Administrative Agencies & Their Role in Technological Regulation

By: Chi Kim

On January 7, 2023, Kevin McCarthy became Speaker of the House after his colleagues from the House of Representatives held fifteen separate voting sessions. The House demonstrated an equally impressive and depressing feat given the inability of our current elected officials to achieve results for even seemingly mundane decisions. While many liberal observers may have rejoiced at the chaos, the fifteen votes are emblematic of an overall trend of inefficiency within the legislative branch and political processes, especially when tackling more fluid concepts and problems within the technology sector. Creating regulations requires large amounts of information, lobbying, and time to convince policymakers with inflexible positions and procedures around fluid and emerging technologies of the merits of the proposed regulations. In addition to the typical policy lag, the timeline for proposed technological regulations is further exacerbated by the following intrinsic and extrinsic factors.

Intrinsically, Congress is not equipped to handle technological regulation by design. Although our most recent Congress is younger than its predecessor by one year, this small change alone is a historical anomaly. The 118th Congress is the third oldest since 1789, and the age of Congress has generally been climbing since the early 1980s. The average ages in the Senate and House are 63.9 and 57.5, respectively. While this could be the result of modern medical advancements, the increasing age of our elected officials bodes negatively for the hope that our policymakers will understand the technology that they are regulating. Remember, for instance, the famous Facebook hearings? Even the generally unpopular Mark Zuckerberg looked relatable when forced into the position of explaining a new technology to an older person. Beyond the general lack of subject matter expertise, congressional officials cannot invest the requisite time to learn about these issues while also tackling persistent issues within voting rights legislation, labor and supply chain constraints from international pressures, and a looming recession creeping closer layoff by layoff.

Extrinsically, big tech still has a massive voice within our congressional chambers. During the 2020 election cycle fifteen major tech companies, including Amazon, Facebook, Google, Microsoft, Oracle, and others, spent $96.3 million to influence forthcoming bills like the National Defense Authorization Act, Fairness for High Skilled Immigrants Act, and the CHIPS for America Act. While Congress receives input from stakeholders, there is often a cost to frame their political positions. 

Despite our political gridlock, the American government is not completely unarmed against big tech. In political law, hydraulics is the concept that political energy is never destroyed but rather manifests into new forms, finding new gaps and openings within the regulatory or political landscape, much like water does on earth. In the context of the technological landscape, the responsibility of passing regulations has flowed to administrative bodies. The Federal Trade Commission (FTC), for example, influences technology policy in a number of different ways. The FTC recently filed a lawsuit against data broker Kochava Inc. for selling geolocation data from millions of mobile devices. If the FTC is successful, such a ruling would likely affect the overall data broker industry. Notably, the FTC leadership impacts the policy direction advanced by the agency. For FTC Commissioner, President Biden appointed Alvaro Bedoya, who previously served as the founding director of the Center on Privacy and Technology at Georgetown Law Center where he worked at the intersection of privacy and civil rights. Additionally, as of the writing of this article, the FTC is accepting public comments for a proposed rule to ban non-compete clauses. This rule is intended to increase worker earnings and create more competition among big tech. While administrative agencies do have their own procedural “policy lags,” the FTC can still actively tackle issues while receiving input from internal and external industry experts without being directly tainted by lobbying efforts. 

Law and technology are often portrayed as incompatible ideas — rising technology meeting archaic regulations. However, policymakers need to realize that law and technology are not so different — both policymaking and technology development require troubleshooting and reiterations over time. However, unlike the software engineers in the companies that they regulate, policymakers do not have endless opportunities to sandbox their regulations before fully staking their political careers and capital. The responsibility of making such regulations has often flowed to administrative agencies that can take measured steps on the daunting task of regulating big tech companies. However, Congress should build on administrative agency efforts by passing bills based on the failures or successes of the agency actions. Doing so could result in more relevant and long-lasting technology regulations.

The FTC Takes on Health and Fitness Apps’ Rampant Privacy Problems

By: Laura Ames

More and more Americans are turning to mobile health and fitness applications, but many worry about the lack of regulations that would ensure that developers of these products keep user information secure and private. The Federal Trade Commission (“FTC”) recently addressed this concern with a policy statement (“Statement”) including app developers among the entities who must follow certain notification procedures after security breaches. However, many question the Statement’s practical effects and whether the FTC had the authority to issue it.

Health App Trends

Mobile health and fitness apps have gained popularity in recent years, and the COVID-19 pandemic only accelerated this growth. In fact, the United States led the world in health and fitness app downloads as of October 2020 with 238,330,727 downloads that year alone. Even with this increased usage, a recent poll showed that over 60% of U.S. adults felt at least somewhat concerned regarding the privacy of their health information on mobile apps. These worries appear to be well-founded. Flo Health Inc., the developer of a menstrual cycle and fertility-tracking app, currently faces a consolidated class action alleging the company disclosed users’ health information to third parties without users’ knowledge. This is not an isolated concern. A recent study of over 20,000 health and fitness apps found that a third of these apps could collect user email addresses and more than a third transmitted user data to third parties such as advertisers.

The Original Health Breach Notification Rule

Congress enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as an investment in American health care technology. Subtitle D of this Act delegated authority to the FTC to promulgate breach notification requirements for breaches of unsecured protected health information. In 2009, the FTC issued its Health Breach Notification Rule (“HBNR”) covering vendors of personal health records (“PHR”) and PHR-related entities who experienced a security breach. The HBNR requires these entities to notify affected individuals and the FTC. Crucially, the HITECH Act defines a PHR as an electronic record that can be drawn from multiple sources.

The FTC has never enforced the HBNR, but the possibility for changes to the rule has been on the horizon for some time. In 2020, the FTC requested public comments on the HBNR, which functions as a part of their rulemaking process, saying that it was merely a periodic review of the rule. However, before that comment period ended, the Commission issued a policy statement that turned heads.

