There has been curiosity about how long it would take the U.S. Federal Trade Commission to delve into privacy matters once it had a full bench of commissioners and a Democratic majority. The answer took only three days as the agenda for the first public session following the swearing in of Alvaro Bedoya as the fifth and final FTC commissioner led off with a privacy vote.
Surprisingly, FTC Chair Lina Khan did not see a party line vote on this first action with the full bench as commissioners voted 5-0 to adopt a policy statement regarding increased scrutiny and focus on Children's Online Privacy Protection Act violations involving education technology companies. The reaffirmation of enforcement against edtech is one of many actions related to privacy and data security expected from the commission moving forward, including a potential privacy rulemaking.
The vote itself showed a unified line of thinking, but comments during the open session revealed doubts, among on-lookers and commissioners, about the path the FTC is taking to address growing privacy issues plaguing consumers.
Strong statement, familiar policy
While it has been clear that Khan's FTC does not see eye to eye on everything, the vote on the edtech policy statement shows commissioners do in fact fall in line with one another on improving children's online protections.
"Today's statement underscores how the substantive protections of the COPPA Rule ensure that children can do their schoolwork without having to surrender to commercial surveillance practices," Khan said while introducing the policy.
The substance within the statement did not include any new enforcement tactics or specifics regarding when and how the commission planned to show its teeth to crack down on collection, use, retention and security requirements for children's data. Despite it coming across as more of a warning shot than anything else, new commissioner Bedoya viewed the policy update as a necessity.
"Chair Khan has wisely urged us to focus on systemic responses to problems," Bedoya said in his first comments since officially joining the FTC. "I see this statement as part of a systemic effort to use the tools we already have in our toolbox that go beyond notice and consent."
Conversations around edtech enforcement are not new for the FTC. More stringent actions against the industry were brought up during a broader COPPA workshop hosted by the FTC in October 2019 that was designed to inform a COPPA rulemaking process previously announced that July. While that rulemaking has yet to hit the finish line, suggestions for increased scrutiny have continued from Capitol Hill. Democratic and Republican members of the U.S. Senate wrote to the FTC at the height of the COVID-19 pandemic in May 2020 urging a renewed focus on edtech companies as their usage skyrocketed, subsequently increasing children's data collection in the process.
Testimony during the open meeting ahead of the vote depicted what considerations might be missing in the current edtech enforcement policy.
"I wanted to raise that it is very important to consider exactly what the repercussions might be in not allowing schools to consent on behalf of parents when it comes to education technology," Public Interest Privacy Consulting founder and President Amelia Vance told commissioners. "The likely impact of such a restriction would be cutting out probably all education technology from schools where students are under the age of 13, and I hope that the commission will spend some time reviewing this issue to ensure that a nuanced and balanced privacy protective solution is available."
Nebraska College of Law assistant professor Elana Zeide spoke about the needs of parents and educators trying to protect kids, but also the needs of the edtech vendors seeking to do the right thing.
"In many cases, they feel uncertain as to whether the schools are in fact doing the due diligence, and again, obtain the consent as they should be doing, leaving vendors in a bit of a bind," Zeide said, proposing a need for balancing parents' "desire to control and govern the information that is disclosed about their children" and "the practicalities of the educational environment."
'Illusion of taking action'
Despite the unanimous vote to adopt the policy statement, the inevitable party-line views on how the FTC was going to go about its business on privacy and other matters after Bedoya sealed the Democratic majority among commissioners showed up during the open meeting.
FTC Commissioner Christine Wilson was very clear that she supported the statement only for its work against children's harms. Wilson did not approve of addressing harms through a policy statement, which she claimed went against FTC processes.
"I believe it is appropriate to issue policy statements in areas where the application of the law may be unclear and the market might benefit from additional transparency," Wilson said. "But I do not believe it is appropriate to issue a policy statement during the pendency of an ongoing rulemaking seeking public comment on the precise issues discussed in the statement."
Wilson referred back to the COPPA rulemaking taken up in 2019 a number of times in her comments and also pointed to other examples of "due process foul" that has shown up during Khan's tenure, including last year's policy statement on health applications' compliance with the Health Breach Notification Rule.
"Issuing policy statements gives the illusion of taking action, particularly where those policy statements break no new ground," Wilson said. "Rather than moving on quickly after the flurry of press coverage that will discuss the Commission’s 'new' policies on edtech and children’s privacy, I hope we turn to the important task of completing the COPPA Rule review."
Eileen Harrington, former executive director of FTC Bureau of Consumer Protection, who spent more than 27 years in different roles at the commission, also chimed in at the meeting with concerns about the current direction of the agency. While Wilson focused on procedural issues, Harrington spoke to how "alarmed and deeply concerned" she is with the political environment being injected into the commission's work.
"The FTC is not a failed agency, but it's on the road to becoming one," Harrington said. "This is a crisis. It's an urgent topic that deserves more than two minutes. It requires the humility to admit to and correct mistakes, a restoration of collegiality, at the commission and throughout the agency, and good management."
Harrington pointed to a stream of staff departures and alleged closed line of communication between FTC leadership and staff members as examples of what's holding the commission back from doing meaningful work in a more timely and bipartisan manner.
"The agency's productivity and effectiveness depend on an engaged career staff, and engagement grows from a culture of mutual respect, collaboration, and inclusion," Harrington said. "For 40 years, this was the culture at the Federal Trade Commission, regardless of the party holding the majority. Today, it is not."
Children’s Privacy and Safety intends to help the practitioner and advocate on their journey to protect children’s data privacy and safety. The privacy laws and safety protections impacting children vary from country to country and across industries and data types, making it hard to apply a singular global approach. This comprehensive treatise is intended to provide reliable and substantive background on children’s privacy, data protection, and safety issues.
If you want to comment on this post, you need to login.