On September 16, 2021, the Federal Trade Commission
(“FTC” or “Commission”) held its third Open
Commission Meeting in as many months. The Commission addressed four
items: (1) whether to issue a policy statement affirming that
health apps and connected devices must comply with the Health
Breach Notification Rule (“HBNR”) in the event of a
privacy breach; (2) an FTC report regarding almost a decade of
unreported acquisitions by five major technology companies;
(3) proposed revisions to FTC procedural rules concerning
petitions for rulemakings; and (4) the proposed withdrawal of
the FTC’s Vertical Merger Guidelines that were adopted in June
2020.
Key takeaways from the meeting include:
- The Democratic Commissioner are moving quickly to remove what
they view as roadblocks to their progressive antitrust agenda,
withdrawing recent guidelines on how to evaluate vertical mergers
without providing any replacement guidance for businesses. - The FTC continues to signal its interest in entities that
collect health information. At the meeting, the Commissioners voted
(3-2) to approve a Policy Statement that broadly interprets the
HBNR to apply to many applications that might not otherwise think
of themselves as offering personal health records. - The FTC continues to look for ways to pursue civil penalties
against perceived wrongdoers. One of the reasons the FTC appears
willing to broaden the application of the HBNR is so that it can
obtain penalties for first time rule violators. - The Commission will continue to make use of its Section 6(b)
authority to gather information that it can use either in future
enforcement actions or to guide future policy decisions and/or rule
changes. - The Commission continues to focus on the rulemaking process and
is steadily making changes that are intended to make the process
more streamlined and transparent.
Read our coverage of the first Open Commission Meeting held on
July 1, 2021, and the second Open Commission Meeting held on
July 21, 2021.
Proposed Policy Statement on Privacy Breaches by Health Apps
and Connected Devices
The Commission voted along party lines (3-2) to approve a Policy Statement that
“serves to clarify” the types of apps and connected
devices that are required to comply with the HBNR and under what
circumstance they must notify consumers and others when those
individuals’ health data is breached. The HBNR resulted from
the American Recovery and Reinvestment Act of 2009, in which
Congress directed the FTC to adopt a rule implementing breach
notification requirements applicable to vendors of personal health
records, PHR related entities, and third-party service providers
that are non-HIPAA-covered entities.
In practice, however, the Policy Statement broadly interprets
the HBNR in two ways. First, it interprets the rule to cover a
larger segment of health-related apps and devices than was
previously understood under the Rule. The Policy Statement explains
that apps and connected devices such as wearable fitness tracking
devices that collect consumers’ health information are covered
by the HBNR (and therefore considered “personal health
records”) if they can draw data from multiple sources and are
not covered by the HIPAA Breach Notification Rule issued by the
Department of Health and Human Services. For example, a health app
would be covered if it collects health information from a consumer
and has the technical capacity to also collect information by
synching with the consumer’s fitness tracker. These types of
applications are different than what we traditionally think of as a
PHR, where an individual consumer can collect a variety of medical
records from multiple health care providers and various other
sources to manage their health (the “personal” equivalent
of a health care provider’s electronic medical record).
Second, the Policy Statement interprets the rule to cover any
sharing of covered information without valid consumer consent. This
means that any sharing of health information with a third party in
violation of a privacy policy or other public facing statement
could be actionable under the rule, even if it would not
traditionally be considered a data breach.
The two Republican Commissioners voted no and dissented from
approving the Policy Statement, citing concerns about improperly
expanding the scope of the HBNR outside of the rulemaking process
and depriving the public of the opportunity to comment on agency
rulemaking. In her dissenting
statement, Commissioner Christine S. Wilson noted that the
Policy Statement contradicts existing FTC business
guidance and curtails an open, ongoing rulemaking process that
covers the HBNR. In his dissenting
statement, Commissioner Noah Joshua Phillips echoed the same
concerns and further noted that the HBNR provides an unworkable
“remedy” for notice of a breach in the context of apps
and companies that operate based on the sharing of health-related
consumer data.
The Commission signaled its intent to bring actions to enforce
the HBNR consistent with the Policy Statement. However, there could
be meaningful challenges to this purported clarification if the
Commission seeks to enforce the HBNR against health-related apps
and devices in the future.
Non-HSR Reported Acquisitions by Select Technology Platforms,
2010-2019: An FTC Study
The FTC staff presented findings (the
“Report”) from its study into past acquisitions that were
not reported to antitrust authorities under the Hart-Scott-Rodino
Act (the “HSR Act”). The Report includes an analysis of
616 transactions valued at or above $1 million conducted by the
five largest U.S. companies by market capitalization between
January 1, 2010, and December 31, 2019. The Report was a study
conducted using the FTC’s Section 6(b) authority, which allows
it to conduct wide-ranging studies that do not have a specific law
enforcement purpose and to obtain information from companies
through the use of Special Orders. The study was designed to deepen
the FTC’s understanding of large technology firms’
acquisition activity, including how these firms report their
transactions to the federal antitrust agencies. The study also
purported to look at whether large tech companies are systemically
making potentially anticompetitive acquisitions of nascent or
potential competitors that fall below HSR filing thresholds and
therefore do not need to be reported to the antitrust agencies. The
Commission voted unanimously to make the Report public.
