Ch. 3: Federal and State Regulators and Enforcement of Privacy Laws Flashcards
FTC Background
1) Independent agency governed by 5 commissioners (with one being the Chair).
2) Has authority to enforce against “unfair and deceptive trade practices.”
3) SPECIFIC authority to enforce COPPA, and CAN-SPAM.
4) Prominent role in development of U.S. privacy standards.
-
Federal privacy areas covered by federal agencies.
Medical - HHS Office of Civil Rights
Financial - CFPB generally; Federal Reserve and Comptroller of Currency for institutions under their jurisdiction pursuant to GLBA.
Education - ED
Telemarketing and marketing privacy - FCC (with FTC) under TCPA and other statutes.
Workplace privacy - EEOC and others.
State Dept role in privacy
Negotiating internationally on privacy issues with other countries and multinational groups like OECD.
US Dept of Commerce
Leading role in policy development and administered Privacy Shield Framework.
US Dept of Transportation
Enforced privacy shield violations between US and EU for some transportation companies.
FAA, on drone policy.
National Highway Traffic Safety Administration, on connected cars.
OMB
Interpreting Privacy Act of 1974.
Also issues guidance to agencies and contractors on privacy information security issues, such as data breach disclosure and privacy impact assessments.
IRS
Subject to privacy rules re. tax records.
Other Dept of Treasury parts involved with financial records issues, including compliance with money laundering rules at the Financial rimes Enforcement Network.
US Dept of Homeland Security
E-verify program for new employees, rules for air traveler records (TSA), and immigration and other border issues (ICE).
Dept of Justice
DOJ is sole federal agency to bring criminal enforcement actions, which can result in imprisonment or criminal fines. Some statutes provide for civil and criminal, so DOJ works with other enforcement agency (eg HHS for HIPAA).
FTC Jurisdiction - Section 5 of FTCA
- Section 5 of the FTC Act is perhaps the single most important piece of U.S. privacy law. Section 5 notably says that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful,” although it does not mention privacy or information security.
- During the 1990s, the FTC began bringing privacy enforcement cases under its powers to address unfair and deceptive practices.
- Congress added privacy-related responsibilities to the FTC over time, such as those under the Children’s Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
- Among other authoritative powers, Section 6 of the FTC Act vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
- FTCA Section 5 not apply to nonprofits, banks and common carriers.
FTC Jurisdiction - specific laws
- FTCA Section 5 - Enforcement, but rulemaking is only in theory under burdensome Magnuson-Moss Act of 1975.
- Rulemaking and enforcement for COPPA.
- Rulemaking and enforcement for CAN-SPAM (shared with FCC).
- Rulemaking and enforcement for Telemarketing Sales Rule (shared with FCC).
- Enforcement shared with CFPB for financial institutions not covered by other regulator (like Fed or Comptroller) WRT GLBA , FCRA (and FACTA). No rulemaking authority.
- Rulemaking and enforcment authority shared with HHS for data breaches related to medical records under HITECH Act of 2009.
FTC Consent Decrees
- Defendant not admit fault, but promises to change its practices and avoid further litigation on the issue. States what must do or must not do, and requires maintain proof of compliance, maintain privacy program, subject to audits, inform relevant persons of the CD.
- Posted publicly.Provide guidance re. what practices FTC considers inappropriate.
- Any violation of the CD can lead to enforcement in federal district court, including civil penalties, injunction and other relief.
- CDs monitored by Enforcement Division within the Bureau of Consumer Protection.
FTC Enforcement Process
- Broad investigatory powers.
- FTC issues complaint, and leads to administrative trial before ALJ.
- If violation found, ALJ can enjoin (appeal to comissioners, and then to district court).
- order of commission is final within 60 days after serve on company.
- FTC lacks civil fine authority, but if FTC ruling ignored, can seek civil penalties in federal court up to $40,654 per violation and seek compensation for those harmed.
Privacy notices required?
- Although there is no omnibus federal law requiring companies to have public privacy notices, certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements.
- Also, California requires companies and organizations doing in-state business to post privacy policies on their websites.
- By 2000, the vast majority of commercial websites posted privacy notices even in the absence of a legal requirement.
- By then, privacy notices had become a standard feature of legitimate commercial websites.
Deceptive practice standard?
- For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
- Deceptive practices include false promises, misrepresentations, and failures to comply with representations made to consumers,
Unfair claims under FTCA, re. privacy
- By 2004, the FTC began to enforce “unfair” practices as well.