The FTC Makes a Bold Move

On September 15, the FTC issued a statement with two of the five Commissioners dissenting. The FTC’s stated goal was to clarify the HBNR and put entities on notice of their security breach obligations. The FTC explained that the HBNR is triggered when “vendors of personal health records that contain individually identifiable health information created or received by health care providers” experience a security breach. The first major revelation was that the FTC considers developers of health apps or connected devices as health care providers because they provide health care services or supplies.

Additionally, the FTC stated that it interprets the rule as covering apps that are capable of drawing information from multiple sources, like through a combination of consumer inputs and application programming interfaces (“APIs”). The statement gave two examples of apps that are covered under this understanding. First, an app that collects information directly from users and has the capacity to draw information through an API that enables syncing with a user’s fitness tracker. Second, an app is implicated if it draws information from multiple sources even if the health information only comes from one source. For example, if a consumer uses a blood sugar monitoring app that draws health data only from that consumer’s inputs but also draws non-health data from the phone’s calendar, that app is covered by the HBNR.

Additionally, the FTC sought to remind entities that a breach is not limited to cybersecurity intrusions but also includes unauthorized access to information. Under this interpretation, companies that share information without a user’s authorization would also be subject to the Rule. Although the FTC had not previously enforced the Rule, this Statement also served to signal the FTC’s willingness to do so. It mentions that businesses could face potential civil penalties of $43,792 per violation per day.

Obviously, these clarifications could subject many app developers and other companies to the FTC’s rule. However, in the eyes of some, including the two dissenting Commissioners, this statement is not a mere clarification but a fundamental policy change. It could not only lead to potential confusion but could also be a breach of the FTC’s statutory authority and rulemaking process.

Critiques and Larger Questions

Some legal experts argue that this statement represents an expansion of the HBNR that could lead to further confusion for app companies and others. The two dissenting FTC Commissioners go further than potential confusion in their statements.

Commissioner Christine S. Wilson argued that this Statement both short-circuits the FTC’s rulemaking process and also improperly increases its statutory authority by expanding the definitions of terms without legislative approval. Commissioner Noah Joshua Phillips agreed that this statement’s first problem is its issuance in the middle of a request for public comment. Wilson pointed out that the FTC’s own business guidance for dealing with the HBNR directly contradicted the statement by saying that “if consumers can simply input their own” health data on a business’ site, for example, a weekly weight input, then the business is not covered by this rule. Wilson also expressed concerns that this interpretation of “health care provider” was a potentially slippery slope. For instance, does Amazon qualify as a health care provider given that users can purchase Band-Aids and other medical supplies through its phone app?

In the coming months, we might see the FTC forcing app developers to notify customers of data disclosures, but the debate around this statement also reveals larger questions concerning health care at the moment. Fundamental questions that once might have seemed easy to answer, such as who qualifies as a health care provider, are growing murkier. In the wake of COVID-19’s effects on telehealth and health technology in general, it seems unlikely that health care will phase out of this continued intermingling with technology. If that is the case, then legislation and regulations surrounding health care will continue to have to scramble to catch up with this rapid technological evolution.

Prove It or Lose It: The FTC’s Standard for Scientific Support of Medical App Claims

By: Julie Liu

Among the countless mobile applications that allow us to control much of our lives, the growing wave of medical apps allows us to manage and improve our health with the convenience of a phone or tablet. But, as illustrated by the Federal Trade Commission’s approval of its final order against the maker of the UltimEyes app, this possibility comes with important limitations.

Five Stars for the Recent Crackdown on Fake Reviews

By: Alex Bullock

Think of the last time you were in the market for a product or to find a restaurant for dinner – did you search online for reviews of the product or the business? If you’re like me and many other modern consumers, the answer is likely, “Yes.” And again, if you’re like me, you may take for granted that those online reviews are objective and real. That is why it is encouraging to hear that a company like Amazon, as well as the Federal Trade Commission (FTC), are taking steps to ensure that consumers can trust those reviews.

In October, Amazon filed suit against more than 1,000 people who allegedly offered to write reviews of products they had not used in exchange for a fee. According to the company’s complaint in King County Superior Court, each of the individuals sued in this case used the website Fiverr, a global online marketplace for individuals offering tasks and services, to offer to create fake reviews for a fee. The complaint outlines a typical encounter between an Amazon seller and a prospective fake reviewer.

A New (Old) Sheriff: The FTC’s Authority on Cybersecurity Affirmed

By: Julie Liu

As we know well from news coverage of hacks and leaked information, consumers and employees take a gamble whenever they give their personal information to a company. Consciously or not, these individuals count on the company’s technological savvy in combination with its data security policies to keep the information safe. While this status has not changed much since businesses first became digitized, regulations are gradually catching up. For the Federal Trade Commission (FTC), cybersecurity has been a top priority in recent years, and it will likely tighten its grip on businesses with inadequate security measures.

Late last month, the U.S. Court of Appeals for the Third Circuit issued its long-awaited ruling in FTC v. Wyndham Worldwide Corporation, a case which reevaluated the FTC’s authority to regulate cybersecurity. Litigation began in 2012 when the FTC sued Wyndham Worldwide, a hotel chain company, for unfair business practices. The FTC alleged that Wyndham’s inadequate data security led to three data breaches at Wyndham hotels in two years. According to the complaint, these breaches compromised more than 619,000 payment card accounts and caused over $10.6 million in fraud loss. Wyndham responded with a motion to dismiss the complaint, arguing that the FTC did not have the authority to bring the suit in the first place. The district court denied the motion last year, and the Third Circuit has now affirmed this order on interlocutory appeal.
