Recent moves from the US government agency have laid the groundwork for significant changes to businesses’ compliance obligations, writes US attorney David Oberly

FTC set to ramp up privacy and security rule-making activity in 2022

ANALYSIS The Federal Trade Commission (FTC) overhauled its rule-making process last year, streamlining its ability to implement new rules and regulations related to privacy and security.

Subsequent developments provide a strong indication that the agency will embark on an aggressive rule-making campaign in 2022.

Importantly, the FTC’s ambitious wish list of rule-making initiatives for the coming year may transform the privacy and security legal landscape by creating significantly enhanced, more complex compliance obligations for businesses that collect and use personal data.

The changes could be especially significant if the FTC fundamentally alters how it approaches its treatment, and enforcement, of key issues.

AI privacy threat

In July 2021, the FTC finalized changes to its rule-making procedures under Section 18 of the FTC Act that are aimed at streamlining – and giving the FTC more control over – the rule-making process.

Prior to the changes, the FTC had only used this process seven times over the course of more than three decades. The agency has previously been particularly hesitant to leverage the process to promulgate privacy and security rules due to its impractical complexity and duration.


But with a more relaxed rule-making process in place, the FTC is poised to become much more active with regard to rule-making on privacy and security matters.

Indeed, at the end of 2021 the agency signaled such intent by issuing an advance notice of proposed rule-making on privacy and artificial intelligence (AI) “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination”.

This move was presaged by an FTC press release issued in April 2021 that warned of AI’s potential for “inadvertently introducing bias or other unfair outcomes” in “medicine, finance, business operations, media, and more”.

Regulatory priorities

In a Statement of Regulatory Priorities that set out a 2022 roadmap for new rules, the FTC said the impetus for increased rule-making activity stemmed from “changed circumstances” that included a 2021 Supreme Court ruling that significantly limited the agency’s ability to seek redress against companies engaging in improper privacy or security practices, the insufficiency of the agency’s “case-by-case approach to promoting competition”, and the FTC’s streamlining of its Section 18 rule-making process.

Importantly, the FTC’s authority to seek customer redress and/or civil penalties when enforcing the agency’s own rules was not impacted by the aforementioned Supreme Court decision (AMG Capital Management vs FTC).


The FTC’s Statement of Regulatory Priorities further explained that the FTC will seek to implement new rules that “define with specificity unfair or deceptive acts or practices”; that “curb […] lax security practices, limit […] intrusive surveillance, and ensure […] that algorithmic decision-making does not result in unlawful discrimination”; and that define “certain ‘unfair methods of competition’ prohibited by Section 5 of the FTC Act would promote competition and provide greater clarity to the market”.

The FTC has also signaled its intention to focus on – primarily through the promulgation of new rules – the Children’s Online Privacy Protection Act (COPPA), endorsement guides, and rules around health breach notifications, identity theft, negative options, and safeguards.

Keeping a watchful eye

All this forthcoming rule-making activity could cause sizeable changes to the US privacy and security legal landscape.

It comes at a time when privacy compliance is being complicated by the enactment of comprehensive consumer privacy statutes by Virginia and Colorado, as well as similar legislation being considered by a majority of other states that currently lack such laws.

As such, all businesses that collect or use personal data of any kind are well-advised to monitor FTC developments throughout the year. The agency will likely have an outsized impact on their compliance obligations in 2022 compared to prior years.