Unfair claims can exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.
Wyndham standard: Unfair “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business.”
2012 White House Consumer Privacy Bill of Rights
- based on traditional FIPs.
- Individual control, on collection and use
- Transparency, of privacy and security practices.
- Respect for context, ie process in ways consistent with context in which data provided by consumer.
- Security
- Access and accuracy,
- Focused collection - ie reasonable limits on collection and retention.
- Accountability -
Also emphasized international interoperability, and FTC enforcement.
2012 FTC Report
- Many of same themes as White House Consumer Privacy Bill of Rights
- Privacy by Design
- Simplified consumer choice - not for uses consistent with collection context, but for other uses.
- Transparency - clearer, shorter privacy notices.
- Do not track mechanism.
- Mobile - greater self-regulation
- Data brokers - support legislation giving access to info held by DBs.
- Large platform providers - examine issues of those doing “comprehensive tacking”.
- self-regulatory codes - promoted.
2015 FTC Privacy and Data Security Update
Reasonable data security practices should include at least 5 principles:
(1) companies should be aware of what consumer information they have and who has legitimate access to this data;
(2) companies should limit the information they collect and maintain for their legitimate business purposes;
(3) companies should protect the information they maintain by assessing risk and by implementing procedures for electronic security, physical security, employee training and vendor management;
(4) companies should properly dispose of information they no longer need; and
(5) companies should have a plan in place to respond to security incidents, in case they occur.
2015 unfairness trend: FTC bringing enforcement when company unreasonably and unnecessarily exposed consumers personal data to unauthorized access. After hack or malware attack, FTC investigates to determine if they had taken reasonable steps.
2016 FTC Privacy and Data Security Update
- Focused on smartTVs, drones and ransomeware.
- letters of warning re. TV beacons collected by phones to target adds.
- InMobi - fine $1M re. deceptively tracking location even when consumer opted out.
- Turn, Inc. settled allegations it continued to track even after consumer deleted cookies and reset identifiers on phone.
State privacy enforcement
- Each state has a law similar to Section 5 of FTCA (UDAP statutes).
- In addition to unfair and deceptive, some state laws allow enforcement against “unconscionable” practices.
- Some federal laws, like CAN-SPAM, allow state AGs to bring enforcement actions along with relevant federal agency.
- Several states allow PROA under UDAP.
- State enforcement of data breach notificatoin laws, and related security lapses.
- sector speciic - medical, financial, and workplace. Smart grid and state utilities.
- Privacy torts.contract enforcement in some cases as well, when breach of a promise.
- National Association of Attorneys General Consumer Protection Project.
- California leading way. Eg, mobile app privacy permissions, data breach notice actions, inadequate privacy notice actions.
Self regulation and enforcement
3 components:
- Legislation - Who should define the privacy rules.
- Enforcement - Who should initiate actions.
- Adjudication - Who should decide whether violation ocurred.
Sometimes is hybrid, or co-regulation, where company or industry does legislation, and govt. agency (FTC or state AG, eg) investigates and ALJ and courts adjudicate.
PCI-DSS is completely self-regulatory.
Certification programs, if explicitly allowed for in statute (like COPPA) can serve as way to comply with legal requirements. is form of co-reg.
- Digital Advertising Alliance, coalition of media and advertising organizations, is self-reg.
Obama Admin, and 2012 efforts, endorsed self-reg. with all stakeholders involved, including consumer groups. so is multi-stakeholder approach.
- NTIA issued report mid2010s on drones and privacy after multi-stakeholder effort.
Cross-border enforcement
- OECD in 2007 called for member countries to work together to promote cross-border enforcement cooperation.
- Led to GPEN- Global Privacy Enforcement Network in 2010. Aim is to promote cross-border info sharing and investigative/enforcement cooperation around the world.
- Also, there is APEC’s Cross Border Privacy Enforcement Arrangement
Conflicts Between Privacy and Disclosure Laws
Arise when privacy laws in Country X prohibit disclosure but laws in Country Y compel disclosure.
- Example - US court requires litigant to disclose X document in course of litigation, but its subject to GDPR which prohibits disclosure.
- More details on Ch 4
What is Civil Litigation?
Occurs in courts when one person sues another person to redress a wrong.
What types of relief may a person seek in civil litigation?
- Monetary Judgment
2. Injunction
When may person sue based on a violation of law?
When a law creates a private right of action (ex. FCRA)
What is Criminal Litigation?
Lawsuits brought by the government for violations of criminal laws.
