Judging that the "narrow, hollowed out, ideologically inflected conception" of Reagan-era privacy enforcement limited to deceptive conduct could no longer protect American consumers in the modern digital economy, former US Federal Trade Commission Chair Lina Khan led what she and other former FTC officials called a “paradigm shift” in enforcement. In a Stanford University law review article and an interview with MLex, Khan said the generational pivot away from the previous “ideologically cramped view” of the FTC’s enforcement powers is unlikely to be fully dialed back, even by the FTC's current conservative leadership.
Between 2022 and this January, the US Federal Trade Commission carried out an unprecedented burst of data protection enforcement, with many of those cases based on the agency’s powers to police “unfair” business practices under the FTC Act.For the first time in the FTC’s nearly 30 years of data privacy enforcement, the commission didn’t just go after firms that deceived consumers. Instead, it called for baseline protections against unchecked collection and monetization of data and the limitless warehousing of it, former FTC Chair Lina Khan and former consumer protection chief Samuel Levine argue in a new academic article.
The past four years were a “paradigm shift” in how the agency had, since the Reagan administration in the 1980s retreated from using its regulatory authority over unfair practices, they said in the Stanford law review piece (see here). The change was a generational “pivot” away from the previous “ideologically cramped view” of the FTC’s enforcement powers — one that Khan, Levine and Stephanie Nguyen, the FTC’s chief technologist under Khan, say is unlikely to fully snap back, even under conservative leadership.
In an interview with MLex this week, Khan said that almost from the beginning of her term as chair, she and Levine had a plan to transform privacy and other consumer protection enforcement beyond policing deceptive conduct — “an investigative strategy” — that would move the FTC beyond the traditional “notice and choice” enforcement in which companies must only disclose their practices to avoid regulatory trouble.
“You know, when I came in, Sam and I had a lot of conversations about what the kind of programmatic consumer protection agenda would be,” Khan told MLex. “Underlying a lot of it was this idea that we needed to do away with this conception of consumer protection that it’s first and foremost about making sure companies aren't lying, and that’s it.”
Elements of what the Stanford article described as a “coherent framework for law enforcement in the digital economy” were discussed in FTC policy speeches in recent years. Khan said the former FTC officials wrote the article to connect the dots between enforcement actions and to lay out the full framework she and Levine began discussing soon after she took the reins of the FTC in the summer of 2021.
“What we were looking to do these past few years was a much more significant break with that narrow, hollowed out, ideologically inflected conception of what consumer protection is about, in favor of actually using the tools that Congress has given us, including unfairness authority,” the former chair said.
— New framework —
The Reagan-era view, Khan said, was that “the only role for consumer protection, more or less, is to make sure that businesses are not lying to you, and outside of that, the markets will self-correct. And so it was just an extremely hollowed out conception of what consumer protection is about and what it stands for.”
Khan sees the transformation on data privacy and other consumer protection enforcement as being as significant as the pivot the FTC made on antitrust — “a durable blueprint for substantive consumer protection in the digital age,” the former FTC officials called it in the Stanford article. Compared to antitrust, the consumer protection shift has been less thoroughly assessed by commentators, she said, and that was one reason to write the Stanford piece.
Two “pillars” of that blueprint include enforcement actions that put “baseline limits on data collection,” and tackling “design tactics like dark patterns” that could coerce consumers to make bad privacy choices. A third pillar was the FTC's focus on the privacy of children and teens, harnessing “its tools to take on exploitative and unfair practices targeting minors,” Khan, Levine and Nguyen said in the Stanford article.
Khan and her team believed, they wrote, “that certain online business practices expose young people to injury. The Commission mapped out a case-by-case approach that was grounded in specific evidence of harms,” using the FTC’s then-rarely used power to police “unfair” business practices under Section 5 of the FTC Act to account for non-monetary harms such as mental health problems for teens.
Two cases that the former officials said best illustrate that part of the plan were a $520 million settlement with Epic Games in late 2022 (see here) that included a record $275 million civil penalty for a violation of the Children’s Online Privacy Protection Act, or COPPA; and a 2024 action against NGL (see here), a highly popular social media app with high school students that Khan said marketed to kids and teens despite knowing that it was exposing them to cyberbullying and harassment.
“Faced with these facts, the FTC brought a novel claim: that the company’s marketing of anonymous messaging apps to teens was unfair. And the agency’s order was equally novel — banning the company from marketing or offering its app to teens,” the former FTC officials wrote.
Since 2021, the FTC has also prioritized seeking fines — civil penalties — when they are available under the law, they said. That switch by the FTC helped fuel a global acceleration of large data privacy fines in recent years (see here), which an MLex analysis found has now eclipsed $18 billion.
— How durable? —
By August 2023, two years after Khan took leadership of the FTC, the agency had completed privacy enforcement actions against Meta Platforms, the former Twitter (now X), Microsoft, Amazon, Kochava, Edmodo and other lesser-known companies (see here).
The FTC sued Kochava using its “unfairness” powers under Section 5, saying the Idaho data broker harmed millions of US consumers by tracking their geolocation data collected by their phones, and selling that information to marketers and others.
When a federal judge last year denied Kochava’s motion to dismiss the unfairness claims (see here), the FTC officials wrote, it was “a watershed development for privacy enforcement at the FTC — and a direct rejection” of the more limited view of privacy that held there was no harm unless downstream effects such as identity theft or financial costs to consumers could be shown.
“Just as key tenets of the FTC’s 1980s approach — such as the agency’s abdication of its unfairness and rulemaking authorities — lasted decades beyond the Reagan-Bush era, it appears unlikely that the FTC will return to an entirely hands-off approach to consumer protection in the digital age,” Khan, Levine and Nguyen argue in the Stanford law review piece.
Two Republican members of the current commission, Chairman Andrew Ferguson and Commissioner Melissa Holyoak, have supported the legal thrust of the Kochava case, as have some populist Republicans, such as former Congressman Matt Gaetz. That’s one data point, Khan said, for the view that the changes in privacy enforcement the FTC ushered in over the past four years will abide.
“Of course, I hope that the work that we continued at the FTC will be institutionally durable, and at least a whole bunch of the votes over the last few years suggest that it could be,” Khan told MLex. “But obviously it's not the independent decision making of the current FTC commissioners that is the final word on what this FTC will be doing. So, it's just part of a broader political environment, and much more deferential to the White House's whims. ... It’s just hard to tell.”
The focus on children’s privacy and online safety in areas such as the addictive design of social media platforms is certainly one element of FTC enforcement, however, that is likely to carry over from Khan’s leadership to Ferguson’s. At a day-long FTC conference this month on how the “attention economy” harms children and teens, Ferguson noted that he voted for tougher enforcement rules for COPPA and said the FTC needs “to be aspirational” to find new ways to protect kids online (see here).
Ferguson and other commissioners have said repeatedly that the FTC is a law enforcement agency — not a regulator — in the sense that unlike European data protection agencies, the FTC must rely on Congress to dictate its enforcement authority and not seek to expand its authority (see here).
Khan said, however, that one element of her consumer protection work that hasn’t been fully appreciated is that the FTC didn’t get new regulatory enforcement tools during her leadership. It simply rediscovered authority, such as the Health Breach Notification Rule (see here), that it already had.
“What the last few years demonstrated was that there were a lot of dormant authorities just lying on the books, and actually, without Congress doing much new at all, we were able to pretty significantly change how the FTC was enforcing the law, and notch some pretty significant, important victories in court, and start shifting how businesses were collecting and using people data,” Khan said. “So big picture, I think it underscores the importance of agencies canvassing and fully using all of the authorities that they already have.”
Please email editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers.