In Washington, just over a month after the presidential election, it was natural that FTC Commissioner Maureen Ohlhausen should be asked about the coming effect of a Trump administration as part of her opening keynote conversation at the IAPP’s Practical Privacy Series event.
In response to Wilmer Hale Partner Reed Freeman’s, CIPP/US, question, however, Ohlhausen evinced a general lack of concern. With a history as a staffer at the FTC going back nearly 20 years, “I have seen other transitions before,” she said. “So, just looking to the past as an indicator, I’d say the FTC is very good at handing the baton from one administration to the next. And there’s been a lot of consistency in data privacy and security issues.”
Whether with the first Geocities case under Chairman Robert Pitofsky, or through data privacy settlements under chairs Timothy Muris, Deborah Majoras, William Kovacic, Jon Leibowitz, and, now, Edith Ramirez, “the goals of the FTC stay the same,” said Ohlhausen. “And privacy will remain an important issue for the FTC.” Freeman did not press her to predict the next FTC chair.
Of course, she elaborated, “for any organization, goals should evolve, and we should look for ways to improve. I want to be sure we are focusing on real harm and where the real problems lie. I would hope that would be one of the topics that the FTC keeps in mind as we keep up with our traditional bipartisan data privacy enforcement.”
For example, she pointed to the Nomi Technologies case, where Ohlhausen dissented. “If you make a promise you have to adhere to it,” she said, “but in Nomi, my concern was: Were we penalizing a company that was trying to do more than they were required to? And what was the incentive we were creating there? Should they instead just do the minimum and skate by? I thought that was a prosecutorial discretion kind of thing.”
“Often, there’s this idea that if we have a new technology, we need a new regulation, but that’s not necessarily the case.” — Commissioner Maureen Ohlhausen, FTC
As she looks forward to enforcement, Ohlhausen said she’d look first for substantial injury. And one that’s not outweighed by benefits to consumers or benefits to market competition. “That’s a multifactor test,” she said. “It’s kind of a cost-benefit analysis.”
Further, she’s not looking to slow the pace of technological advance. Rather, “we should be looking at the world and looking for issues that affect the everyday consumer,” Ohlhausen said. However, she allowed, “occasionally we have cases that are focused on a new technology because we want to set expectations correctly.” She noted this was the case with behavioral advertising, mobile apps, and the internet of things in the past.
At the core of her enforcement stance is what she called a “regulatory humility.”
“When there’s a new technology,” Ohlhausen said, “we need to educate our selves,” via FTC workshop or other research, “and then understand the likely benefits and harms to consumers. And are those harms occurring? It’s often only theoretical. And then if there are harms, do we have the tools to address them?
"That’s basic FTC stuff: If you make a promise, you better adhere to it." — Commissioner Maureen Ohlhausen, FTC
“Often, there’s this idea that if we have a new technology, we need a new regulation, but that’s not necessarily the case.”
The FTC is in the learning stages on SmartTVs (there was a workshop on the topic Dec. 8) and drones, for example. Also, look for a steady focus on data breaches, and new, similar, attacks, like ransomware and the DDoS attack that brought Dyn to its knees earlier this year.
In the mobile space, Ohlhausen made a point of highlighting issues of precise geolocation (the FTC considers that sensitive PII), how data is secured in transit, and data collected from children: “Our goal is not to play gotcha with that. It’s to make sure children’s information is treated the way Congress wants it to be treated.”
Really, keeping out of the FTC’s sights is pretty simple, Ohlhausen said. “What promises have you made to consumers about the data you’re collecting and securing? Make sure you adhere to those promises. A lot of small companies, they copy a privacy policy from someone else and then they don’t adhere to it. That’s basic FTC stuff: If you make a promise, you better adhere to it.”