What types of punishment are typical associated with Criminal Litigation?
- Imprisonment
2. Criminal Fines
Who initiates Criminal Litigation?
- DOJ
2. State attorney generals
What are Agency Enforcement Actions?
Actions carried out pursuant to the statues that create and empower an agency.
What is the Administrative Procedure Act?
An act laying out the basic rules for agency enforcement actions.
What Act and Agency(ies) govern Medical Privacy?
Agencies - OCR and CMS (both roll up to HHS)
Act - HIPAA
What Act and Agency(ies) govern Financial Privacy?
Agencies - CFPB, OCC, FED
Act - GLBA
What Act and Agency(ies) govern Education Privacy?
Agencies - Dept. of Education
Act - Family Educational Rights and Privacy Act
What Act and Agency(ies) govern Telemarking and Marketing Privacy?
Agencies - FCC and FTC
Act - Telephone Consumer Protection Act and other statues
What Act and Agency(ies) govern Workplace Privacy?
Agencies - EEOC and other agencies
Act - ADA other statutes
Which Acts give the FTC power to govern privacy issues?
- FTC Act Section 5
- FCRA
- Children’s Online Privacy Protection Act (COPPA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- Telemarking Sales Rule
What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?
FTC
- Achieves a consent decree that incorporates good privacy and security practices
- Avoids the expense and delay of trail
- Gains an enforcement advantage due to the fact the fines are easier to assess in federal court if a company violates a consent decree
Company
- Avoids a prolonged trial
- Avoids negative publicity
What is considered “unfair”?
An injury that is:
- Substantial
- Without offsetting benefits
- one the consumers cannot reasonably avoid.
Unfair Case: Gateway
Facts: Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed Gateway stated they would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out.
Unfair Case: BJ’s Wholesale Club
Facts: BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.
Unfair Case: Google
Google buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google’s privacy notice.
Unfair Case: Facebook
Facts: Facebook repeatedly made designated personal private information public. This was in violation of Facebook’s privacy notice.
What are the Consumer Privacy Bill of Rights?
- Individual Control
- Transparency
- Respect for Context
- Security
- Access and Accuracy
- Focused Collection
- Accountability
What areas did the FTC Report emphasize?
- Privacy by Design
- Simplified Consumer Choice
- Transparency
What five priorities did the FTC announce for attention?
- Do Not Track
- Mobile
- Data Brokers
- Large Platform Providers
- Promoting enforceable self-regulatory codes
How to states enforce against unfair and deceptive practices?
Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. Ina addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
Who enforces UDAP laws?
State attorney generals
How does self regulation occur?
Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication
What does legislation refer to?
To the question of who should define the appropriate rules for protecting privacy.
What does enforcement refer to?
To the question of who should initiate enforcement actions.
What does adjudication refer to?
To the question of who should decide whether a company has violated the privacy rules, and with what penalties.
Where does self regulation occur with Section 5 of the FTC and state UDAP laws?
At the legislation stage - companies write their privacy policies.
What is PCI DSS?
Payment Card Institute Data Security Standard
Where does self regulation occur with PCI DSS?
At all three stages.
What is GPEN?
Global Privacy Enforcement Network. it aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
What is APEC?
Asia-Pacific Economic Cooperation. The Asia-PAcific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating member to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.
Cable Communications Privacy Act of 1984
CCPA- regulates required notice of cable TV providers, once at start of service and annually thereafter.
You can request opt-out, but exceptions are:
- legit business activities
- court order
- Name and address only
FCC, FTC
Communications Assistance to Law Enforcement Act of 1994
CALEA, Digital Telephony Bill.
- requires communications companies to design products to allow for lawful government access (wiretaps, etc)
As of 2005, includes internet.
FCC, FTC
CAN-SPAM Consent to Share Requirements
“Express Prior Authorization”- must be an affirmative OK, like a checkbox or button. It can be written, oral, or digital, must there must be a record of it.
CAN-SPAM email requirements
- No false or misleading headers
- clear, working return email address
- clear opt-out without cost
- don’t send to those who have unsubscribed (10 day grace period)
- no aggravated actions, like address harvesting
- pornographic content must have a warning label
Now covers texts, too
Cybersecurity Information Sharing Act of 2015
CISA- federal government can share unclassified, technical data with companies about attacks/breaches, as well as how to defend against them.
No consent needed. PI must be removed.
DHS, DOJ
Electronic Communications Privacy Act of 1986
Collective name of ECPA and Stored Wire Electronic Communications Act, which updates the Federal Wiretap Act.
