Earlier this week, Representatives Jan Schakowsky and Lori Trahan (D-MA) introduced the FTC Whistleblower Act of 2021 (FTCWA), which would reward and protect disclosures about potential or suspected violations of any law, rule, or regulation enforced by the Federal Trade Commission (FTC or Commission). Modeled on the successful SEC whistleblower reward program, the FTCWA (HR 6093) could supercharge FTC enforcement of laws that prohibit fraud, deception and unfair business practices.
And an FTC whistleblower reward program could spur whistleblowers at social media and technology companies to disclose data privacy and security practices that harm consumers. As demonstrated by the success of similar laws rewarding whistleblowing about various types of fraud, offering financial incentives to encourage potential whistleblowers to take the significant risk of coming forward would substantially enhance the FTC’s ability to detect and combat deceptive trade practices.
Violations that Could Qualify for a Whistleblower Award (FTC Enforcement Authority)
The U.S. lacks comprehensive general privacy and data security legislation. In many ways this limits the FTC’s ability to address harmful practices. Nonetheless, through a patchwork of statutory authority, the Commission has surprisingly broad ability to address privacy and data security concerns. This expansive scope is good news for whistleblowers because the proposed bill’s protections and incentives would cast a correspondingly wide net.
The FTC has relied on its authority under the FTC Act and narrower specific statutes to stop and remediate privacy and data security violations. Section 5 of the FTC Act provides the primary legal authority for the Commission to regulate privacy and data security. Section 5 prohibits “deceptive” or “unfair” commercial acts or practices. A representation, omission, or practice is deceptive if it is material and likely to mislead consumers acting reasonably. An act or practice is unfair if (1) it causes or is likely to cause substantial injury, (2) consumers cannot reasonably avoid the injury, and (3) benefits to consumers or competition do not outweigh the injury.
In addition to the FTC Act, the Commission enforces a variety of laws that protect specific aspects of privacy, including the Gramm-Leach-Bliley Act (“GLB”), which protects the privacy of financial information; the CAN-SPAM Act, which allows consumers to opt out of receiving commercial email messages; the Children’s Online Privacy Protection Act (“COPPA”), which protects the online privacy of children under 13; the Fair Credit Reporting Act (“FCRA”), which protects the privacy of consumer report information; the Fair Debt Collection Practices Act, which protects consumers from harassment by debt collectors; and the Telemarketing and Consumer Fraud and Abuse Prevention Act, under which the FTC implemented the Do Not Call registry.
Understanding the Commission’s jurisdiction is only the first step for analyzing whether reporting misconduct would lead to an award under the bill. The FTC’s ability to combat privacy and data security violations is quite limited. First, though Section 5 of the FTC Act gives the Commission its broadest legal authority to prosecute violations, the law’s remedies are restricted. In AMG Capital Mgmt., LLC v. FTC, the U.S. Supreme Court ruled that the FTC Act does not permit the Commission to obtain monetary relief in federal court. AMG Capital Mgmt., LLC v. FTC, 141 S. Ct. 1341 (2021). Accordingly, the FTC lost its most important tool for recouping money for those who suffered losses because of deceptive, unfair, or anticompetitive conduct.
Moreover, the FTC currently lacks adequate resources to fully pursue its enforcement priorities concerning privacy and data security misconduct. By way of comparison, the FTC’s Division of Privacy and Identity Protection has only about 40-45 employees, whereas the U.K. Information Commissioner’s office has about 768 employees, and the Irish Data Protection Commissioner has about 150 employees. The Commission estimates that it would need an additional 100 full-time employees to fulfill its enforcement priorities.
In the meantime, the FTC recently has focused on a subset of its priorities. This includes addressing 1) privacy concerns that may be heightened by the pandemic, and 2) technologies or types of data that could exacerbate racial inequities. For example, during 2021, the FTC has addressed issues the pandemic has brought to the forefront, including increased use of health apps; accuracy of data used for housing, employment, and credit; and videoconferencing and education technology.
Additionally, the Commission has collected research on racial equity issues, issued business guidance on artificial intelligence and algorithms, brought enforcement actions related to facial recognition and credit discrimination, and implemented the FTC’s Every Community Initiative. The Every Community Initiative examines consumer protection issues and the impact of unlawful privacy practices on distinct groups, including Black Americans, Latinos, Asian Americans, Native Americans, older adults, military service members and veterans, and other groups.
Despite the legal and practical limitations, whistleblowers have reason to be optimistic that they can help the Commission fulfill its aggressive agenda. In addition to the foregoing issues, the FTC aims to: 1) better integrate its privacy and data security efforts with its mission to promote competition, 2) improve remedies for consumers, 3) focus on digital platforms, and 4) expand the Commission’s understanding of algorithms.
