• The FTC is focused on designing effective remedies that fully cure the underlying harm and, where necessary, deprive law breakers of the “fruits of their misconduct,” such as through the deletion of unlawfully acquired data and destruction of algorithms that had relied on such data. Chair Khan also explained that the FTC seeks to ensure that remedies evolve to “reflect the latest best practices in security and privacy.” As an example, she cited the requirement to use multifactor authentication in a recent settlement as reflecting “the latest thinking in secure credentialing.”

Finally, Chair Khan referred to the FTC’s anticipated privacy and data security rulemaking as an opportunity to further update the FTC’s approach to data practices. She said the FTC should reassess its framework for evaluating data practices, noting that many had criticized the notice and consent model as insufficient. Chair Khan said the FTC should consider substantive limits and whether certain types of data processing should be permitted in the first place, which suggests that a ban on certain types of data processing may be explored in the FTC’s rulemaking or in future settlements.

© 2022 Perkins Coie LLP