‘We’re not trying to remake the economy’: FTC’s Mufarrige charts new course on tech enforcement

As director of the Federal Trade Commission’s (FTC) Bureau of Consumer Protection, Chris Mufarrige has reshaped how the agency has approached regulating technology and privacy. Mufarrige has focused privacy regulation largely on protecting children’s data and punishing companies for data breaches but, unlike his predecessor, has initiated no new enforcements against data brokers.

Mufarrige told Recorded Future News that he is “not trying to write rules to remake the economy,” which he claims the agency did under Biden administration chair Lina Khan. In a wide-ranging conversation, he discussed the agency’s embrace of age verification, why the Trump FTC has narrowed its focus, the fact that the FTC is keeping an eye on Meta and how industry should think about data privacy enforcement under his watch. 

This interview has been edited for length and clarity. 

Recorded Future News: At an FTC-hosted workshop last month, you and other agency officials focused on the merits of age verification systems and made it clear you support them. You said the Children’s Online Privacy Protection Rule (COPPA) should not be an “impediment to the most child protective technology to emerge in decades.” Why are you so bullish on age verification?

Chris Mufarrige: The key, in my view, for not just COPPA, but the safety of kids online — or the threshold gating question when you're talking about those issues — is identifying who the user is and understanding whether or not the user is a child. That's one of the trickiest elements of these, not just COPPA cases, but any case involving kids, or any time we're evaluating conduct that involves kids, is identifying the universe of the users, whether it's a platform, social media, a gaming site, whatever it is that we're looking into, trying to identify who is a kid or who's under 13 in the instance of COPPA. 

It can sometimes be a tricky issue so one of the things that's promising about age verification is that, as the technology continues to build on itself and improve, we're able to identify who are kids and who are not.

RFN: The enforcement date for the amended COPPA rule is coming up in less than two months. Are there any particular new elements of the rule that you're prioritizing for enforcement?

CM: The new requirements around data, the use of data, data minimization — I think that those things are obviously important. In terms of the real sort of meat of COPPA though it has long been the case that the central issue there is ensuring that parents have control over their children's data. And operators get that consent from parents and that's really the key that we're focusing on.

RFN: Recent reporting indicates that Meta is on the brink of adding facial recognition technology to its smart glasses, which critics say present enormous privacy, safety and stalking risks to the public. Children's privacy would also seem to be threatened by these smart glasses. So I'm wondering if this is on your radar and an issue of concern. 

CM: Meta is under an extremely robust order [for privacy violations] and we are constantly monitoring it and if we believe at any point in time that they are either introducing a new product or there's evidence to suggest that they're violating the order we will not hesitate to act in those instances.

RFN: In December, the president charged the FTC with identifying ways in which the FTC Act might preempt state AI laws that require developers to identify and mitigate distortions and patterns of invidious discrimination in their algorithmic systems. But as many experts have noted, the FTC Act has virtually no preemptive effect. Can you identify any specific examples of how the FTC Act would preempt state laws, AI or otherwise?

CM: This is something that we've been actively thinking through, and I think it's helpful to understand the traditional black letter law of Section Five [the part of the FTC Act barring unfair and deceptive practices] and then understand how that interacts with state law. Particularly when you're talking about the deception prong of Section Five, it provides a certain baseline of consumer protection to consumers in the sense that firms can't present untruthful, misleading information… [AI programs] can't doctor the information in order to comply with the state law. Section Five will still apply in those instances.

RFN: What consumer harms from AI are of greatest concern to the FTC and how is the FTC planning to address these concerns from the public about the AI's risks? 

CM: Our biggest focus right now is ensuring that AI is not used to facilitate fraud… What we're not focused on is substantive regulation of AI and we don't believe that should be our role.

RFN: You have said you'll be looking at some teen privacy issues, possibly relating to financial privacy over the next year. Is there any preview on what to expect with that and what companies should most focus on right now? 

CM: I came from financial services. There's been a proliferation of apps that are directed at teens and it’s really more financial tools — whether it's offering prepaid cards, debit cards, credit cards. Obviously, these apps involve parents as well. But the end customers really are the teens. You can imagine, if you have a high schooler then you might not have money on hand, it's probably easier to have a prepaid card or a debit card or something to that effect — whether it's in your wallet, your digital wallet, or physically. Those are the types of things that I was alluding to and that's an area where we are dedicating some resources.

