Summit Snapshot: FTC Remains Active on the Privacy Beat, Supported by Industry Self-Regulation

September 18, 2024

Big Idea: Technological advancement keeps the Federal Trade Commission on its toes as privacy questions proliferate in the areas of healthcare, artificial intelligence, and children, among other data sectors.

Speaking on his own, the FTC’s Ben Wiseman delivers remarks about recent activity at the FTC and ways to develop privacy benchmarks.

FTC’s Ben Wiseman opened his DAA Summit 24 discussion with a few remarks offering perspectives on companies taking ownership of their privacy programs.

Ben Wiseman, associate director for the Division of Privacy & Identity Protection at the Federal Trade Commission (FTC or Commission), along with Alison Pepper, executive vice president for government relations & sustainability at 4A’s, had a candid discussion at this year’s DAA Summit 24, providing a glimpse into the most recent trends in FTC enforcement actions and ways companies can “take ownership of privacy” in service to consumers. The following presents some key takeaways from the conversation – with Ben Wiseman’s stated views reflecting his own opinions, not those of the Commission.

In light of current FTC perspectives, Wiseman shared five actions companies can take in order to “take ownership of privacy”:

(1) Evaluate existing privacy safeguards,
(2) Create benchmarks for the industry,
(3) Perform audits,
(4) Do research, and
(5) Hold yourself accountable.

Wiseman especially highlighted that, because DAA has “done the work to elevate privacy issues” during its 15-year tenure, the DAA Principles represent the efforts of various industry stakeholders, and companies could decrease their likelihood of becoming a target for enforcement by adhering to the Principles. 

The FTC’s Ben Wiseman sat down with DAA Board Member Alison Pepper of the 4A’s to discuss current FTC enforcement priorities.

Insights from Recent FTC Enforcement Actions

“Say what you do and do what you say,” Wiseman on Healthcare Data, DAA Summit 24

In February 2023, a federal court ordered a permanent injunction against GoodRx, which “…permanently restrained and enjoined GoodRx from misrepresenting or assisting others in misrepresenting…” adherence to government-sponsored compliance programs and self-regulatory principles like the DAA Principles. GoodRx was essentially “…not doing what it said it was doing with consumer data.” As a result of the FTC’s complaint, GoodRx incurred at least $1.5 million in fees.

According to Pepper and Wiseman, this was the first time, since the Health Breach Notification Rule (HBNR) of the Health Insurance Portability and Accountability Act (HIPAA) was promulgated in 2009, that the FTC enforced the rule. Wiseman used this example to illustrate that the FTC has used and will continue to use all tools available when bringing forward complaints to protect consumers from deception and unfair practices.

Additionally, to help companies stay on the right side of enforcement, Wiseman offered up another way of looking at “healthcare data.” He reminded attendees that while HIPAA applies to the collection and use of healthcare data among regulated entities, it is important to keep in mind that “…other regulations often apply” to entities that are not regulated by HIPAA. This insight is useful for organizations that are not subject to HIPAA but that touch personal health data for advertising and other business purposes.

For example, when considering how technology has been incorporated into health-conscious devices and applications (e.g., fitness trackers), Wiseman cautioned that those applications may “fall outside of HIPAA,” but still could raise FTC enforcement attention.

Thus, a broader perspective on what is regulated “health care information” is important. Wiseman suggested that health care information can include information that would help infer someone’s state of health – from the products they use, the information they seek online, the sites they visit, the apps with which they engage, and so on. As society continues to mix technology with healthcare, Wiseman proffered that “health privacy will remain a focal point” for the FTC.

“The rules on the books still apply” – Wiseman on AI at DAA Summit 24

Pepper began the AI [artificial intelligence] conversation by submitting that “…there are hundreds of bills on AI.” As she noted, predictive AI has been deployed in algorithms for targeted advertising for years, and FTC attention here has been focused on identifying and rooting out bias. More recently, it’s been the rise of generative AI that has captured the lion’s share of policy maker and regulator attention.

Wiseman pointed to the plethora of literature the FTC has released since 2012 that helps explain the FTC’s position on AI and machine learning. Wiseman noted that “when the internet was taking off,” the absence of comprehensive privacy legislation governing digital data gave rise to information-sharing practices that he believes were harmful to consumers.  Wiseman suggested that stakeholders would benefit from not making the same mistake now with the rise of AI.

Beyond advertising, instances of racial discrimination in the use of AI facial recognition contribute further to the FTC’s wariness surrounding AI applications. Wiseman recounted the Rite Aid case where the FTC alleged the drug store chain’s employees called the police on a black woman for suspected shoplifting based on an AI-based suggestion, even though the picture to which the AI had matched her was that of a white woman with blonde hair. False positives such as this have led the FTC to release numerous recommendations on how to implement AI mechanisms responsibly and create accountability. Ultimately though, according to Wiseman, “AI is a new tool but the (old) rules still apply.”

“Absent a secondary harm, the loss of privacy itself is a substantial injury…” – Wiseman on Data Brokers at DAA Summit 24

Recently, the FTC has focused on the sale of consumer data. Wiseman told the cautionary tale of the FTC’s pending case against Kochava, Inc. In that case, the FTC raised complaints about Kochava’s collection and sale of geolocation data, and its database graph, app graph and audience segment products.

In that case, the court ruled that the FTC plausibly alleged that Kochava’s practices “…cause or are likely to cause substantial injury to consumers.” To substantiate its claims, Wiseman said the FTC used real examples of consumers that were harmed by the disclosure of geolocation and app-use data. While the FTC did not allege that Kochava itself caused those harms, the court ruled that per Section 5(a) of the FTC Act, the defendant does not have to be the one inflicting the ultimate harm in order for a court to accept proof that the defendant’s acts cause or are likely to cause substantial harm. The court also ruled that the FTC’s invasion of privacy allegation was plausible.

DAA Principles – Self-Regulation Adherence as a Compliance Compass

While “there are circumstances where consumers have a reasonable expectation that their data is used,” Wiseman explained that issues arise when data is being used contrary to how the consumers are told it would be used. Again, Wiseman highlighted the usefulness of the DAA Principles. A company’s adherence to the DAA Principles is more likely to put that company on the right side of compliance, should there be a complaint.

Echoing the words of BBB National Programs’ Mary Engle and Association of National Advertisers’ Senny Boone from the Digital Advertising Accountability Workshop on enforcement the day before, Wiseman assured attendees that the conversation does not stop at the Summit. The FTC provides resources to businesses that may have questions about permissible data collection and usage. He spoke about his open-door policy and willingness to keep the conversation with industry going.

DAA wishes to acknowledge the editorial and research support of legal associate Briana Humphrey in preparation of this blog post. 
