FTC Consumer Protection and Privacy Enforcement Series: Practical Tips for When Your Company Gets an FTC CID

Welcome to our new series on Federal Trade Commission (FTC) enforcement, where we will provide practical insights into emerging FTC priority areas for consumer protection and data privacy enforcement. Overall, the current FTC is focused on “[v]igorous enforcement” rather than rulemaking, so we expect a steady stream of enforcement activity around key frameworks (including but not limited to the FTC Act, COPPA, and the Telemarketing Sales Rule) and issue areas (including but not limited to data sales, advertising, and kids’ privacy and marketing). In this series, we plan to take deep dives into these and other priority areas to discuss emerging trends, enforcement developments, key compliance issues, and implications for businesses.

To kick the series off, we are starting with practical tips for companies that receive a civil investigative demand (CID) or other inquiries from the FTC. These tips apply across the board to any FTC investigation or enforcement action in the consumer protection or privacy arena. In our next post in this series, we will explore FTC enforcement issues with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), a law that prohibits data brokers from selling or transferring American’s “personally identifiable sensitive data” to certain foreign adversary countries or entities they control. PADFA took effect on June 23, 2024, and it is expected to be a priority area for enforcement under the current Administration.

Four Key Points if Your Company Gets an Inquiry from the FTC

1. Understand the Implications of the CID

FTC CIDs typically include a cover letter that describes the subject and nature of the investigation. This, along with insight from experienced counsel, can help companies know if they are the target of the investigation or a third party. This analysis is critical, as target CIDs mean the company may become the subject of an enforcement action seeking injunctive relief and civil penalties up to $53,088 per violation. In addition, publicly traded firms may have to consider whether investigations need to be reported in filings and disclosures and whether to notify insurance carriers.

2. Act Quickly to Preserve and Collect Relevant Documents

FTC CIDs often require production of emails, contracts, policies, and data samples. And they often include tight timelines for producing responses. Begin preservation efforts immediately and coordinate with IT and legal teams to ensure responsive materials are collected and reviewed efficiently. Although counsel can help negotiate additional time, prompt internal coordination is still essential. For large organizations, just identifying relevant document custodians and key stakeholders can be a lengthy process.

3. Consult with Experienced FTC Counsel

As noted above, counsel with FTC experience can help with the nuances of CID responses and help implement a response strategy that accounts for FTC authority and legal doctrines. Knowledgeable counsel can also help navigate the unwritten rules and norms of practice before the agency that are not included in the FTC’s published rules of practice.

4. Understand and Plan for the Full Lifecycle of an FTC Inquiry

FTC inquiries have a complex lifespan that is important to understand from the outset. Once FTC staff begin an investigation – in many cases based on consumer complaints or media coverage about companies’ consumer protection, privacy, or advertising issues – the next step is often seeking relevant information from the company. Sometimes, staff will issue letters asking companies to provide information voluntarily; in other instances, staff will issue a CID to the target of the investigation. And sometimes, staff will start investigations by seeking evidence from third parties, like advertising partners or data providers, without informing the target. Notably, there are no specific limits on the number of interrogatories. And once a company has finished responding, FTC staff sometimes issue a second CID.

The FTC can also use CIDs to compel companies and individuals to testify under oath in hearings. CIDs can compel testimony from both individuals and corporate entities. CIDs for documents, information, and testimony all have deadlines for meeting with FTC staff, filing a petition asking the full commission to quash or modify the CID, and completing full responses.

Once staff complete their investigation, they will either move forward with enforcement or close the investigation. In most instances, when they decide on enforcement, FTC staff send the company a draft complaint and proposed settlement and enter into “consent negotiations” before litigating. If a settlement is not reached, staff usually recommend the Commission vote to bring an enforcement action. Usually, the company has opportunities during this process to meet with the Consumer Protection Bureau Director and Commissioners. Those meetings can be opportunities to advocate against enforcement or for more favorable settlement terms.

Even if the FTC ultimately does not pursue enforcement, the investigation itself can be burdensome. The process of producing information can require enormous internal staffing resources, and FTC investigations routinely continue for more than a year. Investigational hearings or follow-up demands may also compound resource requirements. 

Understanding the potential process and resource burdens from the outset is critical to be able to plan for and best respond to any FTC inquiry.

***

Wiley’s FTC and Consumer Protection and Privacy, Cyber & Data Governance teams assists clients with a full spectrum of advertising, consumer protection, privacy, cybersecurity, and data governance issues. Please reach out to any of the authors with questions.