Protects communications when made, in transit, and stored on computers.
Only one party (provider exception) needs to consent to share.
Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehab Act of 1970
Must have written patient consent to share these types of medical records. Covers any program receiving federal funding.
Exceptions:
- medical emergency
- research
- audits, evaluations
- crimes on premises
- child abuse
- court order
- for the organization to provide services
Often in parallel with HIPAA.
AG.
FERPA vs. HIPAA
HIPAA doesn’t cover a school if FERPA covers them. This is generally a public-funded school with a nurse on staff.
FERPA does NOT apply to private schools, so HIPAA would cover them.
College health centers treating only students = FERPA
College health centers treating students and staff = FERPA for students, HIPAA for staff
5th Amendment
No self-incrimination, which is often interpreted to mean you have a right to privacy in some situations
GINA- what agencies enforce it?
EEOC - Title II (employment discrimination)
DOL, HHS, Treasury- title I (genetic info in health insurance)
Junk Fax Prevention Act
Created the EBR exception in TCPA. Faxes must have a clear opt out.
FTC, FCC, TCPA
21st Century Cures Act of 2016
It’s OK to give researchers health data to “expedite research.”
Provisions:
- OK to view data remotely in compliance with HIPAA
- must have certs of confidentiality
- can’t block pharma’s access to the data
- no personal info
FDA
PATRIOT ACT, Section 215
“Library Records” provision and “Tangible Things” provision: allows FBI director to apply for an order to produce materials that assist in investigations against terrorism.
- things like books, papers, records
Only FISA and magistrate judges can grant it. Does NOT need to say why it was granted!
USA FREEDOM Act of 2015
Modified Patriot Act:
- outs some restriction on bulk collection, following Snowden
- restored roving wiretaps for terrorist tracking
Privacy Protection Act of 1980
PPA- gives the media extra protection from government searches in criminal investigations.
Based on 1978 case Zurcher v Standford Daily, where police used a warrant to look through unpublished photos of a demonstration to find a suspect. SC said this was OK as long as there was strong case that evidence would be found. Still requires warrant or subpoena
Binging Corporate Rules (BCRs)
Internal rules for data transfers within multinational companies, like a code of conduct for transfer.
Standard Contract Clauses (SCCs)
Established by EU to cover data transfer outside of EU:
- 2 for controller to controller
- 1 for controller to processor
4 Types of Privacy
Info (PII, etc)
Communications (mail, phone, email)
Bodily (drug testing, health testing, search, etc)
Territorial (home, work, monitoring, etc)
Data Controller vs. Processor
Per GDPR:
- Controller: determines the purpose and means for processing PI
- Processor: processes data on behalf of controller.
Under GDPR, the controller must make sure the processor takes appropriate security measures.
Is an IP personal data?
In the EU, yes. In the US, under the Privacy Act, no, but the FTC considers it PI if breached
Info Management: Discover, Build, Communicate, Evolve
Discover: ID the issue, self assess, and determine best practice
Build: Make procedures, verify, and implement
Communicate: document and educate
Evolve: affirm, monitor, and adapt
What laws DO NOT preempt stricter state law?
GLBA TSR / TCPA VPPA (except CA) ECPA (except in DE and CT) PPA RFPA HIPAA SAMHSA
What laws allow for Private Right of Action?
CCPA VPPA FCRA ECPA CA SB 1386
What laws do NOT allow for private right of action?
GLBA
COPPA
CAN-SPAM
GINA
What are the rules in FACTA?
The disposal rule and the red flag rule
what are the rules in GLBA?
Safeguard rule; Privacy rule
What rules are in HIPAA?
Privacy rule; Security rule; Omnibus rule
What regulatory body created TSR?
FTC
What rule is part of TCPA
TSR
What act created DoNotCall Registry
TCPA
What act was amended to include SCA?
ECPA
What two acts have a privacy rule?
HIPPA and GLBA
What act(s) require opt-in to share information?
FCRA; COPPA; HIPAA
What act(s) require privacy notices?
GLBA; COPPA; HIPAA
What act(s) allow for opt-out of sharing?
GLBA; CAN-SPAM; JFPA
What act(s) have strong preemption?
FACTA; FERPA; CAN-SPAM
What act(s) have some preemption?
COPPA; TCPA (Interstate regulations)
What act(s) have Private right of action?
FCRA; RFPA; TCPA;VPPA; JFPA; CCPA;
What act(s) require training?
