Earlier this week, Representatives Jan Schakowsky and Lori Trahan (D-MA) introduced the FTC Whistleblower Act of 2021 (FTCWA), which would reward and protect disclosures about potential or suspected violations of any law, rule, or regulation enforced by the Federal Trade Commission (FTC or Commission). Modeled on the successful SEC whistleblower reward program, the FTCWA (HR 6093) could supercharge FTC enforcement of laws that prohibit fraud, deception and unfair business practices.
And an FTC whistleblower reward program could spur whistleblowers at social media and technology companies to disclose data privacy and security practices that harm consumers. As demonstrated by the success of similar laws rewarding whistleblowing about various types of fraud, offering financial incentives to encourage potential whistleblowers to take the significant risk of coming forward would substantially enhance the FTC’s ability to detect and combat deceptive trade practices.
The U.S. lacks comprehensive general privacy and data security legislation. In many ways this limits the FTC’s ability to address harmful practices. Nonetheless, through a patchwork of statutory authority, the Commission has surprisingly broad ability to address privacy and data security concerns. This expansive scope is good news for whistleblowers because the proposed bill’s protections and incentives would cast a correspondingly wide net.
The FTC has relied on its authority under the FTC Act and narrower specific statutes to stop and remediate privacy and data security violations. Section 5 of the FTC Act provides the primary legal authority for the Commission to regulate privacy and data security. Section 5 prohibits “deceptive” or “unfair” commercial acts or practices. A representation, omission, or practice is deceptive if it is material and likely to mislead consumers acting reasonably. An act or practice is unfair if (1) it causes or is likely to cause substantial injury, (2) consumers cannot reasonably avoid the injury, and (3) benefits to consumers or competition do not outweigh the injury.
In addition to the FTC Act, the Commission enforces a variety of laws that protect specific aspects of privacy, including the Gramm-Leach-Bliley Act (“GLB”), which protects the privacy of financial information; the CAN-SPAM Act, which allows consumers to opt out of receiving commercial email messages; the Children’s Online Privacy Protection Act (“COPPA”), which protects the online privacy of children under 13; the Fair Credit Reporting Act (“FCRA”), which protects the privacy of consumer report information; the Fair Debt Collection Practices Act, which protects consumers from harassment by debt collectors; and the Telemarketing and Consumer Fraud and Abuse Prevention Act, under which the FTC implemented the Do Not Call registry.
Understanding the Commission’s jurisdiction is only the first step for analyzing whether reporting misconduct would lead to an award under the bill. The FTC’s ability to combat privacy and data security violations is quite limited. First, though Section 5 of the FTC Act gives the Commission its broadest legal authority to prosecute violations, the law’s remedies are restricted. In AMG Capital Mgmt., LLC v. FTC, the U.S. Supreme Court ruled that the FTC Act does not permit the Commission to obtain monetary relief in federal court. AMG Capital Mgmt., LLC v. FTC, 141 S. Ct. 1341 (2021). Accordingly, the FTC lost its most important tool for recouping money for those who suffered losses because of deceptive, unfair, or anticompetitive conduct.
Moreover, the FTC currently lacks adequate resources to fully pursue its enforcement priorities concerning privacy and data security misconduct. By way of comparison, the FTC’s Division of Privacy and Identity Protection has only about 40-45 employees, whereas the U.K. Information Commissioner’s office has about 768 employees, and the Irish Data Protection Commissioner has about 150 employees. The Commission estimates that it would need an additional 100 full-time employees to fulfill its enforcement priorities.
In the meantime, the FTC recently has focused on a subset of its priorities. This includes addressing 1) privacy concerns that may be heightened by the pandemic, and 2) technologies or types of data that could exacerbate racial inequities. For example, during 2021, the FTC has addressed issues the pandemic has brought to the forefront, including increased use of health apps; accuracy of data used for housing, employment, and credit; and videoconferencing and education technology.
Additionally, the Commission has collected research on racial equity issues, issued business guidance on artificial intelligence and algorithms, brought enforcement actions related to facial recognition and credit discrimination, and implemented the FTC’s Every Community Initiative. The Every Community Initiative examines consumer protection issues and the impact of unlawful privacy practices on distinct groups, including Black Americans, Latinos, Asian Americans, Native Americans, older adults, military service members and veterans, and other groups.
Despite the legal and practical limitations, whistleblowers have reason to be optimistic that they can help the Commission fulfill its aggressive agenda. In addition to the foregoing issues, the FTC aims to: 1) better integrate its privacy and data security efforts with its mission to promote competition, 2) improve remedies for consumers, 3) focus on digital platforms, and 4) expand the Commission’s understanding of algorithms.