One of the FTC’s priorities is to better integrate its privacy and data security efforts with its goal of promoting competition. Many companies have become players in digital markets by virtue of their access to and control over user data. The FTC aims to ensure that it views problems arising in digital markets through a dual lens that addresses both privacy and competition concerns. For example, market power may enable consumer protection violations that in turn decrease competition. Likewise, companies may gain market share through deceptive reassurances on privacy. In addition, the FTC wants to apply competition-based remedies in consumer protection cases. (See the Everalbum, Inc., enforcement action below as an example of how these principles may apply in action.)
Another Commission priority is to improve consumer remedies. In pursuit of its goals to provide relief for consumers and deter unfair or deceptive privacy and security practices, the FTC is focused on expanding the following types of remedies: 1) providing notice to harmed consumers (see the Flo Health, Inc., enforcement action below); 2) recovering money for harmed consumers (see the Vivint Smart Home, Inc.; Equifax; and Facebook enforcement actions below); 3) obtaining non-monetary remedies for consumers (see the Vivint action); and 4) stopping companies from benefitting from illegally collected data (see the Everalbum action).
Third, the Commission intends to increase its focus on the data practices of dominant digital platforms, so that the agency can leverage its limited resources to redress the most egregious practices and have a broader impact. The FTC sees an increased focus on order enforcement as integral to this goal. The Commission already has many large companies under order for privacy and/or data security violations, including Facebook, Google, Twitter, Microsoft, and Uber. The Commission wants its orders to have credibility, disincentivize misconduct, and improve practices across the market. To accomplish that goal, the Commission plans to shift resources to order compliance and enforcement, especially against large companies.
Finally, the FTC has a particular interest in better understanding algorithms and the consumer protection and competition risks associated with them. For example, the FTC Act’s prohibition on unfair or deceptive practices includes the sale or use of racially biased algorithms. If an algorithm’s developer promises that its product will provide unbiased results, but in fact it does not, that could be a deceptive practice. Similarly, if the use of a biased algorithm discriminates against consumers, causing them substantial injury that is not reasonably avoidable and not outweighed by countervailing benefits, the FTC could challenge that use as unfair.
Perhaps the best way to understand these enforcement priorities is to look at how the Commission has applied them in practice. The following list highlights some of the FTC’s recent notable privacy and data security enforcement actions.
- In May 2021, the Commission settled its enforcement action against Everalbum, Inc., the developer of the photo storage and organization app, Ever. In the Matter of Everalbum, Inc., FTC File No. 1923172 (2021). The Commission alleged that the company violated the FTC Act by deceiving users about how it would apply facial recognition technology to the photos collected from users. The consent order resolving the allegations required the company to delete any facial recognition models or algorithms it developed with Ever users’ photos or videos. This remedy demonstrates the FTC’s emphasis on not only stopping illegal conduct, but also prohibiting violators from gaining a competitive advantage from unlawfully collected data.
- In June 2021, the FTC resolved its first privacy-related health app case against Flo Health, Inc. In the Matter of Flo Health, Inc., FTC File No. 1923133 (2021). The Commission alleged that, in violation of its promises to users, the company disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties such as Facebook and Google. In addition to other requirements, the settlement required Flo Health to notify affected users about the disclosure of their personal information. The FTC emphasized this remedy on the basis that it allowed those users to decide whether to still use or recommend Flo Health’s services in light of its actions. The Commission reasoned that this was a fundamental equity issue because those affected by a company’s unlawful conduct have a right to know about it, but many people will not hear about an FTC action against a company they deal with unless the company tells them.
- In April 2021, the FTC resolved a federal action against Vivint Smart Home, Inc., that alleged that in some instances consumers’ credit information was used by Vivint sales representatives without their knowledge or consent to qualify another individual for financing for Vivint’s products and services. U.S. v. Vivint Smart Home, Inc., Civil Action No. 2:21-cv-00267-TS (D. Utah 2021). According to the complaint, if customers qualified using these tactics later defaulted on their loans, Vivint referred the innocent third party to its debt buyer, potentially harming that consumer’s credit and subjecting them to debt collectors. Vivint agreed to pay $20 million to settle the charges, including a $5 million redress fund for consumers who did not sign up for Vivint’s services but were contacted by debt collectors or found Vivint accounts improperly listed on their credit reports. In addition, the settlement required Vivint to establish a customer service task force to verify that accounts belong to the right customer before referring any account to a debt collector, and to assist consumers who were improperly referred to debt collectors.