RFN: It's no secret the FTC has lost a lot of experienced staff in the past year, including in the privacy division. How will you be able to staff investigations and enforcement actions, particularly in light of new enforcement responsibilities like the Take It Down Act, a law criminalizing the nonconsensual publication of intimate images?

CM: We've hired a lot in the last six months, and we're hiring more. If you look at our website right now, I think we have about nine postings up, including for Take It Down… The last admin was hyper focused on writing broad, expansive rules, which require significant resources. To the extent we're interested in just a handful of rules… We're focused on enforcement. The last admin over-hired and that wasn't sustainable. 

RFN: Are there plans to enforce Take It Down as rigorously as you have COPPA? What should industry expect?

CM: In the coming weeks and months, we're going to be rolling out significant guidance in statements, both coming from staff and the bureau in terms of our expectations with Take It Down. We're actively thinking through how to both ingest complaints and we're thinking about where we want to focus our enforcement resources initially. These are all active conversations and we're going to hit the ground running whenever our authority kicks in.

RFN: What are the FTC’s plans this year to confront the expanding privacy risks posed by data brokers?

CM: Right now we're actively litigating a case against a data broker called Kochava. We've been in active litigation all year and so that represents a significant number of resources in terms of how we're trying to take on that industry. I also recently sent 13 letters to data brokers or potential data brokers on their compliance with the Protecting American Data from Foreign Actors Act. We're actively looking at this space. And if we have evidence that data brokers are violating the law, then we're going to be bringing action. 

RFN: Besides COPPA, which enforcement priorities of the previous FTC do you expect the current FTC will continue working on with respect to tech practices?

CM: We brought in our own set of priorities, and obviously we are hyperfocused on big tech and that's why we brought cases against, obviously, Amazon, Disney… We have our own positive agenda that's focused on quantifiable and substantial harm to consumers. We're not trying to remake the economy. We're not trying to write rules to remake the economy. We’re focused on traditional meat and potatoes consumer protection cases. 

RFN: And by remaking the economy, that's an allusion to what you believe the Khan FTC was doing? 

CM: That's precisely right. 

RFN: The agency is focusing on the potential injuries and benefits posed by consumer data collection and use. What do you see as the benefits of this type of data collection and use?

CM: What do I see as the benefits?... Are you suggesting there's no benefits?

RFN: Well, I'm just saying a lot of people would focus on the negatives, the privacy violations… I'm not saying there are no benefits, but I'm just curious how you would characterize it as beneficial.

CM: Our job here at the commission is to enforce the law. Traditionally, when we're talking about data brokers, when we're talking about the use of data, it is the case that we're talking about the provision of unfairness [in the FTC Act] that requires a cost benefit analysis. So for us to come in and enforce the law, we have to at least grapple with what industry may be arguing, and we need to understand the data and the facts in order to make arguments that land in court. 

So it would be foolish, and it was foolish of the last admin, to dismiss any benefits that could come from data practices. We have to understand those practices if we're going to be effective in court and if we're going to be effective in terms of making sure that we're targeting the types of practices that truly harm consumers.

RFN: Surveillance pricing has been in the news a lot as it has emerged that more companies are using it and states are legislating against it. How is the FTC considering this issue?

CM: Surveillance pricing was a term made up by the last admin. And so I'm not sure I accept that premise either. We focus on the misuse of data. When folks use that term, surveillance pricing, it's unclear to me sometimes what it is that they're alluding to. If folks are using people's data inappropriately, that's covered under the law, and we can take action and we will take action. But it just is kind of like the use of the word dark patterns. These are terms that were just made up, buzzwords by the last admin. 

RFN: Let's define surveillance pricing as using people's location, how often they click on something, how airlines might be using knowledge of a death in the family to price tickets, intimate knowledge of something happening with consumers to set prices. 

CM: You identified like four different circumstances or situations where folks may be using data… What folks are likely alluding to is companies attempting to discern consumers' price elasticities, which can lead to consumer harm, sure. If we have evidence that folks are taking advantage of consumers' data in that way then we will take action.