Ch. 3: Federal and State Regulators and Enforcement of Privacy Laws Flashcards
FTC Background
1) Independent agency governed by 5 commissioners (with one being the Chair).
2) Has authority to enforce against “unfair and deceptive trade practices.”
3) SPECIFIC authority to enforce COPPA and CAN-SPAM.
4) Prominent role in development of U.S. privacy standards.
Federal privacy areas covered by federal agencies.
Medical - HHS Office of Civil Rights
Financial - CFPB generally; Federal Reserve and Comptroller of Currency for institutions under their jurisdiction pursuant to GLBA.
Education - ED
Telemarketing and marketing privacy - FCC (with FTC) under TCPA and other statutes.
Workplace privacy - EEOC and others.
State Dept role in privacy
Negotiating internationally on privacy issues with other countries and multinational groups like OECD.
US Dept of Commerce
Leading role in policy development and administered Privacy Shield Framework.
US Dept of Transportation
Enforced Privacy Shield violations between the US and EU for some transportation companies.
FAA, on drone policy.
National Highway Traffic Safety Administration, on connected cars.
OMB
Interpreting Privacy Act of 1974.
Also issues guidance to agencies and contractors on privacy information security issues, such as data breach disclosure and privacy impact assessments.
IRS
Subject to privacy rules re. tax records.
Other Dept of Treasury parts involved with financial records issues, including compliance with money laundering rules at the Financial Crimes Enforcement Network.
US Dept of Homeland Security
E-verify program for new employees, rules for air traveler records (TSA), and immigration and other border issues (ICE).
Dept of Justice
DOJ is the sole federal agency that brings criminal enforcement actions, which can result in imprisonment or criminal fines. Some statutes provide for both civil and criminal enforcement, so DOJ works with the other enforcement agency (e.g., HHS for HIPAA).
FTC Jurisdiction - Section 5 of FTCA
- Section 5 of the FTC Act is perhaps the single most important piece of U.S. privacy law. Section 5 notably says that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful,” although it does not mention privacy or information security.
- During the 1990s, the FTC began bringing privacy enforcement cases under its powers to address unfair and deceptive practices.
- Congress added privacy-related responsibilities to the FTC over time, such as those under the Children’s Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
- Among other authoritative powers, Section 6 of the FTC Act vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
- FTCA Section 5 does not apply to nonprofits, banks and common carriers.
FTC Jurisdiction - specific laws
- FTCA Section 5 - Enforcement authority; rulemaking authority exists only in theory, under the burdensome Magnuson-Moss Act of 1975.
- Rulemaking and enforcement for COPPA.
- Rulemaking and enforcement for CAN-SPAM (shared with FCC).
- Rulemaking and enforcement for Telemarketing Sales Rule (shared with FCC).
- Enforcement shared with CFPB for financial institutions not covered by another regulator (like the Fed or Comptroller) with respect to GLBA, FCRA (and FACTA). No rulemaking authority.
- Rulemaking and enforcement authority shared with HHS for data breaches related to medical records under the HITECH Act of 2009.
FTC Consent Decrees
- Defendant does not admit fault, but promises to change its practices and avoid further litigation on the issue. The CD states what the company must do or must not do, and requires it to maintain proof of compliance, maintain a privacy program, submit to audits, and inform relevant persons of the CD.
- Posted publicly. Provides guidance re. what practices the FTC considers inappropriate.
- Any violation of the CD can lead to enforcement in federal district court, including civil penalties, injunction and other relief.
- CDs monitored by Enforcement Division within the Bureau of Consumer Protection.
FTC Enforcement Process
- Broad investigatory powers.
- FTC issues complaint, and leads to administrative trial before ALJ.
- If a violation is found, the ALJ can enjoin (appeal to the commissioners, and then to district court).
- The commission's order is final within 60 days after service on the company.
- FTC lacks civil fine authority, but if FTC ruling ignored, can seek civil penalties in federal court up to $40,654 per violation and seek compensation for those harmed.
Privacy notices required?
- Although there is no omnibus federal law requiring companies to have public privacy notices, certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements.
- Also, California requires companies and organizations doing in-state business to post privacy policies on their websites.
