FTC’s Third Open Meeting Brings New Changes to Agencies’ Approach for Health App Privacy, Petitions for Rulemaking, and Vertical Mergers

Blog WilmerHale Privacy and Cybersecurity Law

On September 16, 2021, the Federal Trade Commission (“FTC” or “Commission”) held its third Open Commission Meeting in as many months. The Commission addressed four items: (1) whether to issue a policy statement affirming that health apps and connected devices must comply with the Health Breach Notification Rule (“HBNR”) in the event of a privacy breach; (2) an FTC report regarding almost a decade of unreported acquisitions by five major technology companies; (3) proposed revisions to FTC procedural rules concerning petitions for rulemakings; and (4) the proposed withdrawal of the FTC’s Vertical Merger Guidelines that were adopted in June 2020.

Key takeaways from the meeting include:

  • The Democratic Commissioners are moving quickly to remove what they view as roadblocks to their progressive antitrust agenda, withdrawing recent guidelines on how to evaluate vertical mergers without providing any replacement guidance for businesses.
  • The FTC continues to signal its interest in entities that collect health information. At the meeting, the Commissioners voted (3-2) to approve a Policy Statement that broadly interprets the HBNR to apply to many applications that might not otherwise think of themselves as offering personal health records.
  • The FTC continues to look for ways to pursue civil penalties against perceived wrongdoers. One of the reasons the FTC appears willing to broaden the application of the HBNR is so that it can obtain penalties for first-time rule violators.
  • The Commission will continue to make use of its Section 6(b) authority to gather information that it can use either in future enforcement actions or to guide future policy decisions and/or rule changes.
  • The Commission continues to focus on the rulemaking process and is steadily making changes that are intended to make the process more streamlined and transparent.

Read our coverage of the first Open Commission Meeting held on July 1, 2021, and the second Open Commission Meeting held on July 21, 2021.

Proposed Policy Statement on Privacy Breaches by Health Apps and Connected Devices

The Commission voted along party lines (3-2) to approve a Policy Statement that “serves to clarify” the types of apps and connected devices that are required to comply with the HBNR and under what circumstances they must notify consumers and others when those individuals’ health data is breached. The HBNR resulted from the American Recovery and Reinvestment Act of 2009, in which Congress directed the FTC to adopt a rule implementing breach notification requirements applicable to vendors of personal health records, PHR related entities, and third-party service providers that are non-HIPAA-covered entities.

In practice, however, the Policy Statement broadly interprets the HBNR in two ways. First, it interprets the rule to cover a larger segment of health-related apps and devices than was previously understood under the Rule. The Policy Statement explains that apps and connected devices such as wearable fitness tracking devices that collect consumers’ health information are covered by the HBNR (and therefore considered “personal health records”) if they can draw data from multiple sources and are not covered by the HIPAA Breach Notification Rule issued by the Department of Health and Human Services. For example, a health app would be covered if it collects health information from a consumer and has the technical capacity to also collect information by synching with the consumer’s fitness tracker. These types of applications are different than what we traditionally think of as a PHR, where an individual consumer can collect a variety of medical records from multiple health care providers and various other sources to manage their health (the “personal” equivalent of a health care provider’s electronic medical record).

Second, the Policy Statement interprets the rule to cover any sharing of covered information without valid consumer consent. This means that any sharing of health information with a third party in violation of a privacy policy or other public facing statement could be actionable under the rule, even if it would not traditionally be considered a data breach.

The two Republican Commissioners voted no and dissented from approving the Policy Statement, citing concerns about improperly expanding the scope of the HBNR outside of the rulemaking process and depriving the public of the opportunity to comment on agency rulemaking. In her dissenting statement, Commissioner Christine S. Wilson noted that the Policy Statement contradicts existing FTC business guidance and curtails an open, ongoing rulemaking process that covers the HBNR. In his dissenting statement, Commissioner Noah Joshua Phillips echoed the same concerns and further noted that the HBNR provides an unworkable “remedy” for notice of a breach in the context of apps and companies that operate based on the sharing of health-related consumer data.

The Commission signaled its intent to bring actions to enforce the HBNR consistent with the Policy Statement. However, there could be meaningful challenges to this purported clarification if the Commission seeks to enforce the HBNR against health-related apps and devices in the future.

Non-HSR Reported Acquisitions by Select Technology Platforms, 2010–2019: An FTC Study

The FTC staff presented findings (the “Report”) from its study into past acquisitions that were not reported to antitrust authorities under the Hart-Scott-Rodino Act (the “HSR Act”). The Report includes an analysis of 616 transactions valued at or above $1 million conducted by the five largest U.S. companies by market capitalization between January 1, 2010, and December 31, 2019. The Report was a study conducted using the FTC’s Section 6(b) authority, which allows it to conduct wide-ranging studies that do not have a specific law enforcement purpose and to obtain information from companies through the use of Special Orders. The study was designed to deepen the FTC’s understanding of large technology firms’ acquisition activity, including how these firms report their transactions to the federal antitrust agencies. The study also purported to look at whether large tech companies are systemically making potentially anticompetitive acquisitions of nascent or potential competitors that fall below HSR filing thresholds and therefore do not need to be reported to the antitrust agencies. The Commission voted unanimously to make the Report public.