HIPPA
what are legally complaint method for transporting at out of the US?
Binding Corporate Rules (BCC); Standard Contractual Clauses (SCC); Privacy Shield; Codes of Conduct; Certification Mechanisms;
4th Amendment principles have informed a number of statutes such as:
- Wiretap laws,
- the Electronic Communications Privacy Act,
- the Right to Financial Privacy Act (applying to financial institutions), and
- the Privacy Protection Act (applying to reporters and media companies)”
Which US laws require disclosure of personal information held by an organization?
- Food, Drug and Cosmetic Act (FDA)
- OSHA
- HIPAA
According to FRCP 45 a subpoena must:
- State the court from which it is issued
- State the title of the action and its civil-action number
- Command each person to whom it is directed to do the following at a specific time and place: attend and testify; produce designated documents, electronically stored information or tangible things in that person’s possession, custody or control; or permit the inspection of premises
- Set out the text of the rules describing a person’s right to challenge or modify the subpoena.
How many bureaus at FTC?
Three bureaus do the work of the FTC: Competition, Consumer Protection, and Economics. Several other offices help implement the mission of the bureaus.
Lisa the three bureaus do the work of the FTC
1) Competition
2) Consumer Protection
3) Economics.
Several other offices help implement the mission of the bureaus.
Wireless telecommunication services means services providing for the transmission of wireless communications utilizing frequencies authorized ________ _______ ________ ________for paging systems, enhanced specialized wireless telecommunication, television, personal communication services or cellular telephone.
by the Federal Communications Commission
What is Civil Litigation?
Occurs in courts when one person sues another person to redress a wrong.
What types of relief may a person seek in civil litigation?
- Monetary Judgment
2. Injunction
When may person sue based on a violation of law?
When a law creates a private right of action (ex. FCRA)
What is Criminal Litigation?
Lawsuits brought by the government for violations of criminal laws.
What types of punishment are typical associated with Criminal Litigation?
- Imprisonment
2. Criminal Fines
Who initiates Criminal Litigation?
- DOJ
2. State attorney generals
What are Agency Enforcement Actions?
Actions carried out pursuant to the statues that create and empower an agency.
What is the Administrative Procedure Act?
An act laying out the basic rules for agency enforcement actions.
What Act and Agency(ies) govern Medical Privacy?
Agencies - OCR and CMS (both roll up to HHS)
Act - HIPAA
What Act and Agency(ies) govern Financial Privacy?
Agencies - CFPB, OCC, FED
Act - GLBA
What Act and Agency(ies) govern Education Privacy?
Agencies - Dept. of Education
Act - Family Educational Rights and Privacy Act
What Act and Agency(ies) govern Telemarking and Marketing Privacy?
Agencies - FCC and FTC
Act - Telephone Consumer Protection Act and other statues
What Act and Agency(ies) govern Workplace Privacy?
Agencies - EEOC and other agencies
Act - ADA other statutes
Which Acts give the FTC power to govern privacy issues?
- FTC Act Section 5
- FCRA
- Children’s Online Privacy Protection Act (COPPA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- Telemarking Sales Rule
What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?
FTC
- Achieves a consent decree that incorporates good privacy and security practices
- Avoids the expense and delay of trail
- Gains an enforcement advantage due to the fact the fines are easier to assess in federal court if a company violates a consent decree
Company
- Avoids a prolonged trial
- Avoids negative publicity
What is considered “unfair”?
An injury that is:
- Substantial
- Without offsetting benefits
- one the consumers cannot reasonably avoid.
Unfair Case: Gateway
Facts: Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed Gateway stated they would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out.
Unfair Case: BJ’s Wholesale Club
Facts: BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.
Unfair Case: Google
Google buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google’s privacy notice.
Unfair Case: Facebook
Facts: Facebook repeatedly made designated personal private information public. This was in violation of Facebook’s privacy notice.
What are the Consumer Privacy Bill of Rights?
- Individual Control
- Transparency
- Respect for Context
- Security
- Access and Accuracy
- Focused Collection
- Accountability
What areas did the FTC Report emphasize?
- Privacy by Design
- Simplified Consumer Choice
- Transparency
What five priorities did the FTC announce for attention?
- Do Not Track
- Mobile
- Data Brokers
- Large Platform Providers
- Promoting enforceable self-regulatory codes
How to states enforce against unfair and deceptive practices?
Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. Ina addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
Who enforces UDAP laws?
State attorney generals
How does self regulation occur?
Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication
What does legislation refer to?