One of the FTC’s priorities is to better integrate its privacy and data security efforts with its goal of promoting competition. Many companies have become players in digital markets by virtue of their access to and control over user data. The FTC aims to ensure that it views problems raising in digital markets through a dual lens that addresses both privacy and competition concerns. For example, market power may enable consumer protection violations that in turn decrease competition. Likewise, companies may gain market share through deceptive reassurances on privacy. In addition, the FTC wants to apply competition-based remedies in consumer protection cases. (See the Everalbum, Inc., enforcement action below as an example of how these principles may apply in action.)
Another Commission priority is to improve consumer remedies. In pursuit of its goals to provide relief for consumers and deter unfair or deceptive privacy and security practices, the FTC is focused on expanding the following types of remedies: 1) providing notice to harmed consumers (see the Flo Health, Inc., enforcement action below); 2) recovering money for harmed consumers (see the Vivint Smart Home, Inc.; Equifax; and Facebook enforcement actions below); 3) obtaining non-monetary remedies for consumers (see the Vivint action); and 4) stopping companies from benefitting from illegally collected data (see the Everalbum action).
Third, the Commission intends to increase its focus on the data practices of dominant digital platforms, so that the agency can leverage its limited resources to redress the most egregious practices and have a broader impact. The FTC sees an increased focus on order enforcement as integral to this goal. The Commission already has many large companies under order for privacy and/or data security violations, including Facebook, Google, Twitter, Microsoft, and Uber. The wants its orders to have credibility, disincentivize misconduct, and improve practices across the market. To accomplish that goal, the Commission plans to shift resources to order compliance and enforcement, especially against large companies.
Finally, the FTC has a particular interest in better understanding algorithms and the consumer protection and competition risks associated with them. For example, the FTC Act’s prohibition on unfair or deceptive practices includes the sale or use of racially biased algorithms. If an algorithm’s developer promises that its product will provide unbiased results, but in fact it does not, that could be a deceptive practice. Similarly, if the use of a biased algorithm discriminates against consumers, causing them substantial injury that is not reasonably avoidable and not outweighed by countervailing benefits – the FTC could challenge that use as unfair.
Perhaps the best way to understand these enforcement priorities is to look at how the Commission has applied them in practice. The following list highlights some of the FTC’s recent notable privacy and data security enforcement actions.
As demonstrated by the foregoing enforcement actions, the FTC has leveraged its limited resources successfully to fulfill its enforcement priorities and redress the most egregious privacy and data security violations. Understanding the broad scope (and substantial limitations) of the Commission’s jurisdiction will help whistleblowers understand their rights and incentives under the new bill.
Section 3 of the FTCWA would create a whistleblower reward program at the FTC, under which a whistleblower could obtain an award ranging from 10 to 30 percent of collected monetary sanctions that the FTC recovers in an administrative or judicial action brought by the FTC or DOJ in which the aggregate monetary sanctions exceed $1,000,000. To be eligible for an award, the whistleblower must voluntarily provide original information to the FTC that the whistleblower reasonably believes relates to a potential or suspected violation of any law, rule, or regulation enforced by the FTC and that original information must lead to an FTC enforcement action.
The monetary sanctions collected in any judicial or administrative action that would qualify for an FTC whistleblower award include any monies, including penalties, disgorgement, or interest ordered or agreed to be paid but excludes any relief necessary to redress injury to consumers.
The FTCWA would establish a reward program at the FTC similar to the SEC whistleblower program that Congress enacted in the Dodd-Frank Act, which has proven successful in enhancing the SEC’s ability to detect and halt fraud schemes and protect investors. Since the inception of the SEC whistleblower program, whistleblower tips have enabled the SEC to recover approximately $5 billion in monetary sanctions and return $1.3 billion to harmed investors. The SEC has issued awards totaling approximately $1.2 billion to 234 individuals.
There is, however, a flaw in the text of the FTCWA authorizing the payment of awards in that HR 6093 states that the FTC “may pay an award,” whereas the Dodd-Frank Act states that the SEC “shall pay an award.” And the FTCWA provides that the “determination of whether, to whom, or in what amount to make an award shall be in the discretion of the FTC.”
The FTCWA whistleblower incentive provision would encourage whistleblowers to provide “original information,” i.e., information that is derived from the independent knowledge or analysis of a whistleblower or is not known to the FTC from any other source, unless the whistleblower is the original source of the information. Providing information that is exclusively derived from an allegation made in a judicial or administrative hearing, governmental report, hearing, audit, or investigation, or from the news media would not qualify for a whistleblower award unless the whistleblower is a source of the information.
The FTCWA permits a whistleblower to be represented by counsel. But in contrast to the SEC whistleblower program, the FTCWA does not expressly authorize whistleblowers to report violations to the FTC anonymously through an attorney.
