Trump FTC pick seen as mixed bag for data privacy enforcement

President-elect Donald Trump’s choice to chair the Federal Trade Commission (FTC) has attacked data brokers, lamented the end of privacy and lambasted Big Tech. But he has also criticized the very agency he is about to take over. 

Commissioner Andrew Ferguson, the former solicitor general of Virginia, was announced as the replacement for current FTC Chair Lina Khan on Tuesday. 

Under Khan and the current Democratic majority, the FTC has cracked down on data brokers trafficking in individuals’ sensitive information and the improper use of facial recognition technology.

Ferguson has voted in favor of every privacy-related enforcement since he began his tenure as a commissioner in April, but a leaked memo he wrote to Trump and his official statements on a range of FTC actions suggest he will diverge from Khan’s approach in important ways.

In the memo, Ferguson told Trump that under his stewardship the agency would “stop abusing FTC enforcement authorities as a substitute for comprehensive privacy legislation.”

“No more novel and legally dubious consumer protection cases,” the memo, first reported by Punchbowl News, said.

Although Ferguson has said the collection and sale of data leads to troubling surveillance of individuals, he also has made clear that he believes Congress should lead the charge by enacting privacy laws and that the FTC should not fill the void.

“Commissioner Ferguson has made no secret of his preference for Congress, rather than the FTC, to set clear privacy guardrails,” said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals. “This means rulemaking activities at the Commission are likely to be deprioritized.”

Privacy advocates fear this deprioritization could kill a particularly significant effort by the agency to establish a commercial surveillance and data security rule. The agency has been working on the proposed rule since August 2022 but has not yet published it. It is said to focus on data security, data minimization and algorithmic accountability. Experts believe it is likely to be abandoned by a Ferguson-led agency.

Even as advocates see promise when it comes to the likelihood of a continued crackdown on data brokers, Ferguson also has emphasized that he strongly believes the FTC under Khan has overstepped its authority, including on privacy enforcements.

In a statement about a recent enforcement action against location data brokers, Ferguson wrote that the other commissioners erroneously view the FTC Act, which bans unfair or deceptive business practices, as “a comprehensive privacy law.”

“Comprehensive privacy regulation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs,” he wrote.

“We must not stray from the bounds of the law.”

Still, Ferguson’s skepticism about rulemaking and deference to Congress is not likely to jeopardize a high-profile effort to overhaul how children’s privacy is guarded online, Zweifel-Keegan said.

Work on an update to the Children’s Online Privacy Protection Rule (COPPA) began in the first Trump administration, and the FTC released a proposed rule last December that has not been finalized. Congress is now considering a children’s online privacy law, but mere weeks before the end of this session the bill has yet to pass.

A critic of big tech and data brokers

Ferguson is no fan of tech companies and has a strong pro-privacy bent when it comes to data collection and sales.

When the agency released a report in September condemning social media and video streaming companies for spying on consumers with few measures in place to regulate how users’ and non-users’ data is gathered, stored and sold, Ferguson came out swinging.

The report drew information from nine major platforms provided to the commission under pressure, including Meta, Snap, ByteDance, X, YouTube and Amazon.

In his statement supporting the report’s release, Ferguson said he favored publication due to how the report “sheds light on the online privacy crisis” and makes more Americans aware of the extent of the “online commercial surveillance to which they have been subjected.”

“It is alarming how much private, revealing information SMVSSs [social media and video streaming services] have been collecting, aggregating, disclosing, and indefinitely storing,” Ferguson wrote. “This massive collection, repackaging, sharing and retention of our private and intimate details puts Americans at great risk.”

Later in his statement, Ferguson lamented that foreign governments and indeed anyone with money can buy Americans’ “most private details like their browsing histories, sexual interests, private political views, and so forth.’”

He also suggested the notice and consent regime companies rely on to justify their data practices is broken. Ferguson derided big tech’s privacy policies as “long, vague and unhelpful” and noted that they “change like the seasons.”

Ferguson did not agree with the commission’s report in its entirety, however. He criticized the way the report attacked targeted advertising, saying that policymakers should “focus on protecting consumer data privacy on the front end rather than on implementing the sort of amorphous, backend advertising regulations that the report recommends.”

More recently, Ferguson voted in favor of the commission’s enforcement actions against location data brokers, which the FTC said were not doing enough to anonymize the data.

“This type of data — records of a person’s precise physical locations — is inherently intrusive and revealing of people’s most private affairs,” Ferguson wrote in a statement. “The sale of such revealing information that can be linked directly to an individual consumer poses an obvious risk of substantial injury to that consumer.”

Ferguson’s FTC is likely to continue to crack down on data privacy abuses, Zweifel-Keegan said, citing his statements largely concurring with important recent privacy orders.

“His detailed writings in those cases reflect a belief that there is a data privacy crisis in the U.S., fueled especially by Big Tech and other entities with the power to set the terms of engagement for consumers’ data,” he said.

John Davisson, the director of litigation at the Electronic Privacy Information Center, likewise sounded an optimistic note, saying that current commissioners have found “common cause” in pursuit of data privacy regulation, a trend that he said is in line with the agency’s history of working across the aisle.

Davisson said he hopes that “consensus will continue the next four years on issues like data security, children’s privacy, and the protection of our health, location, browsing and other sensitive data.”

Advocates are less hopeful that Ferguson will stick with the AI-related privacy enforcement work that Khan’s commission has recently begun, given what he said in the leaked memo.

“End the FTC’s attempt to become an AI regulator,” Ferguson wrote. 

Khan’s FTC has warned companies not to quietly change their privacy policies to allow them to mine user data to train AI and a year ago it barred RiteAid from using facial recognition technology in stores for five years on accusations of racial bias and inaccuracy. 

The memo also demonstrated what some advocates see as an alarming bias against transgender people. Ferguson called for an investigation of doctors, therapists and hospitals for “deceptively” pushing “gender confusion, hormone replacement and sex change surgery on children and adults while failing to disclose strong evidence that such interventions are not helpful and carry enormous risks.”

Advocates say regulating transgender medical care violates individual privacy by defining what kinds of services people can receive based on their sexuality, a private matter.