Dissents over Zoom settlement may offer roadmap to policy shifts in Biden administration

As speculation ramps up about what to expect in a Biden administration on privacy policy, the Federal Trade Commission’s two Democratic members set out a possible roadmap for the future in their dissents over the agency’s settlement with Zoom.

Rohit Chopra and Rebecca Slaughter picked up themes from past dissents and added some new angles as they lambasted what they saw as serious deficiencies in the proposed order with Zoom to settle charges of misrepresenting the strength of its security measures and evading a browser security feature.

“The FTC’s status quo approach to privacy, security and other data protection law violations is ineffective,” Chopra wrote. “The Commission must change course.”

Those comments take on new force as the Biden-FTC transition team is off and running at a time when privacy and data security issues are front page news.

The commissioners suggest “a potential path towards more aggressive privacy enforcement in the future,” Kirk Nahra, a veteran privacy expert at WilmerHale, wrote in an e-mail. “There are certainly points in these dissents that are intended to drive a tougher agenda.”

“For me, Commissioner Chopra’s observation that Zoom didn’t even tell the [Securities and Exchange Commission] about the investigation, presumably because it wasn’t material, means that the FTC stick needs to be wielded a bit more firmly,” Chris Hoofnagle, a professor at the University of California-Berkeley School of Law, wrote in an e-mail. In 2016, he authored the book Federal Trade Commission Privacy Law and Policy.

Since it’s all but certain that FTC Chairman Joe Simons will be stepping down, the agency’s direction will be steered by a new leader. The list of candidates for the post includes Chopra and Slaughter, a fact that makes their dissents even more noteworthy.

But their concerns have provoked debate that they’re unrealistic or underestimate the strength of the proposed order with the videoconferencing company.

Some takeaways from their dissents follow.

Failure to treat data security and privacy as intertwined. Slaughter writes the proposed order requires Zoom to establish an information-security program and submit to third-party audits, yet fails to even refer to “consumer privacy.” Sound data security practices do not guarantee privacy protection, she argues, and fail to recognize that “the reason customers care about security measures in products like Zoom is that they value their privacy.”

She would have ordered Zoom to regularly review consumer privacy risks posed by its products and build in privacy-risk mitigation before launching new products. “When companies offer services with serious security and privacy implications for their users, the Commission must make sure that its orders address not only security but also privacy.”

Jessica Rich, who served as director of the Bureau of Consumer Protection in the Obama administration, e-mailed that “I don’t think she’s right about that. Between the very broad prohibitions on privacy and security misrepresentations and the extremely detailed data security and third-party assessment requirements, Zoom is on the hook to protect virtually all aspects of privacy and security, and the FTC has what it needs for close monitoring and potential enforcement.”

But Daniel Solove, a George Washington University law professor, and Woodrow Hartzog, a Northeastern University law professor, agreed with Slaughter’s critique. In a blogpost, they say “privacy should have been a focus of the consent decree.”

Zoom, like many other “young tech companies,” focuses on growth and technology while only considering privacy later, “after everything is built,” they write. Instead, “privacy should be taken seriously at the start.”

Solove and Hartzog claim the FTC “often doesn’t step in until a company has grown quite large and prominent, so companies know that they can ignore privacy and security in the shadows until they step into the limelight.”

David Vladeck, Rich’s predecessor as bureau director and a law professor at Georgetown University, wrote in an e-mail that “the most urgent threat to privacy is a significant data breach, and I think that is partially Commissioner Slaughter's point. And the FTC has developed separate orders in each sphere, but that doesn't mean that the approaches have been compartmentalized.”

“I am sympathetic to her concern that the Zoom order ought to have more explicitly addressed privacy,” Vladeck added. “To be sure, the data security provisions make progress on that front. But I am generally on Zoom for at least 5 hours a day (the law school uses it for all classes, faculty meetings, etc), and I understand Commissioner Slaughter's concerns.”

An FTC official said a firm’s security practices often implicate consumer privacy concerns, and the proposed order reflects that. It prohibits Zoom from making privacy misrepresentations such as how it collects, uses or shares consumers’ personal information. Also, Zoom’s establishment of an information-security program includes privacy safeguards such as inventorying consumer data and including deletion protocols.