- By 2000, the vast majority of commercial websites posted privacy notices even in the absence of a legal requirement.
- By then, privacy notices had become a standard feature of legitimate commercial websites.
Deceptive practice standard?
- For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
- Deceptive practices include false promises, misrepresentations, and failures to comply with representations made to consumers.
Unfair claims under FTCA, re. privacy
- By 2004, the FTC began to enforce “unfair” practices as well.
Unfair claims can exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.
Wyndham standard: Unfair “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business.”
2012 White House Consumer Privacy Bill of Rights
- based on traditional FIPs.
- Individual control, on collection and use
- Transparency, of privacy and security practices.
- Respect for context, i.e. process data in ways consistent with the context in which the consumer provided it.
- Security
- Access and accuracy,
- Focused collection - i.e. reasonable limits on collection and retention.
- Accountability -
Also emphasized international interoperability, and FTC enforcement.
2012 FTC Report
- Many of same themes as White House Consumer Privacy Bill of Rights
- Privacy by Design
- Simplified consumer choice - choice not required for uses consistent with the collection context, but required for other uses.
- Transparency - clearer, shorter privacy notices.
- Do not track mechanism.
- Mobile - greater self-regulation
- Data brokers - support legislation giving access to info held by DBs.
- Large platform providers - examine issues of those doing “comprehensive tracking”.
- self-regulatory codes - promoted.
2015 FTC Privacy and Data Security Update
Reasonable data security practices should include at least 5 principles:
(1) companies should be aware of what consumer information they have and who has legitimate access to this data;
(2) companies should limit the information they collect and maintain for their legitimate business purposes;
(3) companies should protect the information they maintain by assessing risk and by implementing procedures for electronic security, physical security, employee training and vendor management;
(4) companies should properly dispose of information they no longer need; and
(5) companies should have a plan in place to respond to security incidents, in case they occur.
2015 unfairness trend: FTC bringing enforcement when a company unreasonably and unnecessarily exposed consumers' personal data to unauthorized access. After a hack or malware attack, the FTC investigates to determine whether the company had taken reasonable steps.
2016 FTC Privacy and Data Security Update
- Focused on smart TVs, drones and ransomware.
- Letters of warning re. TV beacons collected by phones to target ads.
- InMobi - fine $1M re. deceptively tracking location even when consumer opted out.
- Turn, Inc. settled allegations it continued to track even after consumer deleted cookies and reset identifiers on phone.
State privacy enforcement
- Each state has a law similar to Section 5 of FTCA (UDAP statutes).
- In addition to unfair and deceptive, some state laws allow enforcement against “unconscionable” practices.
- Some federal laws, like CAN-SPAM, allow state AGs to bring enforcement actions along with relevant federal agency.
- Several states allow PROA under UDAP.
- State enforcement of data breach notification laws, and related security lapses.
- Sector specific - medical, financial, and workplace. Smart grid and state utilities.
- Privacy torts. Contract enforcement in some cases as well, when there is breach of a promise.
- National Association of Attorneys General Consumer Protection Project.
- California leading way. Eg, mobile app privacy permissions, data breach notice actions, inadequate privacy notice actions.
Self regulation and enforcement
3 components:
- Legislation - Who should define the privacy rules.
- Enforcement - Who should initiate actions.
- Adjudication - Who should decide whether a violation occurred.
Sometimes it is a hybrid, or co-regulation, where the company or industry does the legislation, and a govt. agency (FTC or state AG, e.g.) investigates and ALJs and courts adjudicate.
PCI-DSS is completely self-regulatory.
Certification programs, if explicitly allowed for in statute (like COPPA), can serve as a way to comply with legal requirements. This is a form of co-regulation.
- Digital Advertising Alliance, coalition of media and advertising organizations, is self-reg.
The Obama Administration, and the 2012 efforts, endorsed self-regulation with all stakeholders involved, including consumer groups, so it is a multi-stakeholder approach.
- NTIA issued a report in the mid-2010s on drones and privacy after a multi-stakeholder effort.
Cross-border enforcement
- OECD in 2007 called for member countries to work together to promote cross-border enforcement cooperation.
- Led to GPEN- Global Privacy Enforcement Network in 2010. Aim is to promote cross-border info sharing and investigative/enforcement cooperation around the world.