- In July 2019, the FTC settled allegations that Equifax, Inc., a credit reporting company, failed to take reasonable steps to secure its network resulting in a 2017 data breach that affected approximately 147 million people. In its complaint, the FTC alleged that Equifax’s failure exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud. Equifax Inc. agreed to pay at least $575 million, and potentially up to $700 million. Notably, the Commission supplemented its authority by partnering with other agencies and states to get money back to consumers, and the FTC has stated that such partnerships will continue to be an especially important part of its enforcement efforts. This demonstrates that despite the AMG decision, the Commission still has tools to recover monetary relief for violations of the FTC Act.
- In April 2020, the U.S. District Court for the District of Columbia approved the 2019 settlement between Facebook, the FTC, and the U.S. Department of Justice. The complaint alleged that Facebook violated the Commission’s 2012 order against the company by 1) misrepresenting the control users had over their personal information, which tens of millions of users relied upon, and 2) failing to institute and maintain a reasonable program to ensure consumers’ privacy. The FTC also alleged that Facebook deceptively failed to disclose that it would use phone numbers provided by users for two-factor authentication for targeted advertisements to those users. The Commission’s order imposed a $5 billion penalty, as well as a host of modifications to the Commission’s original order designed to change Facebook’s overall approach to privacy. The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy.
As demonstrated by the foregoing enforcement actions, the FTC has leveraged its limited resources successfully to fulfill its enforcement priorities and redress the most egregious privacy and data security violations. Understanding the broad scope (and substantial limitations) of the Commission’s jurisdiction will help whistleblowers understand their rights and incentives under the new bill.
Establishing an FTC Whistleblower Reward Program
Section 3 of the FTCWA would create a whistleblower reward program at the FTC, under which a whistleblower could obtain an award ranging from 10 to 30 percent of collected monetary sanctions that the FTC recovers in an administrative or judicial action brought by the FTC or DOJ in which the aggregate monetary sanctions exceed $1,000,000. To be eligible for an award, the whistleblower must voluntarily provide original information to the FTC that the whistleblower reasonably believes relates to a potential or suspected violation of any law, rule, or regulation enforced by the FTC and that original information must lead to an FTC enforcement action.
The monetary sanctions collected in any judicial or administrative action that would qualify for an FTC whistleblower award include any monies, including penalties, disgorgement, or interest, ordered or agreed to be paid, but exclude any relief necessary to redress injury to consumers.
The FTCWA would establish a reward program at the FTC similar to the SEC whistleblower program that Congress enacted in the Dodd-Frank Act, which has proven successful in enhancing the SEC’s ability to detect and halt fraud schemes and protect investors. Since the inception of the SEC whistleblower program, whistleblower tips have enabled the SEC to recover approximately $5 billion in monetary sanctions and return $1.3 billion to harmed investors. The SEC has issued awards totaling approximately $1.2 billion to 234 individuals.
There is, however, a flaw in the text of the FTCWA authorizing the payment of awards in that HR 6093 states that the FTC “may pay an award,” whereas the Dodd-Frank Act states that the SEC “shall pay an award.” And the FTCWA provides that the “determination of whether, to whom, or in what amount to make an award shall be in the discretion of the FTC.”
Rewarding “Original Information” Leading to FTC Enforcement Actions
The FTCWA whistleblower incentive provision would encourage whistleblowers to provide “original information,” i.e., information that is derived from the independent knowledge or analysis of a whistleblower or is not known to the FTC from any other source, unless the whistleblower is the original source of the information. Providing information that is exclusively derived from an allegation made in a judicial or administrative hearing, governmental report, hearing, audit, or investigation, or from the news media would not qualify for a whistleblower award unless the whistleblower is a source of the information.
The FTCWA permits a whistleblower to be represented by counsel. But in contrast to the SEC whistleblower program, the FTCWA does not expressly authorize whistleblowers to report violations to the FTC anonymously through an attorney.
Whistleblowers Ineligible for an Award
Under the FTCWA, the FTC may deny an award to any whistleblower who:
- is convicted of a criminal violation related to the covered action;
- acting without direction from a covered entity, deliberately causes or substantially contributes to the alleged violation in the covered action; or
- fails to provide original information to the FTC in such form as the FTC may require.
The FTCWA does not limit award eligibility to whistleblowers who gain information through the performance of compliance or audit duties.
Determining the Amount of an FTC Whistleblower Award
To determine the amount of an FTC whistleblower award, the FTC will consider:
- the significance of the information provided by the whistleblower to the success of the covered judicial or administrative action;
- the degree of assistance provided by the whistleblower and any legal representative in the covered action; and
- additional factors that the FTC deems relevant.
