Ex-FTC Investigator Sees NGL, Epic Settlements as Blueprint for Stopping Teen Harm
The FTC’s 2024 settlement with NGL Labs and 2023 agreement with Epic Games could serve as a blueprint for federal and state enforcers protecting teens from privacy and design-related harms, former Consumer Protection Bureau Director Samuel Levine told Privacy Daily in an interview Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Levine recently co-authored a Stanford Law Review article with former FTC Chair Lina Khan and former Chief Technologist Stephanie Nguyen. The Biden administration enforcers highlighted the agency’s use of unfairness authority in holding companies liable for harming teens (see 2506160021).
Levine noted FTC Republicans supported both settlements. Commissioner Christine Wilson supported Epic, and then-Commissioner Andrew Ferguson and Commissioner Melissa Holyoak voted in favor of NGL.
Epic settled with the FTC for $245 million over allegations it violated the Children’s Online Privacy Protection Act by using “dark patterns to trick players into making unwanted purchases and let children rack up unauthorized charges without any parental involvement.”
NGL settled for $5 million on unfairness and COPPA-related claims alleging the messaging app unfairly marketed the service to children and teens.
The Epic case included claims the company’s default privacy settings allowed sexual predators to message minors on its Fortnite gaming platform.
The Epic settlement is “certainly a precedent for privacy,” said Levine, now a senior fellow at the Berkeley Center for Consumer Law & Economic Justice. “It’s really a question of: Do we recognize that teens can face unique harms online, whether through privacy settings or whether that’s through the design of a service, as with NGL? So, I think that precedent can certainly carry forward in the privacy space.”
The FTC relies on Section 5 authority to police unfair or deceptive acts or practices (UDAP). Levine said it lets the agency target data abuse, including “discreet over-collection, over-sharing and over-retention.” One thing lacking is specific authority to establish data-minimization standards across the economy, he said, noting it could have been done through an agency rulemaking. The FTC under Khan in 2022 opened an inquiry into a potential rule on commercial surveillance and data security, which the current administration hasn’t taken up (see 2503250051).
“I’m not saying we did not have the authority to” pursue data-minimization claims, he said. “I think we may well have had the authority to do so, but certainly states have much stronger tools. They’re not limited to practices that are unfair or deceptive. States have much broader authority to require data minimization” without having to follow the FTC’s procedural and substantive requirements.
Levine said the FTC’s January settlements with data brokers Mobilewalla and Gravy Analytics (see 2501140072) were an enforcement “wake-up call” for the adtech industry. Both cases focused on the inherent risk posed by sharing sensitive geolocation data, he said, calling them a “real step forward” for the commission.
Levine said there was a lot of reaction in particular to the Mobilewalla allegations regarding the harvesting of real-time bidding data. “That generated a lot of response from” adtech, he said: That industry in particular has gotten an enforcement “wake-up call” in recent years.