- Also, there is APEC’s Cross Border Privacy Enforcement Arrangement
Conflicts Between Privacy and Disclosure Laws
Arise when privacy laws in Country X prohibit disclosure but laws in Country Y compel disclosure.
- Example - US court requires a litigant to disclose document X in the course of litigation, but it is subject to GDPR, which prohibits disclosure.
- More details in Ch. 4
What is Civil Litigation?
Occurs in courts when one person sues another person to redress a wrong.
What types of relief may a person seek in civil litigation?
1. Monetary Judgment
2. Injunction
When may person sue based on a violation of law?
When a law creates a private right of action (ex. FCRA)
What is Criminal Litigation?
Lawsuits brought by the government for violations of criminal laws.
What types of punishment are typically associated with Criminal Litigation?
1. Imprisonment
2. Criminal Fines
Who initiates Criminal Litigation?
1. DOJ
2. State attorneys general
What are Agency Enforcement Actions?
Actions carried out pursuant to the statutes that create and empower an agency.
What is the Administrative Procedure Act?
An act laying out the basic rules for agency enforcement actions.
What Act and Agency(ies) govern Medical Privacy?
Agencies - OCR and CMS (both roll up to HHS)
Act - HIPAA
What Act and Agency(ies) govern Financial Privacy?
Agencies - CFPB, OCC, FED
Act - GLBA
What Act and Agency(ies) govern Education Privacy?
Agencies - Dept. of Education
Act - Family Educational Rights and Privacy Act
What Act and Agency(ies) govern Telemarketing and Marketing Privacy?
Agencies - FCC and FTC
Act - Telephone Consumer Protection Act and other statutes
What Act and Agency(ies) govern Workplace Privacy?
Agencies - EEOC and other agencies
Act - ADA and other statutes
Which Acts give the FTC power to govern privacy issues?
- FTC Act Section 5
- FCRA
- Children’s Online Privacy Protection Act (COPPA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- Telemarketing Sales Rule
What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?
FTC
- Achieves a consent decree that incorporates good privacy and security practices
- Avoids the expense and delay of trial
- Gains an enforcement advantage, because fines are easier to assess in federal court if a company violates a consent decree
Company
- Avoids a prolonged trial
- Avoids negative publicity
What is considered “unfair”?
An injury that is:
- Substantial
- Without offsetting benefits
- One that consumers cannot reasonably avoid
Unfair Case: Gateway
Facts: Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed Gateway stated they would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out.
Unfair Case: BJ’s Wholesale Club
Facts: BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.
Unfair Case: Google
Facts: Google Buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google’s privacy notice.
Unfair Case: Facebook
Facts: Facebook repeatedly made designated personal private information public. This was in violation of Facebook’s privacy notice.
What are the Consumer Privacy Bill of Rights?
- Individual Control
- Transparency
- Respect for Context
- Security
- Access and Accuracy
- Focused Collection
- Accountability
What areas did the FTC Report emphasize?
- Privacy by Design
- Simplified Consumer Choice
- Transparency
What five priorities did the FTC announce for attention?
- Do Not Track
- Mobile
- Data Brokers
- Large Platform Providers
- Promoting enforceable self-regulatory codes
How do states enforce against unfair and deceptive practices?
Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
Who enforces UDAP laws?
State attorneys general
How does self regulation occur?
Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication
What does legislation refer to?
To the question of who should define the appropriate rules for protecting privacy.
What does enforcement refer to?
To the question of who should initiate enforcement actions.
What does adjudication refer to?
To the question of who should decide whether a company has violated the privacy rules, and with what penalties.
Where does self regulation occur with Section 5 of the FTC and state UDAP laws?
At the legislation stage - companies write their privacy policies.
What is PCI DSS?
Payment Card Institute Data Security Standard
Where does self regulation occur with PCI DSS?
At all three stages.
What is GPEN?
Global Privacy Enforcement Network. It aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
What is APEC?
Asia-Pacific Economic Cooperation. The Asia-Pacific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.
Cable Communications Privacy Act of 1984
CCPA - regulates the required notices of cable TV providers, given once at the start of service and annually thereafter.