To the question of who should define the appropriate rules for protecting privacy.
What does enforcement refer to?
To the question of who should initiate enforcement actions.
What does adjudication refer to?
To the question of who should decide whether a company has violated the privacy rules, and with what penalties.
Where does self regulation occur with Section 5 of the FTC and state UDAP laws?
At the legislation stage - companies write their privacy policies.
What is PCI DSS?
Payment Card Institute Data Security Standard
Where does self regulation occur with PCI DSS?
At all three stages.
What is GPEN?
Global Privacy Enforcement Network. it aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
What is APEC?
Asia-Pacific Economic Cooperation. The Asia-PAcific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating member to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.
Which agency promotes job creation and economic growth by ensuring fair trade, providing the data necessary to support commerce and constitutional democracy, and fostering innovation by setting standards and conducting foundational research and development?
The Department of Commerce
the federal agency for granting U.S. patents and registering trademarks
The United States Patent and Trademark Office (USPTO)
Agency that regulates interstate and international communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia and U.S. territories is
The Federal Communications Commission
The operating units of the Department of Commerce are:
organizational entities outside the Office of the Secretary charged with carrying out specified substantive functions (i.e., programs) of the Department.
The Bureau of Industry and Security is
an agency of the United States Department of Commerce that deals with issues involving national security and high technology. A principal goal for the bureau is helping stop the proliferation of weapons of mass destruction, while furthering the growth of United States exports.
The Economics and Statistics Administration is an agency within
the United States Department of Commerce that analyzes, disseminates, and reports on national economic and demographic data. Its three primary missions are the following: Release and disseminate U.S. National Economic Indicators.
The U.S. Economic Development Administration is an agency in
the United States Department of Commerce that provides grants and technical assistance to economically distressed communities
The Bureau of Consumer Protection stops unfair, deceptive and fraudulent business practices by collecting reports from consumers and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and is a part of what agency?
FTC
The Federal Trade Commission Act
Codified in 15 USC section 45. Section 5(a) of the FTC act empowers the agency to enforce against - “unfair or deceptive acts or practices in or affecting commerce” are hereby declared unlawful.
Limits on FTC Authority
- Applies to commerce, excluding nonprofits
2. Excludes financial institutions
FTC Privacy & Enforcement Actions
The FTC brings enforcement actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices which holds businesses to fair and transparent privacy and security standards.
Two outcomes of FTC enforcement actions
- Information Resolutions
2. Consent Decree
Consent Decree
Formal contract between the government requiring modification of business practices
Information Resolution
Agreement that the accused company will modify business practices without a formal enforcement action
Privacy Enforcement Actions
- No broad privacy law in the US
- Corporate privacy policies often provide the basis for FTC enforcement actions
- Authority derived from FTCs power to regulate deceptive trade practices
- First action occurred in 1999, FTC files an enforcement action against GeoCities. Case settled with a consent degree requiring a privacy policy and new privacy controls.
- In 2014 – Trustee promised that they would conduct annual reviews of website they would certify but did not do that. Consent decree required a $200k fine and to follow-through on policy.
FTC Security Enforcement Actions
- Authority to regulate unfair business practices
- May arise after a security breach
- May occur on a proactive basis
- Windham – credit card information.
FTC Sunset Policy
Sets a 20-year maximum length on consent agreements
The FTC protects ______ by stopping unfair, deceptive or fraudulent practices in the marketplace.
consumers
What was the first FTC Internet privacy enforcement action?
In the Matter of GeoCities, Inc.
What are the facts of the GeoCities case?
GeoCities operated a website that provided an online community through which users could maintain personal home pages. To register and become a member of GeoCities, users were required to fill out an online form that requested PI, with which GeoCities created an extensive info database. GeoCities promised on its website that the collected information would not be sold or distributed without user consent.
What was the basis of the GeoCities action brought by the FTC?
Enforcement actions was for two separate unfair and deceptive practices. First, the FTC alleged that GeoCities misrepresented how it would use info collected from its users by reselling the information to third parties, which violated its privacy notice. Second GeoCities collected and maintain children’s PI without parental consent.
What was the outcome of the GeoCities action?
GeoCities settled the action and the FTC issued a consent order, which required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use PI. It was also required to obtain parental or guardian consent before collective information from children 12 years of age or under.
When did FTC bring an action against Eli Lilly & Co?
2004
What are the facts of Eli Lilly & Co case?