Some key findings of the Report include:
- Of the 616 transactions, 94 exceeded the HSR Size of
Transaction threshold. - In 36 percent of the transactions, the acquirer assumed some
amount of debt or liabilities. When added to the purchase price of
the target, such debts and liabilities would have tipped the
purchase amount of three of the transactions above the HSR Size of
Transaction threshold. That is, three more transactions would have
been added to the 94 transactions already above the HSR Size of
Transaction threshold. - More than 79 percent of transactions used deferred or
contingent compensation to founders and key employees, with
relatively small variation across the five respondents. Higher
value transactions were more likely to use deferred or contingent
compensation. Of the transactions reported, nine additional
transactions would have exceeded the HSR Size of Transaction
threshold (i.e., in addition to the 94 transactions already above
the HSR Size of Transaction threshold) at the time of their
consummation when adding the deferred or contingent compensation to
their purchase price. - More than 75 percent of transactions included non-compete
clauses for founders and key employees of the acquired entities,
with little variation in the percentage of transactions that had
non-compete clauses across the five respondents. Higher value
transactions were more likely to use non-compete clauses. - The number of transactions in each of five transaction size
ranges-starting at between $1 million and $5 million and ending at
between $50 million and the Hart-Scott-Rodino Size-of-Transaction
threshold-fluctuated but generally trended up over the 2010 to 2019
time period. Of the 616 transactions, 65 percent were between $1
million and $25 million. - Asset and control transactions, including voting security
control and non-corporate interest control transactions, were the
most common in each transaction range. For transactions exceeding
$5 million, the majority were control transactions. Moreover,
higher-value transactions were more likely to be control
acquisitions. - The majority of transactions in each transaction range were for
domestic firms, with roughly two thirds of the entities acquired in
each transaction range being domestic. - At least 39.3 percent of the transactions in which the target
company’s age was available involved firms that, as of the time
of the consummation of the transaction, were less than five years
old. - In more than half the transactions for which the respondents
provided the number of the target company’s full-time non-sales
employees, the number was between one and 10. Employee counts
correlate positively with the size of the transaction. - The total number of transactions per calendar year across the
five respondents ranged from 43 at its lowest per calendar year (in
2012) to 79 at its highest (in 2014) and remained relatively higher
in 2015-2019 (ranging from 63 to 74 transactions) than in 2010-2013
(ranging from 43 to 63 transactions).
In their remarks regarding the report, the three democratic
commissioners signaled interest in conducting additional research
pursuant to Section 6(b) to shed further light on M&A trends in
other industries, closing potential loopholes that allow companies
to avoid the reporting requirements in the HSR Act, working closely
with international regulatory counterparts, and scrutinizing the
use of non-competes in M&A. Chair Kahn and Commissioner Chopra
both indicated that amendments to the HSR Act could help to ensure
that larger firms report more of their M&A activity to
antitrust authorities.
Revisions to FTC’s Rules of Practice
By a vote of 4 to 1 (with Commissioner Wilson voting no), the
Commission approved a series of changes to the FTC’s Rules of
Practice governing petitions for rulemaking. The stated purpose for
the changes is to enhance public participation in the agency’s
rulemaking by making it easier for members of the public to
petition the agency for new rules or changes to existing rules. The
revisions are intended to help clarify the process of submitting
petitions to the FTC and increase opportunities for public input
while enhancing the process for FTC responses to petitions it
receives. These revisions are part of the larger effort by the
Commission to revise its procedural rules relating to the
rulemaking process. Notable changes include:
- Additional information and guidance on what information is
required with petition submissions and how the FTC will process
petitions. - Publication of petitions in the federal register so that others
can comment on them. - Petitioners will be notified of a Commission decision to either
initiate rulemaking in response to a petition or to deny the
petition.
Commissioner Wilson in a statement regarding the vote expressed
concern that there were no funding disclosure provisions, so the
FTC would have no idea who was funding a petition for a proposed
rulemaking. Commissioner Wilson explained that funding disclosure
provisions were necessary to avoid regulatory gamesmanship and
ensure that the FTC knew who was seeking to influence the
rulemaking process. Notably, while the other four Commissioners all
voted in favor of the proposed revisions, they each expressed
agreement that the FTC should look into the funding disclosure
issue, indicating this may be a topic that is addressed in the
future.
Withdrawal of 2020 Vertical Merger Guidelines
The FTC also voted, along party lines, to withdraw its approval
of the Vertical Merger
Guidelines, issued jointly with the Department of Justice
(“DOJ”), and the FTC’s Vertical Merger Commentary.
These guidelines had outlined how the federal antitrust agencies
would evaluate the likely competitive impact of vertical mergers
and whether those mergers complied with U.S. antitrust law. The
associated commentary had summarized a selection of prior
investigations that largely utilized the framework in the
guidelines.
In voting to rescind the guidelines, the majority expressed a
belief that the guidelines had relied on flawed economic theories
and provided loopholes that would allow certain companies to avoid
merger regulations. The majority further reasoned that the
guidelines had not yet had a significant impact, and that
withdrawal was necessary to prevent judicial or industry reliance
on the flawed approach. Notably, the Commission did not issue any
new guidelines for vertical mergers to replace the withdrawn
guidelines, but instead reaffirmed its commitment to working with
the DOJ to update the agency’s merger guidance. Whether and
when these updates will occur, however, remains to be seen. Until
new guidance is issued, the majority noted that the FTC will
continue to analyze mergers in accordance with its statutory
mandate, which does not presume efficiencies for any category of
mergers.
The two Republican Commissioners voted no and dissented, as both
had supported the adoption of the 2020 Vertical Merger Guidelines.
Commissioner Wilson expressed deep concern that the majority was
unilaterally withdrawing sound guidance that was supported by
economics with little notice or opportunity for public comment.
Commissioner Phillips agreed and also noted that by withdrawing the
guidance without providing replacement guidance, the majority was
creating uncertainty in the market and would cause confusion for
companies on how the FTC would review these mergers going
forward.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
