In the United States, the Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for most businesses. Companies that violate privacy rights of consumers or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state-level authorities.
In the United States, the Federal Trade Commission (FTC) serves as the primary federal enforcer of consumer data privacy and security laws for most businesses. Companies that violate privacy rights of consumers or mishandle sensitive consumer information may face legal enforcement actions brought by the FTC and state-level authorities. The FTC began to bring these actions in the late 1990s and has since established a wealth of its own privacy jurisprudence in the absence of many judicial decisions relating to FTC enforcement. Together with various state-level agencies, the FTC has successfully investigated and taken legal action against many companies that have been alleged to have mishandled personal consumer information. Here are four key considerations you need to be aware of in ensuring compliance.
1. What is the scope of FTC authority to enforce consumer privacy and security?
Within the FTC's Bureau of Consumer Protection, the Division of Privacy and Identity Protection is responsible for consumer privacy enforcement. In the early stages of its involvement in data privacy enforcement, the FTC simply enforced regulations created by companies for themselves, pursuant to its authority under Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."1The FTC's authority has expanded over the years to include enforcement of key portions of the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and the Children's Online Privacy Protection Act of 1998 (COPPA).
2. How does the FTC's self-regulatory regime work?
Under the FTC's self-regulatory regime, companies are required to disclose their privacy policies to consumers and abide by their stated policies. Two pillars of the self-regulatory system emerged from the Fair Information Practice Principles issued in the 1970s by the U.S. Department of Health, Education, and Welfare: notice and choice.
3. Are FTC enforcement actions effective?
As a consumer data protection authority, the FTC has been criticized as being weak and lacking teeth, particularly compared to data protection authorities in other countries. Many other nations have established government agencies with designated authority to enforce data privacy laws, whereas the development of the FTC into a data protection authority was much less deliberate. Undoubtedly, data privacy and security laws in the European Union are stronger and more developed than the body of applicable law in the United States.
In fact, disapproval by EU leaders of the inadequacy of data privacy laws and enforcement in the United States was the impetus of the U.S.-EU Safe Harbor Framework, implemented in 2000. The Safe Harbor Framework provided a legal mechanism for companies to transfer consumer data between the EU and U.S., after EU leaders passed legislation prohibiting member nations from transferring data to countries with inadequate privacy protection. Following a finding by the European Court of Justice in 2015 that the Safe Harbor Framework did not provide an adequate level of privacy protections, the U.S. and EU renegotiated and improved upon the Framework, replacing it with the EU-U.S. Privacy Shield Framework in 2016.
Despite criticism of its regulatory inadequacy, the FTC has successfully brought legal actions against many businesses addressing a wide range of data privacy issues including peer-to-peer file sharing, social media networking, spam, spyware, behavioral advertising and failure to adhere to privacy commitments.
4. What is the future of FTC enforcement actions?
The FTC's approach to enforcement actions against companies that fail to properly handle consumer data will likely shift to imposing more customized conditions. Under the Eleventh Circuit's decision in LabMD, specific benchmarks for data security, rather than vague standards of "reasonableness," will be required for companies accused of failing to safeguard data. Given the speed of innovation, defining "reasonableness" for each individual company may prove challenging for the FTC.
As the U.S. looks forward in its approach to consumer data privacy protection, there may be a trend toward aligning U.S. data privacy laws and enforcement measures with the robust body of law in this area in the EU. If that trend develops, it is likely that the FTC will need to be empowered with even more regulatory powers with a clearer congressional mandate.
Marcie Ernst is a partner in SGR's Litigation Practice. She has extensive experience in commercial litigation at trial and appellate court levels. Her practice also includes cybersecurity, data privacy and technology matters.
1 15 U.S.C. § 45(a)(1).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.