Demystifying Privacy Law: FTC Data Privacy Enforcement

Unlike many countries in the world, the United States does not have one regulatory agency with authority to monitor and enforce data privacy violations. The U.S. uses a sectoral model of data privacy protection, relying on a variety of enforcement mechanisms. One of those enforcement mechanisms, and perhaps the predominant one, is the Federal Trade Commission, or the FTC, which acts as a watchdog to protect against data privacy violations. It can bring lawsuits for "unfair practices" or "deceptive practices" for many violations, including breaches of a data controller's own privacy policy. What is the source of FTC data privacy enforcement, and how does it go about enforcing data privacy? This article provides an overview of the FTC's power, contemporary issues of FTC enforcement, and potential hotspots for data privacy-related government litigation.

The FTC’s Reach

The Federal Trade Commission “is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy.” The FTC draws its primary legal authority from Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”

The FTC has interpreted Section 5 as giving it a broad mandate to police data privacy and security, using its powers to bring hundreds of privacy suits. Where appropriate, it can seek a variety of remedies including the “implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and provision of robust notice and choice mechanisms to consumers.” See the FTC's 2014 Privacy and Data Security Update for more information on the powers of the FTC with respect to data privacy.

Section 5 Unpacked: What are “Deceptive Practices”

The vast majority of cases brought by the FTC fall under Section 5’s “deceptive practices” language. These cases often involve a failure on the part of the target companies to adhere to the data protection principles set out in their own privacy policies.

For a privacy violation to fall under the category of a “deceptive practice,” the following three factors must be present:

There Must Be A Representation, Omission Or Practice That Is Likely To Mislead The Consumer

The FTC evaluates representations made to the public on matters of data security and privacy, attempting to discern whether or not they are misleading. Such faulty representations can include written and oral misstatements, expressly or impliedly alleging the existence of practices the company fails to follow.

The Act Or Practice Must Be Considered From The Perspective Of A Reasonable Consumer

The FTC will not hold a company liable for every interpretation, belief or act of a consumer. In determining whether or not a practice can be said to be “deceptive,” the FTC views the issue from the vantage point of a reasonable consumer. Legal actions against targeted companies are “replete” with references to the reasonable consumer standard, which can be adjusted when evaluating deceptive practices tailored toward a specific group (e.g., children or the elderly).

The Representation, Omission or Practice Must Be Material

Material misrepresentations are those "likely to affect a consumer’s choice of or conduct regarding a product." Express claims and statements that “significantly involve health, safety or other areas with which the reasonable consumer would be concerned” are presumed material. A statement can also be inferred to be material through implied claims.

Section 5 Unpacked: What are “Unfair Practices”

The second prong of the FTC Section 5 mandate involves “unfair practices,” or those that “cause or are likely to cause substantial injury to consumers” and are “not reasonably avoided by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” This set of criteria limits the FTC’s jurisdiction, though it remains to be seen how unfair practice analysis will impact questions of data security impropriety.

Since 1964, the FTC has identified three major characteristics of an unfair practice.

Consumer Injury

As mentioned in the definition above, consumer injury is the most important facet in FTC determinations on the issue. To raise the specter of an unfair practice, the possibility of consumer injury must be substantial, with no countervailing consumer or competitive benefits to tip the scales in the other direction. Finally, the injury must be of the sort that consumers themselves could not have avoided in a reasonable manner.

Violation of Public Policy

A second characteristic of an unfair practice analysis involves conduct that “violates public policy as it has been established by statute, common law, industry practice or otherwise.” The FTC considers the public policy avenue a secondary line of attack, reserved for situations in which the examination of “outside statutory policies and established judicial principles” compounds evidence of consumer injury or otherwise hints at a violation of a public norm. To act as a firm foundation for Commission action, the relevant public policy must be clear and well-established. In practice, this makes the FTC reluctant to bring suits solely on the basis of a public policy violation.

Unethical or Unscrupulous Conduct

The third and final pillar of an unfair practice analysis involves ascertaining whether targeted conduct was “immoral, unethical, oppressive or unscrupulous.” Originally intended as a catch-all mechanism allowing the FTC to bring suits against companies for the violation of “generally recognized standards of business ethics,” this provision is mostly redundant. As the FTC notes, “conduct that is truly unethical or unscrupulous will almost always injure consumers or violate public policy.”

Summing Up: What You Should Know About Data Security And The FTC

The jurisdiction of the Federal Trade Commission over matters of data security remains poorly defined, and it could take some time for courts to clarify the subject. While you wait for better direction, there are some common-sense principles you can implement to guide your handling of consumer privacy issues and avoid possible government litigation.

“First, do no harm.” You can avoid the brambles of privacy suits by building data security into every service you offer. Be upfront and honest about the way you handle your customers’ personal information, and don’t blur ethical lines. For tips on how to handle personally identifiable information, see our earlier article.

Second, build an excellent privacy policy. Establish clear, coherent and workable guidelines for your company and the public. More importantly, follow your own guidelines! For tips on how to draft an excellent privacy policy, see our article on the subject.

Third, take advantage of outside advice.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.