Eli Lilly is a pharaceutical manufacturer that maintained a website where users would provide PI for messages and updates reminding them to take their medication. The website included a privacy notice that made promises about the security and privacy of the info provided. When Eli Lilly ended the program, it sent subscribers an e-mail announcement, inadvertently addressed to and revealing the e-mail addresses of all subscribers.
What was the basis of the enforcement action against Eli Lilly by the FTC?
It reuslted in settlement terms, which required Eli Lilly to adhere to representations about how it collects, uses and protects user information. It also required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program.
Designerware
Tracking software on rent-to-own computers actually logged keystrokes, had webcam access, took screenshots, logged GPS. Used registration as way of getting personal info,
FTC issued consent decree.
Geocities
Registration info notice said it wouldn’t sell or use data without consent, but they sold it to 3rd parties.
FTC issued consent decree, made them redo privacy notice.
LabMD
Hacked in ‘09 and ‘12. PII and health ins. data leaked.
FTC brought action and LabMD opted for hearing, which was dismissed. FTC forced them to develop a sec program.
LifeLock
They claimed to protect against ID theft totally, but it was really only certain forms of ID theft. Didn’t use encryption on PI or thoroughly restrict access.
Settled with FTC for $1M and fees, had to establish security program.
In 2015, action for failure to comply and fined $100M
Nomi
Sensors in stores detect MAC addresses on phones. FTC claimed they misled about opt-out in notice and didn’t communicate which stores used the service. FTC issued consent decree.
Snapchat
Snapchat was aware snaps could be saved, and address book details were collected from phones. Additionally, “Find Friends” wasn’t secure enough, got hacked, and users were spammed.
Consent decree with FTC
TrustE
Issues digital certs for privacy, which they claimed to do yearly. FTC claimed 1k+ instances not recerted, but given a badge anyways.
FTC settlement
Wyndham Hotels
3 hacks from 2008 - 2009. FTC said they stored CC info unencrypted, allowed easy passwords, didn’t use firewalls when they should have, had out of data systems, didn’t patch, no 3rd party access control, no unauthorized detection measures, and didn’t change any security protocols after breaches.
Wyndham took it to court and lost. 3rd circuit said FTC has the right to extend regulation to cyberspace if it’s causing harm to consumers.
City of Ontario vs. Quon
4th Amendment. City reviewed pager texts and discovered sexual content. Court held that the search and seizure was OK because it was work-related, didn’t violate 4th Amendment.
Aerospaciale vs. SD of Iowa
French company claimed you could only do discovery under the Hague Convention (one judicial state can request evidence from another) after victims of a plane crash in US were trying to get French info, and French company tried to issue protective order. Court said that convention was to facilitate info, so discovery didn’t need to precisely follow the Hague convention.
Apple vs. FBI
FBI wanted back door to encrypted info on criminal’s iPhone. Apple said no. Case was dropped when 3rd party was able to crack it.
Eli Lilly
Had a website that reminded users to take pills. When discontinued, they sent an email out but exposed al the email addresses in the “to” field. FTC brought enforcement action.
First time a privacy and sec program was required as part of settlement.
Riley vs. California
- SC said you cannot search contents of a cellphone without getting a search warrant first.
Katz vs. US
Katz used a apyphone to transmit illegal gambling bets. the FBI recorded it via wiretap, and Katz said this was a 4th amendment violation.
SC agreed, saying people have a right to “a reasonable amount of privacy”
First FTC Internet privacy enforcement action?
In the Matter of GeoCities, Inc. (1999)
Company promised not to sell data without consent, but they did, and entered into CD with FTC. Company had to post conspicuous privacy notice.
Eli Lilly case (2002)
Privacy notice made promises about security and privacy of user data provided to website. Company sent email to users revealing email addresses of all subscribers. CD with FTC , for first time, required company to develop and maintain an information security and privacy program.
- So not just require company to refrain from unfair/deceptive practice, but was adding a proactive requirement.
In the Matter of Nomi
- Placed sensors in brick and mortar businesses to detect MAC address of mobile devices searching for wifi, and used data to analyze customer retail traffic patterns.
Misled consumers about opt-out ability, and did not inform consumers where this was taking place.
CD made them stop this.
In the Matter of Snapchat
Deceptively led consumers to believe that snaps went away, when were many ways to keep.
Also, deceptively collected names and numbers of all contacts on user’s mobile device address book.
Also, did not secure find a friend feature.
Hackers compiled database using address book data.
CD had company agree not to continue doing these things.
In Matter of TRUSTe, Inc.