Some key findings of the Report include:

  • Of the 616 transactions, 94 exceeded the HSR Size of Transaction threshold.
  • In 36 percent of the transactions, the acquirer assumed some amount of debt or liabilities. When added to the purchase price of the target, such debts and liabilities would have tipped the purchase amount of three of the transactions above the HSR Size of Transaction threshold. That is, three more transactions would have been added to the 94 transactions already above the HSR Size of Transaction threshold.
  • More than 79 percent of transactions used deferred or contingent compensation to founders and key employees, with relatively small variation across the five respondents. Higher value transactions were more likely to use deferred or contingent compensation. Of the transactions reported, nine additional transactions would have exceeded the HSR Size of Transaction threshold (i.e., in addition to the 94 transactions already above the HSR Size of Transaction threshold) at the time of their consummation when adding the deferred or contingent compensation to their purchase price.
  • More than 75 percent of transactions included non-compete clauses for founders and key employees of the acquired entities, with little variation in the percentage of transactions that had non-compete clauses across the five respondents. Higher value transactions were more likely to use non-compete clauses.
  • The number of transactions in each of five transaction size ranges—starting at between $1 million and $5 million and ending at between $50 million and the Hart-Scott-Rodino Size-of-Transaction threshold—fluctuated but generally trended up over the 2010 to 2019 time period. Of the 616 transactions, 65 percent were between $1 million and $25 million.
  • Asset and control transactions, including voting security control and non-corporate interest control transactions, were the most common in each transaction range. For transactions exceeding $5 million, the majority were control transactions. Moreover, higher-value transactions were more likely to be control acquisitions.
  • The majority of transactions in each transaction range were for domestic firms, with roughly two thirds of the entities acquired in each transaction range being domestic.
  • At least 39.3 percent of the transactions in which the target company’s age was available involved firms that, as of the time of the consummation of the transaction, were less than five years old.
  • In more than half the transactions for which the respondents provided the number of the target company’s full-time non-sales employees, the number was between one and 10. Employee counts correlate positively with the size of the transaction.
  • The total number of transactions per calendar year across the five respondents ranged from 43 at its lowest per calendar year (in 2012) to 79 at its highest (in 2014) and remained relatively higher in 2015-2019 (ranging from 63 to 74 transactions) than in 2010-2013 (ranging from 43 to 63 transactions).

In their remarks regarding the Report, the three Democratic Commissioners signaled interest in conducting additional research pursuant to Section 6(b) to shed further light on M&A trends in other industries, closing potential loopholes that allow companies to avoid the reporting requirements in the HSR Act, working closely with international regulatory counterparts, and scrutinizing the use of non-competes in M&A. Chair Khan and Commissioner Chopra both indicated that amendments to the HSR Act could help to ensure that larger firms report more of their M&A activity to antitrust authorities.

Revisions to FTC’s Rules of Practice

By a vote of 4 to 1 (with Commissioner Wilson voting no), the Commission approved a series of changes to the FTC’s Rules of Practice governing petitions for rulemaking. The stated purpose for the changes is to enhance public participation in the agency’s rulemaking by making it easier for members of the public to petition the agency for new rules or changes to existing rules. The revisions are intended to help clarify the process of submitting petitions to the FTC and increase opportunities for public input while enhancing the process for FTC responses to petitions it receives. These revisions are part of the larger effort by the Commission to revise its procedural rules relating to the rulemaking process. Notable changes include:

  • Additional information and guidance on what information is required with petition submissions and how the FTC will process petitions.
  • Publication of petitions in the Federal Register so that others can comment on them.
  • Petitioners will be notified of a Commission decision to either initiate rulemaking in response to a petition or to deny the petition.

Commissioner Wilson, in a statement regarding the vote, expressed concern that there were no funding disclosure provisions, so the FTC would have no idea who was funding a petition for a proposed rulemaking. Commissioner Wilson explained that funding disclosure provisions were necessary to avoid regulatory gamesmanship and ensure that the FTC knew who was seeking to influence the rulemaking process. Notably, while the other four Commissioners all voted in favor of the proposed revisions, they each expressed agreement that the FTC should look into the funding disclosure issue, indicating this may be a topic that is addressed in the future.

Withdrawal of 2020 Vertical Merger Guidelines

The FTC also voted, along party lines, to withdraw its approval of the Vertical Merger Guidelines, issued jointly with the Department of Justice (“DOJ”), and the FTC’s Vertical Merger Commentary. These guidelines had outlined how the federal antitrust agencies would evaluate the likely competitive impact of vertical mergers and whether those mergers complied with U.S. antitrust law. The associated commentary had summarized a selection of prior investigations that largely utilized the framework in the guidelines.

In voting to rescind the guidelines, the majority expressed a belief that the guidelines had relied on flawed economic theories and provided loopholes that would allow certain companies to avoid merger regulations. The majority further reasoned that the guidelines had not yet had a significant impact, and that withdrawal was necessary to prevent judicial or industry reliance on the flawed approach. Notably, the Commission did not issue any new guidelines for vertical mergers to replace the withdrawn guidelines, but instead reaffirmed its commitment to working with the DOJ to update the agency’s merger guidance. Whether and when these updates will occur, however, remains to be seen. Until new guidance is issued, the majority noted that the FTC will continue to analyze mergers in accordance with its statutory mandate, which does not presume efficiencies for any category of mergers.

The two Republican Commissioners voted no and dissented, as both had supported the adoption of the 2020 Vertical Merger Guidelines. Commissioner Wilson expressed deep concern that the majority was unilaterally withdrawing sound guidance that was supported by economics with little notice or opportunity for public comment. Commissioner Phillips agreed and also noted that by withdrawing the guidance without providing replacement guidance, the majority was creating uncertainty in the market and would cause confusion for companies on how the FTC would review these mergers going forward.