Will Trump’s pick to lead the FTC halt privacy rulemaking, AI enforcement?

Andrew N. Ferguson is President-elect Donald Trump’s choice to head the Federal Trade Commission (FTC). If approved by the Republican-controlled Senate, his selection could indicate an inclination by the incoming Trump administration to deprioritize FTC rulemaking and enforcement activities related to data privacy and AI. This also could indicate a broader regulatory philosophy that emphasizes legislative action over administrative rulemaking.

Ferguson’s stated regulatory philosophy and strategic priorities, if implemented as FTC chair, would have profound implications for industry and consumers. Critics argue that this shift would mean that critical privacy issues will be given short shrift as technologies like AI and data analytics rapidly evolve and outpace regulatory schema.

Meanwhile, Trump announced that he intends to nominate Mark Meador to be an FTC commissioner. Meador is a partner at Washington, D.C.-based Kressin Meador Powers. He also was an antitrust counsel to Republican U.S. Senator Mike Lee. While specific details about Meador’s positions on privacy and AI regulation are scant, given his antitrust expertise it is plausible that he would advocate for a more balanced approach to regulation, aiming to foster innovation while ensuring consumer protection, a perspective that aligns with the broader Republican emphasis on limited government intervention and market-driven solutions.

Ferguson is the former solicitor general of Virginia, a former counsel to Republican Senator and Senate Minority leader Mitch McConnell, and he a clerked for U.S. Supreme Court Justice Clarence Thomas. If confirmed, he will inherit a slew of regulatory actions against Big Tech and a half-dozen lawsuits by companies arguing that the FTC overstepped its authority. There’s also the FTC’s investigation – launched in July 2023 – of OpenAI for possible privacy issues.

Ferguson has voted in favor of every privacy-related FTC enforcement action as an FTC commissioner, but he also has consistently emphasized the importance of congressional authority in crafting comprehensive data privacy laws.

In a leaked memo he wrote to Trump reportedly advocating for the top FTC post, he said the FTC under his direction will “stop abusing FTC enforcement authorities as a substitute for comprehensive privacy legislation,” and that there will be “no more novel and legally dubious consumer protection cases.”

One matter in particular that Ferguson will have to contend with, and which will have to be addressed, is the complaint and proposed Decision and Order that the agency has taken against two Virginia-based data brokers. The complaint alleges that they unlawfully tracked and sold sensitive consumer location data. Ferguson supported two of the counts that the commission brought against the firms, but dissented from the commission’s counts that accuses them of unfairly categorizing consumers based on sensitive characteristics and of selling those categorizations to third parties.

In his dissent, Ferguson argued that the FTC Act explicitly prohibits the collection and subsequent sale of precise location data without the consumer’s consent. He emphasized that data brokers are required to take reasonable measures to verify that consumers initially consented to the collection of the data being utilized and sold.

Ferguson agreed that if a company aggregates and categorizes data that were collected without proper consent and then sells those categorizations, it violates Section 5 of the FTC Act. But he also argued that the violation arises from the lack of consent for the original data collection, not from the specific categories into which the data are organized.

Ferguson said the FTC Act imposes consent requirements in defined circumstances, but it does not restrict how legally acquired data may be analyzed, or the conclusions that may be drawn from such analysis. That line of thinking begins to walk a very fine line. Yes, data is acquired legally. But highly granularized analysis of an individual’s aggregated data, and the sorts of personal conclusions that can be inferred from it, begins to edge very close to raising legitimate privacy concerns. It also raises the incentive for bad actors to steal the information – in bulk.

Ferguson said the FTC commissioners have an erroneous view of the FTC Act as being “a comprehensive privacy law,” adding that “comprehensive privacy regulation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs. We must not stray from the bounds of the law.”

Indeed. Ferguson believes broad regulatory initiatives on privacy should emerge from Congress, not an administrative federal agency, an approach that underscores his critique of what he views as regulatory overreach by administrative bodies. The FTC’s role, Ferguson has said, should focus on enforcing existing laws rather than expanding its mandate through rulemaking.

Ferguson has been highly critical of what he perceives to have been regulatory overreach under previous FTC leadership. He’s argued that the FTC should focus on its core competencies – namely, enforcing existing laws – rather than creating new rules that could extend its mandate without clear legislative backing.

“Commissioner Ferguson has made no secret of his preference for Congress, rather than the FTC, to set clear privacy guardrails,” said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals. “This means rulemaking activities at the commission are likely to be deprioritized.”

Privacy advocates fear this deprioritization could kill a proposed rule on commercial surveillance and data security that the FTC announced in August 2022 that it is considering. The commission at that time published an advance notice of proposed rulemaking to request public comment – for the purpose of the rulemaking – on the prevalence of commercial surveillance and data security practices that harm consumers. The FTC said at the time that the new rule will focus on data security, data minimization, and algorithmic accountability.

Under Ferguson’s leadership, the FTC would likely redirect resources toward enforcement of existing laws such as the Children’s Online Privacy Protection Act (COPPA) and provisions under Section 5 of the FTC Act which targets unfair or deceptive practices. This strategy would suggest a preference for addressing specific harms through targeted actions rather than introducing broad, preemptive regulations. Indeed, rather than pursuing expansive, preemptive rulemaking initiatives, the focus is more likely to lean towards addressing specific, well-defined harms like deceptive practices by data brokers.

