FTC Background
- Independent agency governed by 5 commissioners (with one being the Chair).
- Has authority to enforce against “unfair and deceptive trade practices.”
- Specific authority to enforce COPPA, and CAN-SPAM.
- Prominent role in development of U.S. privacy standards.
-
Federal privacy areas covered by federal agencies.
Medical - HHS Office of Civil Rights
Financial - CFPB generally; Federal Reserve and Comptroller of Currency for institutions under their jurisdiction pursuant to GLBA.
Education - ED
Telemarketing and marketing privacy - FCC (with FTC) under TCPA and other statutes.
Workplace privacy - EEOC and others.
State Dept role in privacy
Negotiating internationally on privacy issues with other countries and multinational groups like OECD.
US Dept of Commerce
Leading role in policy development and administered Privacy Shield Framework.
US Dept of Transportation
Enforced privacy shield violations between US and EU for some transportation companies.
FAA, on drone policy.
National Highway Traffic Safety Administration, on connected cars.
OMB
Interpreting Privacy Act of 1974.
Also issues guidance to agencies and contractors on privacy information security issues, such as data breach disclosure and privacy impact assessments.
IRS
Subject to privacy rules re. tax records.
Other Dept of Treasury parts involved with financial records issues, including compliance with money laundering rules at the Financial rimes Enforcement Network.
US Dept of Homeland Security
E-verify program for new employees, rules for air traveler records (TSA), and immigration and other border issues (ICE).
Dept of Justice
DOJ is sole federal agency to bring criminal enforcement actions, which can result in imprisonment or criminal fines. Some statutes provide for civil and criminal, so DOJ works with other enforcement agency (eg HHS for HIPAA).
FTC Jurisdiction - Section 5 of FTCA
- Section 5 of the FTC Act is perhaps the single most important piece of U.S. privacy law. Section 5 notably says that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful,” although it does not mention privacy or information security.
- During the 1990s, the FTC began bringing privacy enforcement cases under its powers to address unfair and deceptive practices.
- Congress added privacy-related responsibilities to the FTC over time, such as those under the Children’s Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
- Among other authoritative powers, Section 6 of the FTC Act vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
- FTCA Section 5 not apply to nonprofits, banks and common carriers.
FTC Jurisdiction - specific laws
- FTCA Section 5 - Enforcement, but rulemaking is only in theory under burdensome Magnuson-Moss Act of 1975.
- Rulemaking and enforcement for COPPA.
- Rulemaking and enforcement for CAN-SPAM (shared with FCC).
- Rulemaking and enforcement for Telemarketing Sales Rule (shared with FCC).
- Enforcement shared with CFPB for financial institutions not covered by other regulator (like Fed or Comptroller) WRT GLBA , FCRA (and FACTA). No rulemaking authority.
- Rulemaking and enforcment authority shared with HHS for data breaches related to medical records under HITECH Act of 2009.
FTC Consent Decrees
- Defendant not admit fault, but promises to change its practices and avoid further litigation on the issue. States what must do or must not do, and requires maintain proof of compliance, maintain privacy program, subject to audits, inform relevant persons of the CD.
- Posted publicly.Provide guidance re. what practices FTC considers inappropriate.
- Any violation of the CD can lead to enforcement in federal district court, including civil penalties, injunction and other relief.
- CDs monitored by Enforcement Division within the Bureau of Consumer Protection.
FTC Enforcement Process
- Broad investigatory powers.
- FTC issues complaint, and leads to administrative trial before ALJ.
- If violation found, ALJ can enjoin (appeal to comissioners, and then to district court).
- order of commission is final within 60 days after serve on company.
- FTC lacks civil fine authority, but if FTC ruling ignored, can seek civil penalties in federal court up to $40,654 per violation and seek compensation for those harmed.
Privacy notices required?
- Although there is no omnibus federal law requiring companies to have public privacy notices, certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements.
- Also, California requires companies and organizations doing in-state business to post privacy policies on their websites.
- By 2000, the vast majority of commercial websites posted privacy notices even in the absence of a legal requirement.
- By then, privacy notices had become a standard feature of legitimate commercial websites.
First FTC Internet privacy enforcement action?
In the Matter of GeoCities, Inc. (1999)
Company promised not to sell data without consent, but they did, and entered into CD with FTC. Company had to post conspicuous privacy notice.
Eli Lilly case (2002)
Privacy notice made promises about security and privacy of user data provided to website. Company sent email to users revealing email addresses of all subscribers. CD with FTC , for first time, required company to develop and maintain an information security and privacy program.
- So not just require company to refrain from unfair/deceptive practice, but was adding a proactive requirement.
Deceptive practice standard?
- For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
- Deceptive practices include false promises, misrepresentations, and failures to comply with representations made to consumers,
In the Matter of Nomi
- Placed sensors in brick and mortar businesses to detect MAC address of mobile devices searching for wifi, and used data to analyze customer retail traffic patterns.
Misled consumers about opt-out ability, and did not inform consumers where this was taking place.
CD made them stop this.
In the Matter of Snapchat
Deceptively led consumers to believe that snaps went away, when were many ways to keep.
Also, deceptively collected names and numbers of all contacts on user’s mobile device address book.
Also, did not secure find a friend feature.
Hackers compiled database using address book data.
CD had company agree not to continue doing these things.
In Matter of TRUSTe, Inc.
Failed to conduct annual recerts in more than 1k instances, despite claim to conduct annual recerts (COPPA and Safe Harbor).
- Comprehensive records required by CD and 200k civil penalty.
Unfair claims under FTCA, re. privacy
- By 2004, the FTC began to enforce “unfair” practices as well.
Unfair claims can exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.
Wyndham standard: Unfair “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business.”
In the Matter of Wyndham Worldwide Corp.
- Company challenged unfairness authority of FTC to require more than minimum standards.
- 3rd Circuit upheld FTC authority.
- Then company entered into CD. Agreed to maintain comprehensive infosec program, etc.
In the Matter of LabMD, Inc.
- Company chose to fight rather than settle.
- Hack led to sensitive info of customers being stolen.
- FTC brought action - lost at ALJ level, won at commissioner level, but lost at 11th circuit. 11th said standard of requiring “reasonable” data security measures to achieve fairness was too vague and violated company’s due process rights because not know prior what the standard is.
FTC Enforcement History
- From late 1990s - Chairman Pitofsky approach = “notice and choice”. Enforcement actions based on deception and failure to comply with privacy notice, rather than specific, tangible harm to consumers.
- From 2001 to 2009, Chairman Muris and Platt-Majors emphasized “harm-based model” for enforcement, i.e. harms due to identity theft, and invoked unfairness.
- 2009, Chairman Leibowitz, began including requirement of comperhensive privacy program in CDs, and beyond tangible harm.
- 2009 approach reflected in 2012 White House and FTC reports.
