Biden’s Build Back Better Act Aims to Strengthen the FTC’s Privacy and Data Security Stance, But Enforcement Options Remain Limited by Supreme Court Precedent

On November 19, 2021, the U.S. House of Representatives voted 220 to 213 to approve the Build Back Better Act (“BBBA”). Alongside the BBBA’s initiatives for enhancing the social safety net and combatting climate change, the law contains provisions that will dramatically bolster the Federal Trade Commission’s (“FTC”) capabilities to investigate violations related to privacy and data security. If passed in its current form, the BBBA will provide US$500 million to the FTC to focus on privacy and data security enforcement, including through a designated bureau responsible for addressing these issues.

While the BBBA must still be passed by the Senate, regardless of the bill’s fate, the push to bolster the FTC’s privacy and data security mission—and increased investment in other cyber security measures—are significant developments worth watching. Still, as discussed further below, the FTC’s enforcement options will be cabined by recent Supreme Court precedent that limits the FTC’s ability to seek equitable monetary remedies in court.

The BBBA’s Data and Privacy Protections and Limits on the FTC’s Enforcement Authority

The BBBA aims to enhance the FTC’s capacity to police and penalize privacy and data security violations, including by funding the creation of a data security and privacy bureau within the FTC. The BBBA would provide US$500 million to the FTC through September 30, 2029 to “create and operate a bureau, including by hiring and retaining technologists, user experience designers, and other experts,” that focuses on “unfair or deceptive acts or practices” relating to “privacy, data security, identity theft, data abuses, and related matters.” This would be a significant development, as the FTC’s resources and personnel dedicated to enforcement of privacy and data security protections have typically lagged behind its strong rhetoric.

The BBBA does not grant the FTC any new authority to extract monetary relief for violations, which is particularly noteworthy in light of the Supreme Court’s early 2021 decision in AMG Capital Management v. FTC. AMG Capital held that Section 13(b) of the Federal Trade Commission Act (“FTC Act”) does not authorize the FTC to seek equitable monetary relief in court, including restitution or disgorgement, without first pursuing administrative remedies—tempering the FTC’s powers to pursue potential data security and privacy violators under the BBBA.

AMG Capital therefore defanged what had recently been two of the FTC’s most effective enforcement tools: disgorgement and restitution. Through disgorgement, the FTC could force violators to return alleged ill-gotten gains from illegal conduct. And restitution required violators to make alleged victims whole. In recent decades, the FTC has frequently sought equitable monetary relief in court without first pursuing administrative remedies.

The Supreme Court took up AMG Capital to resolve a split among courts regarding the FTC’s authority, and ultimately concluded that Section 13(b) does not authorize the FTC to seek equitable monetary relief from courts without first pursuing administrative remedies. Instead, Section 13(b) only authorizes injunctions directed towards prospective violations. The Court left open the possibility that the FTC could pursue equitable monetary relief under a different section of the FTC Act, Section 19—after pursuing administrative remedies and issuing a cease and desist order—steps which will prolong the FTC’s enforcement efforts and create additional requirements for the FTC to meet.

The BBBA does not address AMG Capital or its potential limits on the FTC’s enforcement options. In assessing the BBBA, the Senate may have concerns about whether the new FTC bureau will have the necessary tools to effectively pursue their cyber security and privacy enforcement goals in light of AMG Capital.

In addition to investments in the FTC’s data security and privacy capabilities, the BBBA provides other notable funding for cyber security measures. For example, the BBBA provides the Cybersecurity and Infrastructure Security Agency (CISA) with hundreds of millions of US dollars for cybersecurity activities, as well as funding for the Federal Emergency Management Agency (FEMA) and National Institute for Standards and Technology (NIST) (among others) for security-related research and activities.

Conclusion

Privacy and data security are a priority of the Biden administration, and while the BBBA will be passed, if at all, along party lines, there has been bipartisan support to strengthen federal privacy and data security protections. Five hundred million US dollars over eight years could go a long way to giving bite to the FTC’s bark, and dramatically shift the federal landscape of privacy and data security enforcement. Still, considering that the BBBA provides no new authority to the FTC, the FTC’s enforcement options may be limited in light of recent Supreme Court precedent.

O’Melveny recognizes law clerk Kayla Evans for her valuable contribution in researching and drafting this article.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Ben Bradshaw, an O’Melveny partner licensed to practice law in California and the District of Columbia, Ian Simmons, an O’Melveny partner licensed to practice law in the District of Columbia and Pennsylvania, Riccardo Celli, an O’Melveny partner licensed to practice law in the Capital Region of Brussels, the Law Society England & Wales, and Roma, Melody Drummond Hansen, an O’Melveny partner licensed to practice law in California, the District of Columbia, and Illinois, Courtney Dyer, an O’Melveny partner licensed to practice law in the District of Columbia and New York, Andrew Frackman, an O’Melveny partner licensed to practice law in New Jersey and New York, Yoji Maeda, an O’Melveny partner licensed to practice law in Japan and New York, Stephen McIntyre, an O'Melveny counsel licensed to practice law in California, Philip Monaghan, an O’Melveny partner licensed to practice law in the Capital Region of Brussels, Hong Kong, the Law Society England & Wales, and the Law Society Ireland, Anna T. Pletcher, an O’Melveny partner licensed to practice law in California, Katrina Robson, an O’Melveny partner licensed to practice law in California and the District of Columbia, Julia Schiller, an O’Melveny partner licensed to practice law in the District of Columbia, New Jersey, and New York, Youngwook Shin, an O’Melveny partner licensed to practice law in California and New York, Michael Tubach, an O’Melveny partner licensed to practice law in California and the District of Columbia, Laura Aronsson, an O’Melveny counsel licensed to practice law in New York and California, Courtney C. Byrd, an O’Melveny counsel licensed to practice law in the District of Columbia and Maryland, John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, Scott Hammack, an O'Melveny counsel licensed to practice law in the District of Columbia and New York, Zhao Liu, an O’Melveny counsel licensed to practice law in California and the District of Columbia, Kelse Moen, an O’Melveny counsel licensed to practice law in the District of Columbia and Massachusetts, Scott Schaeffer, an O’Melveny counsel licensed to practice law in the District of Columbia and California, Evan N. Schlom, an O’Melveny counsel licensed to practice law in the District of Columbia and California, Jason Yan, an O'Melveny counsel licensed to practice law in the District of Columbia and Virginia, Sergei Zaslavsky, an O’Melveny counsel licensed to practice law in the District of Columbia and Maryland, and Kayla Evans, an O’Melveny law clerk, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.