Under the FTCWA, the FTC may deny an award to any whistleblower who
The FTCWA does not limit award eligibility to whistleblowers who gain information through the performance of compliance or audit duties.
To determine the amount of an AMLA whistleblower award, the FTC will consider:
Section 2 of the FTCWA creates a private right of action for whistleblowers who have suffered retaliation for disclosing a potential violation of any law, rule, or regulation enforced by the FTC. It prohibits an entity or individual subject to the jurisdiction of the FTC from retaliating against a whistleblower for:
The FTCWA’s definition of “whistleblower” clarifies that it protects current or former full-time, part-time, or temporary employees, contractors, subcontractors (at any tier), grantees, subgrantees, or agents of a covered entity or any person that assists or is perceived as assisting a whistleblower.
Similar to the Sarbanes-Oxley whistleblower protection law, the FTCWA prohibits a wide range of retaliatory acts, including directly or indirectly discharging, demoting, suspending, threatening, harassing, blacklisting, or in any other manner discriminating or taking an adverse personnel action. The catch-all category of retaliation (“in any other manner” discriminating against a whistleblower) encompasses non-tangible employment actions, such as “outing” a whistleblower in a manner that forces the whistleblower to suffer alienation and isolation from work colleagues.
A prevailing AMLA whistleblower is entitled to the following remedies:
FTCWA retaliation claims would be brought directly in federal court. There is no administrative exhaustion requirement. And FTCWA retaliation claims would not be subject to mandatory arbitration.
The FTCWA contains robust anti-gag provisions. It would prohibit a covered entity from taking any action that impedes or prevents an individual from communicating directly with a qualified entity about a covered disclosure, including enforcing, or threatening to enforce, a confidentiality or non-disparagement agreement. And a covered entity (an entity subject to the jurisdiction of the FTC) would be prohibited from requiring the consent of the counsel of the covered entity for a qualified entity (the FTC, a Federal entity, or Congress) to communicate directly with an individual or the attorney of an individual (if the individual is represented by an attorney) regarding a possible covered disclosure. A violation of the anti-gag provisions would be deemed an unfair or deceptive act or practice subject to FTC enforcement authority, including penalties.
The FTCWA’s whistleblower protection provision would not preempt or supersede any other Federal or State law relating to whistleblower protections. Nor would it diminish the rights, privileges, or remedies of any whistleblower under any Federal or State law, or under any collective bargaining agreement.
If enacted, the whistleblower rewards and protection provisions of the FTCWA will play a critical role in identifying and combating consumer protection fraud.
A press release from Congresswoman Jan Schakowsky states the purpose of the FTCWA:
“Whistleblowers risk their livelihoods to bring truth to light and help safeguard the public from corporate wrongdoing,” said Congresswoman Schakowsky. “Recent events have again proven how indispensable whistleblowers are to our society, to democracy, and to American families. That is why today my colleague Representative Trahan and I take action to support whistleblowers. The FTC Whistleblower Act of 2021 will help the Commission to take bold action against wrongdoers by protecting whistleblowers from retaliation for their bravery and incentivizing the disclosure of unlawful activity that harms American consumers.”
Congresswoman Trahan added, “Time and time again, whistleblowers have proven key in uncovering information critical to protecting consumers. As the Federal Trade Commission works to investigate harmful behavior by massive corporations, it’s important that the agency offers safeguards to protect and incentivize potential whistleblowers, as is standard with several other investigatory agencies. I’m proud to join with Chairwoman Schakowsky to introduce the FTC Whistleblower Act of 2021, which will enable the Commission to establish these essential standards and bolster its important work.”
“Whistleblowers play an essential role in exposing waste, fraud, and misconduct that directly impacts consumers,” said Melissa Wasser, policy counsel, Project On Government Oversight. “Establishing a whistleblower award program at the Federal Trade Commission (FTC) will incentivize whistleblowers to come forward with tips and protect those whistleblowers from retaliation. POGO thanks Representative Schakowsky and her team for their commitment to protect whistleblowers at the FTC by mirroring best practices within this new award program. This legislation ensures more whistleblowers will come forward with important disclosures that will strengthen consumer protection.”
MEET OUR TEAM OF SEASONED WHISTLEBLOWER ATTORNEYS Jason Zuckerman Principal Dallas Hammer Principal Matthew Stock…
The Whistleblower Protection Act prohibits retaliation against federal employees, applicants, or former employees for disclosing…
D.C.’s Amended Whistleblower Protection Act: The Gold Standard for Public Sector Whistleblower Protection BNA…
An article titled Supreme Court will review whistleblower complaint reports that the Supreme Court…