And as for data brokers – which have come under withering criticism and congressional scrutiny in the wake of an unprecedented security breach this summer – they could face less systemic scrutiny under a Ferguson FTC. Enforcement actions may become more sporadic and narrowly defined. Rather than proposing rules to regulate the industry, the FTC might instead rely on case-by-case enforcement, potentially creating an inconsistent and less predictable regulatory environment. Ferguson’s stance aligns with Republicans’ broader emphasis on ensuring regulatory clarity and avoiding undue burdens on businesses.

This approach diverges sharply from the path that was set by Ferguson’s predecessor, Lina Khan, who championed a more proactive regulatory approach. It was under Khan’s leadership that the FTC issued the impending rulemaking on commercial surveillance and data security practices, which seeks to address systemic issues in privacy and consumer protection.

Ferguson’s position, on the other hand, represents a stark departure, potentially one that could pause or roll back such initiatives. Critics have argued that this could delay progress in protecting consumer data in an era of rapid technological change. Ferguson’s departure from this activism could signal a rollback of momentum in establishing comprehensive privacy standards.

Ferguson’s strategy, while appealing to those who advocate for limited government intervention, poses certain risks. The absence of federal rulemaking could perpetuate a fragmented regulatory landscape where states enact their own privacy laws. This patchwork will only further complicate compliance for businesses, especially those operating across multiple jurisdictions. And consumers could see delayed protections against data misuse and breaches. And enforcement actions alone likely would not adequately address systemic vulnerabilities in data security.

For the business community, especially Big Tech, Ferguson’s position offers a reprieve from the immediate pressures of adapting to new federal regulations. Established companies, especially in the tech and data brokering industries, would undoubtedly find this environment more favorable for their operations. Smaller firms and startups though would encounter challenges navigating the inconsistencies of state laws without clear federal guidelines. Such regulatory uncertainty could stifle innovation in some sectors while empowering larger entities to consolidate their influence.

Ferguson’s overall approach to privacy regulation reflects a broader effort to balance enforcement with fostering innovation. He has expressed concerns that excessive regulatory measures could stifle technological advancement and impede competition, a position that’s been signaled by the incoming Republican dominated Congress. Republican lawmakers have favored a more market-driven and hands-off approach when it comes to regulating consumer data privacy than their Democratic counterparts. By focusing on enforcement of existing rules rather than expansive rulemaking, Ferguson would seek to maintain this balance, even if it means delaying the establishment of universal protections.

Ferguson’s position on deprioritizing privacy rulemaking could also signal a shift in the FTC’s focus toward narrower enforcement and a reliance on Congress for broader legislative solutions. While this approach aligns with his regulatory philosophy, it raises concerns about the FTC’s ability to address emerging privacy challenges effectively in an increasingly complex digital environment.

With the rise of AI technologies, Ferguson’s reluctance to engage in privacy-related rulemaking could hinder the FTC’s ability to establish clear guidelines on the use of consumer data in AI training and applications. Ferguson has said that he would “end the FTC’s attempt to become an AI regulator.” His unabashed approach to AI reflects a desire to foster innovation and competition while avoiding premature or overly burdensome regulations that could stifle technological advancement.

Wedbush analyst Dan Ives said in a client note that: “We expect Ferguson to continue to have a keen eye on the tech world … he will clearly roll back Khan’s head-scratching anti-tech agenda, including ending efforts to regulate AI.”

Such a restrained position though raises questions about the adequacy of existing legal frameworks to address the unique challenges and risks that increasingly are posed by AI technologies.

Ferguson has expressed skepticism about the FTC’s attempts to position itself as a primary regulator of AI. He critiqued initiatives under Khan that sought to expand the FTC’s role in governing AI systems, arguing that such actions could exceed the agency’s statutory authority. He’s said that he favors a measured approach that focuses on enforcing existing laws against deceptive or unfair practices in the use of AI. This approach could possibly translate into investigating AI systems that mislead consumers, perpetuate fraud, or violate privacy laws.

The impact of Ferguson’s stance on AI regulation is multifaceted. On the one hand, it could create a more innovation-friendly environment by giving developers and businesses greater latitude to experiment with AI technologies without immediate regulatory constraints, but it could also accelerate technological progress, particularly in areas where regulatory uncertainty has previously slowed investment and development. Businesses operating in AI would benefit from clearer, more predictable enforcement under existing laws rather than having to navigate a potentially ambiguous or stringent new regulatory landscape.

On the other hand, though, this approach could leave critical gaps in oversight. AI technologies introduce unique risks, such as algorithmic bias, lack of transparency, and the potential for misuse in areas like surveillance or misinformation. Existing laws, which were not designed with AI’s complexities in mind, could prove insufficient to address these risks comprehensively. By refraining from proactive rulemaking, the FTC could miss opportunities to establish clear guidelines for responsible AI development and deployment, which could lead to inconsistent standards across industries.

Another significant implication of Ferguson’s position is the likelihood of increased reliance on state or sector-specific regulations to fill the gap left by federal inaction. For example, states like California and New York may continue to advance their own AI-specific laws, creating a fragmented regulatory landscape. While larger companies may have the resources to navigate this complexity, smaller firms could struggle to comply, potentially disadvantaging startups and innovators.

Article Topics

data privacy  |  data protection  |  FTC  |  regulation  |  U.S. Government