Fourth Amendment
ban against unreasonable searches and seizures
Search warrants must:
- show “probable cause” that a crime has been or is likely to be committed and supported by testimony
- approved by neutral magistrate
- requires specifics about place being searched
FTC enforcement process
source
- Minor
- mutual resolution
- FTC/respondent - Significant pattern
FTC investigation
Violations
- Administrative trial
violations
- injunctions or civil penalties via federal district court - Consent decree
Violations
- federal district court
FMLA
Family and Medical Leave Act
Entitles certain employees to unpaid leave in event of a birth or illness of self or family member
FCRA
Fair Credit Reporting Act
Enforced by FTC and CFPB
- entities must have permissible purpose for obtaining a consumer report
- pre-employment screening for qualification of promotion, reassignment, retention
- permits investigative consumer reports if PERMISSIBLE PURPOSE exists
- limit use of medical information obtained by CRA
- limit use of consumer reports to “PERMISSIBLE PURPOSES”
- mandate CRAs have accurate, relevant, and timely info
CISA
Cybersecurity Info Sharing Act
- meant to improve US cybersecurity by encouraging government and companies to voluntarily SHARE unclassified info about cybersecurity threats and how successfully address
- non-federal entities authorized to receive “cyber-threat indicators”
- defensive measures - acts applied to info systems that detect and prevent cybersecurity threats or security vulnerabilities
SCA
Stored Communications Act
- part of ECPA in 1986
- established general prohibition against unauthorized acquisition, alterations/ blocking of e-communications in e-facility where e-comms service is provided
- legal limits on internet are stricter than those for access to stored records
CCPA
Cable Communications Policy Act of 1984
- established national policy for regulation of cable TV communications by federal, state, and local authorities
Requires: cable tv, cable operations and other cable organizations to provide notice to customers at the time of their agreement and annually to include nature of PI collected, how it was used, retention period, how to access and correct own PI
Enforced: FCC
Violations: investigations and civil penalties
DAA
Digital Advertising Alliance
Non-profit collaboration with businesses, public policy groups and public officials to establish and enforce “responsible privacy practices across the industry for relevant digital ads, providing consumers with enhanced transparency and control”
- consumer management of opt-outs
CLOUD
Clarifying Lawful Overseas Use of Data Act
Provides transborder access to communications data in criminal law enforcement investigations
FTC Privacy Responsibilities
prevent unfair methods of competition and unfair or deceptive trade practices
- Prescribes trade regulation rules
- can conduct administrative proceedings, issue C+Ds, and if violations continue, impose civil penalties
PCLOB
Privacy and Civil Liberties Oversight Board
- coordinated by DHS
- oversees and reviews privacy and civil liberties implications within CISA acts
- government shares technical data with companies about cybersecurity threats
- must publish guidelines on use and disclosure of shared info for privacy concerns
Telemarketing Sales Rule
FTC implemented it to implement Telemarketing and Consumer Fraud and Abuse Prevention Act
- restricts telemarketing calls, auto phone dialing, and pre-recorded messages
- requires consumer consent for robocalls
Violations: up to 11k per violation
Telecommunications Act of 1996
- modernizes regulations of telecoms industry by promoting competition, encourage tech innovation and foster growth of the telecoms sector
- address concerns of phone companies’ misuse of personal records for internal marketing purposes
Enforced: FCC
Violations: revoke licenses, fines, seize property, implement compliance plans through consent decrees
FTC enforcement process sources
claim, press report, consumer complaint
exceptions to the DNC registry
- consent by consumer
- existing business relationship
- on behalf of non-profits
- in DNC safe harbor
Protective orders
judge decides what info is public and not and conditions for who may access on 3 part test:
- resisting party must explain why info should be confidential
- requesting party must show how info is relevant
- court must weigh harm disclosure against need for info
CAN-SPAM Act
Controlling Assault of Non-Solicited Porn and Marketing Act of 2003
Rules for commercial messages prohibit:
- false/misleading headers
- addy harvesting
- creating multiple accounts
- transmission through unauthorized accounts
- deceptive subject lines
- emailing opted-out recipients
Requires:
- clear, conspicuous explanation of how to opt out
- functional return email
- warning for sexually explicit messages
- clear ID of commercial message
- valid physical address
JFPA
Junk Fax Prevention Act
- prohibits use of fax machines, computers, other devices to send unsolicited ads to fax machines
Senders of ads required to:
- establish business relationship with person
- obtain fax number through voluntary communications from recipient/internet directory where number was voluntarily made available for public
- conspicuous notice on first page of how to opt out
Violations: 500-1500$
3 goals of financial privacy laws
Confidentiality, Security, Laws and Regulations
What to include in a data breach notification
- description of incident in general terms
- approximate date of incident
- description of type of PI involved
- description of what the business has done to prevent further unauthorized access
- phone # for further info
- list of steps to take to protect against ID theft
- contact information of FTC and relevant AG’s office
Recommended Stages of Incident Response Program
- Prepare: users and IT staff to handle
2: ID: determine if it was a security incident - Containment: limit damage of incident and isolate and prevent more damage
- Eradication: find root cause of incident and remove affected system
- Recovery: permit affected systems back into product environment and ensure no threat remains
- Lessons Learned: complete incident documentation and perform analysis to learn and improve response efforts
Vendor Due Diligence
procuring organization may have standards and processes for vendor selection like:
- vendor reputation
- financial conditions and insurance
- point of transfer
- disposal of information
- employee training and user awareness
- vendor incident response
- audit rights
Facebook 2012, 2019
- FB agreed to consent order to prohibit misrepresenting extent users can control privacy of their info
- FTC claims FB violated 2012 consent order
- 2019 settlement agreement - FB restructured approach to privacy and increased accountability and paid $5B fine
What is an unfair trade practice to the FTC
those that cause or are likely to cause significant injury to consumers, lack offsetting benefits to consumers/competitors and which are not reasonably available by consumers themselves