Protecting FTC Whistleblowers Against Retaliation
Section 2 of the FTCWA creates a private right of action for whistleblowers who have suffered retaliation for disclosing a potential violation of any law, rule, or regulation enforced by the FTC. It prohibits an entity or individual subject to the jurisdiction of the FTC from retaliating against a whistleblower for:
- Making a covered disclosure (a formal or informal communication or transmission that an individual reasonably believes relates to a potential or suspected violation of any law, rule, or regulation enforced by the FTC) to the FTC or a Federal entity, including any Member or committee of Congress; a person with supervisory authority over the individual; or another individual who the individual reasonably believes has the authority to investigate, discover, or terminate the violation.
- Initiating, testifying, assisting, or participating in an investigation or judicial or administrative proceeding by a qualified entity.
- Objecting to, or refusing to participate in, any activity, policy, practice, or assigned task that the individual reasonably believes is a potential or suspected violation of any law, rule, or regulation enforced by the Commission.
The FTCWA’s definition of “whistleblower” clarifies that it protects current or former full-time, part-time, or temporary employees, contractors, subcontractors (at any tier), grantees, subgrantees, or agents of a covered entity or any person that assists or is perceived as assisting a whistleblower.
Broad Scope of Prohibited Retaliatory Adverse Actions
Similar to the Sarbanes-Oxley whistleblower protection law, the FTCWA prohibits a wide range of retaliatory acts, including directly or indirectly discharging, demoting, suspending, threatening, harassing, blacklisting, or in any other manner discriminating or taking an adverse personnel action. The catch-all category of retaliation (“in any other manner” discriminating against a whistleblower) encompasses non-tangible employment actions, such as “outing” a whistleblower in a manner that forces the whistleblower to suffer alienation and isolation from work colleagues.
A prevailing FTCWA whistleblower is entitled to the following remedies:
- triple back pay with interest;
- uncapped consequential and compensatory damages, which includes emotional distress damages; and
- reasonable attorney fees, litigation costs, and expert witness fees.
FTCWA retaliation claims would be brought directly in federal court. There is no administrative exhaustion requirement. And FTCWA retaliation claims would not be subject to mandatory arbitration.
Robust Anti-Gag Provisions
The FTCWA contains robust anti-gag provisions. It would prohibit a covered entity from taking any action that impedes or prevents an individual from communicating directly with a qualified entity about a covered disclosure, including enforcing, or threatening to enforce, a confidentiality or non-disparagement agreement. And a covered entity (an entity subject to the jurisdiction of the FTC) would be prohibited from requiring the consent of the counsel of the covered entity for a qualified entity (the FTC, a Federal entity, or Congress) to communicate directly with an individual or the attorney of an individual (if the individual is represented by an attorney) regarding a possible covered disclosure. A violation of the anti-gag provisions would be deemed an unfair or deceptive act or practice subject to FTC enforcement authority, including penalties.
FTCWA Would Not Preempt or Diminish Additional Retaliation Remedies
The FTCWA’s whistleblower protection provision would not preempt or supersede any other Federal or State law relating to whistleblower protections. Nor would it diminish the rights, privileges, or remedies of any whistleblower under any Federal or State law, or under any collective bargaining agreement.
If enacted, the whistleblower rewards and protection provisions of the FTCWA will play a critical role in identifying and combating consumer protection fraud.
Purpose of FTC Whistleblower Act of 2021
A press release from Congresswoman Jan Schakowsky states the purpose of the FTCWA:
“Whistleblowers risk their livelihoods to bring truth to light and help safeguard the public from corporate wrongdoing,” said Congresswoman Schakowsky. “Recent events have again proven how indispensable whistleblowers are to our society, to democracy, and to American families. That is why today my colleague Representative Trahan and I take action to support whistleblowers. The FTC Whistleblower Act of 2021 will help the Commission to take bold action against wrongdoers by protecting whistleblowers from retaliation for their bravery and incentivizing the disclosure of unlawful activity that harms American consumers.”
Congresswoman Trahan added, “Time and time again, whistleblowers have proven key in uncovering information critical to protecting consumers. As the Federal Trade Commission works to investigate harmful behavior by massive corporations, it’s important that the agency offers safeguards to protect and incentivize potential whistleblowers, as is standard with several other investigatory agencies. I’m proud to join with Chairwoman Schakowsky to introduce the FTC Whistleblower Act of 2021, which will enable the Commission to establish these essential standards and bolster its important work.”
“Whistleblowers play an essential role in exposing waste, fraud, and misconduct that directly impacts consumers,” said Melissa Wasser, policy counsel, Project On Government Oversight. “Establishing a whistleblower award program at the Federal Trade Commission (FTC) will incentivize whistleblowers to come forward with tips and protect those whistleblowers from retaliation. POGO thanks Representative Schakowsky and her team for their commitment to protect whistleblowers at the FTC by mirroring best practices within this new award program. This legislation ensures more whistleblowers will come forward with important disclosures that will strengthen consumer protection.”