A View from DC: Former FTC Chair Khan reflects on her privacy legacy

In the fields of battle and regulatory enforcement alike, the thoughtful accumulation of incremental victories matters a lot toward shaping final outcomes. Without strategy, there can be no lasting path to victory.

As Sun Tzu wrote, "Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.”

A cohesive strategy matters just as much in the ongoing policy debates over how the U.S. Federal Trade Commission's consumer protection authorities should be used in the effort to influence our understanding of reasonable privacy and cybersecurity practices.

As it happens, not all history is written by the victors. Exercising a solid attempt to shape how academics and practitioners remember her term at the FTC, former Chair Lina Khan has published a major feature in the Stanford Law Review. Alongside Samuel Levine and Stephanie Nguyen, her director of consumer protection and chief technologist, respectively, Khan seeks to explain the cohesive strategy behind the data privacy efforts she oversaw at the commission during her tenure.

On reflection, the trodden path always looks clearer than the path before us. In reality, FTC enforcement always represents the coming together of many factors — from staff interest and expertise to commissioner buy-in and the strategic engagement of agency leadership — all of which evolve and iterate over time. Nevertheless, the authors' accumulated learnings and strategic thinking on privacy provides a meaningful reflection and will serve as an important contribution to the practice of privacy in the consumer protection context. Though echoing the public statements of the authors across their years at the agency, the analysis represents the first time that their final strategies have been so coherently revealed and described.

Overall, Khan, Levine and Nguyen characterize their FTC privacy legacy as one that shifted the agency's focus from "procedural" enforcement of notice and choice to "substantive" interventions into the root harms of the privacy practices undergirding the modern "commercial surveillance" ecosystem.

To illustrate this shift, they focus on four areas of "Biden-era" privacy enforcement priority.

"First, the Commission would examine and target the upstream drivers of data abuses, focusing on the underlying collection of data and the business models driving this unchecked surveillance. Second, the Commission would scrutinize how firms design online architecture, especially 'dark patterns' that manipulate people and cost consumers money or time. Third, the Commission would recognize children and teens as a distinct category of consumers requiring strong protections. Finally, responding to the failures of self-regulation, the Commission would focus on deterrence, crafting remedies that disincentivize lawbreaking rather than encourage it."

To some extent, this may seem like a grab bag of policy achievements, but Khan and her colleagues are careful to explain how each of these four "pillars" relate to what they see as their overall privacy legacy. As they see it, "The FTC's consumer protection work these last few years modeled a break from the laissez-faire framework that had largely persisted since the Reagan revolution. By pursuing an approach rooted in fidelity to the FTC's full suite of authorities and the market realities of the digital age, the agency set out a new paradigm for consumer protection."

The primary tool toward achieving this shift — as I wrote about frequently during the Khan FTC — has been the expanded use of unfairness authority under the FTC Act. With this in mind, a large portion of the meaty analysis in the law review article is focused on the shifting philosophy around the use of unfairness and how it was applied to missteps throughout the data life cycle. The title of the piece, in fact, is "After Notice and Choice: Reinvigorating 'Unfairness' to Rein In Data Abuses."

Beyond these helpful contributions, the law review feature also spends much time contextualizing the Khan FTC's efforts against the backdrop of prior FTC history. It paints a stark picture of the unwillingness of many prior FTC commissioners to take an expansive view of the agency’s authority over privacy practices, especially through the use of unfairness. One quote that was new to me: when in 2001 Commissioner Thomas Leary called concerns around online privacy "a new hysteria."

Overall, Khan believes one of the chief failures of prior FTC privacy philosophies was the "narrow focus on downstream harms rather than upstream data practices." This is best illustrated by the Do Not Call registry and identity theft enforcement efforts, which the authors go so far as to say were a distraction from the potential to shape meaningful data collection and use practices at the outset, by instead focusing on the end harms of an increasingly predatory data ecosystem.

Oddly, the article ignores some of the important precedent-building work for the expanding use of unfairness during the FTC of the 2010s — such as through the landmark Vizio enforcement — but it rightly highlights how the Khan FTC began to bring unfairness to its full potential as a tool to curtail harmful data practices when privacy notices alone are not enough for consumers to avoid injury.

Finally and importantly, the article includes a number of reflections on how to build lasting enforcement capacity at the FTC. Of course, this comes at a time when the extent of privacy's future prioritization at the agency is subject to debate.

Khan raises this uncertainty, even as she highlights the potential of the strategy she helped to oversee. As she succinctly puts it, "The FTC's new strategy remains nascent — and its institutional durability remains an open question."

Please send feedback, updates and legacy reflections to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.