You can request opt-out, but exceptions are:
- legit business activities
- court order
- Name and address only
FCC, FTC
Communications Assistance to Law Enforcement Act of 1994
CALEA, Digital Telephony Bill.
- requires communications companies to design products to allow for lawful government access (wiretaps, etc)
As of 2005, includes internet.
FCC, FTC
CAN-SPAM Consent to Share Requirements
“Express Prior Authorization” - must be an affirmative OK, like a checkbox or button. It can be written, oral, or digital, but there must be a record of it.
CAN-SPAM email requirements
- No false or misleading headers
- clear, working return email address
- clear opt-out without cost
- don’t send to those who have unsubscribed (10 day grace period)
- no aggravated actions, like address harvesting
- pornographic content must have a warning label
Now covers texts, too
Cybersecurity Information Sharing Act of 2015
CISA - the federal government can share unclassified, technical data with companies about attacks/breaches, as well as how to defend against them.
No consent needed. PI must be removed.
DHS, DOJ
Electronic Communications Privacy Act of 1986
Collective name of ECPA and Stored Wire Electronic Communications Act, which updates the Federal Wiretap Act.
Protects communications when made, in transit, and stored on computers.
Only one party (provider exception) needs to consent to share.
Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehab Act of 1970
Must have written patient consent to share these types of medical records. Covers any program receiving federal funding.
Exceptions:
- medical emergency
- research
- audits, evaluations
- crimes on premises
- child abuse
- court order
- for the organization to provide services
Often in parallel with HIPAA.
AG.
FERPA vs. HIPAA
HIPAA doesn’t cover a school if FERPA covers them. This is generally a public-funded school with a nurse on staff.
FERPA does NOT apply to private schools, so HIPAA would cover them.
College health centers treating only students = FERPA
College health centers treating students and staff = FERPA for students, HIPAA for staff
5th Amendment
No self-incrimination, which is often interpreted to mean you have a right to privacy in some situations
GINA- what agencies enforce it?
EEOC - Title II (employment discrimination)
DOL, HHS, Treasury - Title I (genetic info in health insurance)
Junk Fax Prevention Act
Created the EBR exception in TCPA. Faxes must have a clear opt out.
FTC, FCC, TCPA
21st Century Cures Act of 2016
It’s OK to give researchers health data to “expedite research.”
Provisions:
- OK to view data remotely in compliance with HIPAA
- must have certs of confidentiality
- can’t block pharma’s access to the data
- no personal info
FDA
PATRIOT ACT, Section 215
“Library Records” provision and “Tangible Things” provision: allows FBI director to apply for an order to produce materials that assist in investigations against terrorism.
- things like books, papers, records
Only FISA and magistrate judges can grant it. Does NOT need to say why it was granted!
USA FREEDOM Act of 2015
Modified Patriot Act:
- puts some restrictions on bulk collection, following Snowden
- restored roving wiretaps for terrorist tracking
Privacy Protection Act of 1980
PPA - gives the media extra protection from government searches in criminal investigations.
Based on the 1978 case Zurcher v. Stanford Daily, where police used a warrant to look through unpublished photos of a demonstration to find a suspect. The SC said this was OK as long as there was a strong case that evidence would be found. Still requires a warrant or subpoena.
Binding Corporate Rules (BCRs)
Internal rules for data transfers within multinational companies, like a code of conduct for transfer.
Standard Contract Clauses (SCCs)
Established by EU to cover data transfer outside of EU:
- 2 for controller to controller
- 1 for controller to processor
4 Types of Privacy
Info (PII, etc)
Communications (mail, phone, email)
Bodily (drug testing, health testing, search, etc)
Territorial (home, work, monitoring, etc)
Data Controller vs. Processor
Per GDPR:
- Controller: determines the purpose and means for processing PI
- Processor: processes data on behalf of controller.
Under GDPR, the controller must make sure the processor takes appropriate security measures.
Is an IP personal data?
In the EU, yes. In the US, under the Privacy Act, no, but the FTC considers it PI if breached
Info Management: Discover, Build, Communicate, Evolve
Discover: ID the issue, self assess, and determine best practice
Build: Make procedures, verify, and implement
Communicate: document and educate
Evolve: affirm, monitor, and adapt