But such defenses left Slaughter unpersuaded. She tweeted the security/privacy issue “implicates an important part of a larger policy debate over data abuse in the US.”

FTC: Litigation averse? Chopra wrote “when it comes to data protection, FTC Commissioners have rarely voted to authorize agency staff to sue national players for misconduct. We must do more to safeguard against any perception about the agency’s unwillingness to litigate.”

That theme has surfaced in several of Slaughter’s dissents. She’s argued the benefits of litigation include transparency and accountability for the target company and the agency, as the FTC must present its case in a public court and the company must respond. There’s also the prospect of a finding of liability, which has a large deterrent effect.

But in a media call, Andrew Smith, director of the Bureau of Consumer Protection, countered the settlement with Zoom would provide certain, immediate relief without rolling the dice in protracted litigation.

“We are providing strong injunctive relief in a timely way while we still can use it,” he said. “Had we litigated this case we might have gotten more or different relief, but I’d bet we’d be having this conversation in 2022 rather than today.”

Rich also cautioned against generalizations about the merits of litigation. “There are always tradeoffs between settling and litigating, and it’s appropriate for the Commissioners to raise these questions,” she e-mailed. “However, it’s not a cookie-cutter issue — in every case, you need to evaluate which option is likely to get the best result for consumers.”

“Also, while I don’t know the backstory in these recent cases, I do know that institutionally, the FTC hasn’t shied away from litigation. Consider, for example, its successful court cases against AT&T, D-Link, Amazon, LifeLock, and Wyndham, as well as its unsuccessful ones against LabMD and DirecTV,” Rich said.

But Chopra used the example of the Wyndham Hotels litigation to underscore the important legal developments that come from trying a case rather than settling. In 2012, the agency charged Wyndham with unfair data practices and won over an aggressive defense by the hotel.

“The court’s ruling cemented the Commission’s ability to target lax data security practices under existing law,” Chopra noted.

Many factors are involved in deciding whether to litigate, according to Vladeck.

“It is hard to litigate when a company wants to settle,” he wrote. “There were many cases during my tenure I would have relished litigating, but that question is generally resolved by the defendant, not the FTC. The more difficult question is what constitutes a reasonable settlement? There are too many factors to answer this question sensibly, and ultimately, that is for the Commission to decide.”

Vladeck addressed whether the failure to secure admissions from defendants in settlements makes them a less appealing alternative to litigation, which has the prospect of a finding of liability.

“Putting admissions on the table might help the FTC extract tougher settlements,” he e-mailed. “But at what cost? ... Whatever policy the FTC decides, it should be uniform — not dependent on the defendant's resources. If the Commission decides to require admissions, it has to be an all-or-nothing rule, and categorical rules always have virtues and vices.”

“This issue was alive when I was at the FTC and the Commission decided that on balance, forcing admissions wasn't worth it — it might discourage otherwise valuable settlements, it might lead to disparate treatment of companies depending on their resources, and there was no consensus that admissions would, in fact, have a substantial deterrent effect.”

Questioning the effectiveness of third-party assessments. A common provision in FTC orders requires defendants to retain a third party to monitor compliance with data protection protocols, but Chopra questioned whether such monitors “are truly effective when it comes to deterring or uncovering misconduct.”

He uses Facebook as an example. An independent third party “was supposedly watching over the company’s compliance” with privacy obligations under a 2012 order between the social media behemoth and the agency. But it failed to do so, as the FTC filed a complaint charging major violations of the order.

Chopra also backed making third-party reports public to get companies and monitors to take them more seriously.

But the FTC’s Smith countered the agency now includes in its data security orders various steps to increase accountability of third-party assessors. “Assessors can’t just take the company’s word for it — they have to do the work. They have to show the work.”

“They have to identify evidence to support their conclusions, including independent sampling, employee interviews and document review. They have to retain all their work papers and provide the FTC with access to those work papers,” he said, adding that the FTC is empowered to withhold approval of a third-party assessor.

Unpersuaded, Chopra said there’s a need to “restore the agency’s credibility deficit when it comes to oversight of the digital economy. This does not stem from a lack of authority or resources or capabilities from our staff — it stems from the policy and enforcement approach of the Commission, and this needs to change.”