Failed to conduct annual recerts in more than 1k instances, despite claim to conduct annual recerts (COPPA and Safe Harbor).
- Comprehensive records required by CD and 200k civil penalty.
In the Matter of Wyndham Worldwide Corp.
- Company challenged unfairness authority of FTC to require more than minimum standards.
- 3rd Circuit upheld FTC authority.
- Then company entered into CD. Agreed to maintain comprehensive infosec program, etc.
In the Matter of LabMD, Inc.
- Company chose to fight rather than settle.
- Hack led to sensitive info of customers being stolen.
- FTC brought action - lost at ALJ level, won at commissioner level, but lost at 11th circuit. 11th said standard of requiring “reasonable” data security measures to achieve fairness was too vague and violated company’s due process rights because not know prior what the standard is.
FTC Enforcement History
- From late 1990s - Chairman Pitofsky approach = “notice and choice”. Enforcement actions based on deception and failure to comply with privacy notice, rather than specific, tangible harm to consumers.
- From 2001 to 2009, Chairman Muris and Platt-Majors emphasized “harm-based model” for enforcement, i.e. harms due to identity theft, and invoked unfairness.
- 2009, Chairman Leibowitz, began including requirement of comperhensive privacy program in CDs, and beyond tangible harm.
- 2009 approach reflected in 2012 White House and FTC reports.
What happened in the GoeCities, Inc case?
GeoCities was found to misrepresent how they used user info and they collected and maintained children’s PI w/o consent. consent order required them to post accurate and conspicuous privacy notice and get child parents consent
What happened in the Microsoft Corp matter?
FTC found the “high-level” online security claims were misleading because this security process was in the control of 3rd party vendors. They also collected and shared more info than claimed int he privacy notice.
What happened in the FB case?
deceptive case. FB repeatedly changed services so previously private info was made public. Settlement required FC to provide users with clear notice and obtain consent before making these changes.
What was Obama’s big privacy report?
2012 - Consumer Data Privacy in a Networked Word: a Framework for protecting Privacy and Promoting innovation. Ushered in the “notice and consent approach.” The rights that were stressed to apply were
- Individual control
- Transparency
- Respect for context
- Security
- Access and Accuracy
- Focused collection
- Accountability
FTC report written around the same time as the 2012 Obama. report.
Emphasizes three areas
1. Privacy by Design - incorporate privacy at all stages of business.
2. Simplified Consumer choice.
Transparency
also
Do Not Track Mobile Data brokers Large platform providers Promoting enforceable self-regulatory codes.
What does Section 5(a) under the FTC Act prohibit?
“Unfair or deceptive acts or practices in or affecting commerce.”
True or false?
For data breach notification, state laws require email notice to be the default mode of communication.
False
Briefly summarize the FTC’s powers.
Preventing unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce,
seeking monetary redress and other relief for conduct injurious to consumers,
prescribing trade regulation rules, defining with specificity acts or practices that are unfair or deceptive,
establishing requirements designed to prevent such acts or practices.
True or false? At the state level, the FTC brings a variety of privacy-related enforcement actions pursuant to state laws prohibiting unfair and deceptive practices.
False. State attorneys general enforce state privacy-related laws.
Which U.S. statutes provide the FTC with additional enforcement authority over privacy issues?
The Children’s Online Privacy Protection Act (COPPA),
the Fair Credit Reporting Act (FCRA),
the Gramm-Leach Bliley Act (GLBA),
the CAN-SPAM Act
What does Section 5(a) under the FTC Act prohibit?
“Unfair or deceptive acts or practices in or affecting commerce.”
What additional technologies or areas that may be of concern to the FTC now or in the near future?
A few are listed below:
• Algorithms
• Artificial intelligence
• Predictive analytics
“In the Matter of Wyndham Worldwide Corp.
The FTC’s unfairness authority was upheld in the federal courts in litigation against Wyndham Worldwide Corporation, a hotel company that suffered three hacks to its systems from 2008 to 2009. Based on these breaches to its systems, the FTC investigated Wyndham for unfair and deceptive trade practices. The FTC asserted that Wyndham:
1) Stored credit card information in unencrypted text
2) Permitted passwords for property management systems to be easily guessable
3) Failed to use firewalls between individual hotels, corporate systems and theInternet
4) Allowed out-of-date operating systems to run on property management systems and failed to update these computers with timely security updates”
5) Failed to adequately control computer access by third-party vendors
6) Did not have unauthorized access detection measures in place
7) Failed to add security measures after they suffered known breaches
