Industry-wide problems such as data security and privacy require industry-wide solutions. While there is broad consensus that it is time for comprehensive federal privacy legislation, Congress has been struggling over the specifics given the complexity of the issue.
But controversial Federal Trade Commission Chair Lina Khan is impatient with the pace of legislative progress. Last year, Chair Khan took it upon herself to launch a sweeping new rulemaking on data security using the FTC’s limited Magnuson-Moss authority. Given the numerous legal, analytical and procedural infirmities with Chair Khan’s expansive regulatory efforts, the FTC’s ultimate success on judicial review for its desired privacy regime remains very much in doubt.
Apparently worried that her rulemaking overreach is likely to face judicial defeat, Chair Khan is hedging her bets. Taking a “belt and suspenders” approach, Chair Khan is now also attempting to institute her expansive vision of privacy regulation through unprecedented enforcement proceedings against individual companies. The problem is that by using the case-by-case adjudication process, we end up with a patchwork of asymmetrical regulations among assorted firms.
Take the FTC’s recent actions against Facebook.
In 2020, the FTC and Facebook (now Meta) entered into a consent decree settling a complaint that Facebook had allegedly misrepresented its efforts to protect the privacy and security of its users. As part of its negotiated 2020 Consent Decree, Facebook agreed, among other things, to obtain user’s affirmative express consent before sharing their information with third parties “in a manner that materially exceeded their privacy settings.” In addition, Facebook agreed to prevent anyone from accessing a user’s information more than thirty days after the user deleted their account. Finally, Facebook agreed to establish and maintain a comprehensive privacy program and to obtain independent third-party assessments of their program.
In a surprise move, on May 3, 2023, the FTC dropped a heavily redacted Order to Show Cause accusing Facebook of repeatedly making false and misleading statements about its compliance with the 2020 Consent Decree. Invoking its authority under 47 U.S.C. § 45(b), the FTC announced that it was unilaterally re-writing the 2020 Consent Decree and imposing draconian new restrictions that go far beyond the conditions to which Facebook originally agreed and appear unrelated to any alleged legal violations.
Among other new mandates, the FTC plans to (a) impose strict limitations on Facebook’s ability to use information it collects from children and teens (i.e., users under the age of 18); (b) prohibit Facebook from releasing any new or modified product, service, or feature until it can demonstrate through written confirmation from an independent third-party assessor that its privacy program has no material gaps or weaknesses; and (3) impose stringent new revisions to Facebook’s existing privacy program provisions relating to privacy risk assessments and safeguard adjustments; privacy review; third-party monitoring; data inventory and access controls; and employee training. Facebook has thirty days to respond.
Given that the May 23 Order is highly redacted, how Facebook will respond (and how the FTC will treat Facebook’s response) is anyone’s guess. That said, given the FTC’s attempt to radically (and unilaterally) restructure Facebook’s privacy policies, it is legitimate to ask whether the punishment fits the crime?
To his credit, Democratic FTC Commissioner Alvaro Bedoya has expressed some skepticism in this regard. As Commissioner Bedoya explains in his concurring statement,
There are limits to the Commission’s order modification authority. Here, the relevant question is not what I would support as a matter of policy. Rather, when the Commission determines how to modify an order, it must identify a nexus between the original order, the intervening violations, and the modified order. Based on the record before me today, I have concerns about whether such a nexus exists . . .
Commissioner Bedoya makes an important point about the need for a “nexus” to the original conditions Facebook agreed to in the 2020 Consent Decree before the FTC mandates wholesale revisions. If the government is going to regulate the terms and conditions of Facebook’s business, then due process requires both adequate notice and specificity. As such, unilateral revisions of consent decrees are not the appropriate mechanism to attempt to impose expansive new regulatory regimes that could not be achieved through the general legislative or, at minimum, public rulemaking process.
The D.C. Circuit confronted this very issue in the case of Competitive Enterprise Institute v. FCC. There, the D.C. Circuit struck down negotiated “voluntary” commitments—wholly unrelated to remedying any specific anticompetitive harm raised by the transaction—that Charter was forced to accept from the Federal Communications Commission in order to get its merger with Time Warner Cable and Bright House Networks approved (a common practice at the FCC up to that point). The D.C. Circuit struck down these “voluntary” conditions, finding that absent any nexus to the case at hand, the FCC’s actions amounted to nothing more than “an out-and-out plan of extortion.”
So is the FTC’s May 2023 Order just another out-and-out plan of extortion? It is difficult to say due to the heavy redactions. What is clear, however, is that given the FTC’s recent spate of multiple losses before the courts (including recently having a federal judge shoot down the Commission’s efforts to block Meta’s acquisition of Within Unlimited), Chair Khan’s escalating efforts to usurp Congress’ role of defining appropriate privacy requirements reeks of desperation and vendetta.
Since assuming office, employee morale at the FTC has plummeted due to staff’s belief that senior leadership lacks honesty and integrity. Now the private sector is discovering what the staff already know: current FTC leadership lacks the integrity to honor their end of the bargain of negotiated orders.
The consequences of Ms. Khan’s destruction of public trust in the Commission will reverberate for years to come. If the FTC cannot be trusted, then negotiated settlements are too risky, and firms will never come to the bargaining table with the agency in future disputes. But Chair Khan needs a win and seems content to sacrifice the agency’s long-term credibility for a short-term victory. Her unilateral efforts to tear up the 2020 Consent Decree with Facebook provide yet more evidence that she wants at least one notch in her belt before she leaves office—regardless of the law or the merits.
Note from the Editor: The Federalist Society takes no positions on particular legal and public policy matters. Any expressions of opinion are those of the author. We welcome responses to the views presented here. To join the debate, please email us at [email protected].