Chapter 3 Flashcards

1
Q

FTC Background

A
  • Independent agency governed by 5 commissioners (with one being the Chair).
  • Has authority to enforce against “unfair and deceptive trade practices.”
  • Specific authority to enforce COPPA and CAN-SPAM.
  • Prominent role in the development of U.S. privacy standards.

2
Q

Federal privacy areas covered by federal agencies.

A

Medical - HHS Office of Civil Rights

Financial - CFPB generally; Federal Reserve and Comptroller of Currency for institutions under their jurisdiction pursuant to GLBA.

Education - ED

Telemarketing and marketing privacy - FCC (with FTC) under TCPA and other statutes.

Workplace privacy - EEOC and others.

3
Q

State Dept role in privacy

A

Negotiating internationally on privacy issues with other countries and multinational groups like OECD.

4
Q

US Dept of Commerce

A

Leading role in policy development; administered the Privacy Shield Framework.

5
Q

US Dept of Transportation

A

Enforced Privacy Shield violations between the US and EU for some transportation companies.

FAA, on drone policy.

National Highway Traffic Safety Administration, on connected cars.

6
Q

OMB

A

Interpreting Privacy Act of 1974.

Also issues guidance to agencies and contractors on privacy information security issues, such as data breach disclosure and privacy impact assessments.

7
Q

IRS

A

Subject to privacy rules re. tax records.

Other Dept of Treasury components are involved with financial records issues, including compliance with money laundering rules at the Financial Crimes Enforcement Network.

8
Q

US Dept of Homeland Security

A

E-verify program for new employees, rules for air traveler records (TSA), and immigration and other border issues (ICE).

9
Q

Dept of Justice

A

DOJ is the sole federal agency that brings criminal enforcement actions, which can result in imprisonment or criminal fines. Some statutes provide for both civil and criminal enforcement, so DOJ works with the other enforcement agency (e.g., HHS for HIPAA).

10
Q

FTC Jurisdiction - Section 5 of FTCA

A
  • Section 5 of the FTC Act is perhaps the single most important piece of U.S. privacy law. Section 5 notably says that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful,” although it does not mention privacy or information security.
  • During the 1990s, the FTC began bringing privacy enforcement cases under its powers to address unfair and deceptive practices.
  • Congress added privacy-related responsibilities to the FTC over time, such as those under the Children’s Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
  • Among other authoritative powers, Section 6 of the FTC Act vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
  • FTCA Section 5 does not apply to nonprofits, banks and common carriers.
11
Q

FTC Jurisdiction - specific laws

A
  • FTCA Section 5 - Enforcement, but rulemaking exists only in theory under the burdensome Magnuson-Moss Act of 1975.
  • Rulemaking and enforcement for COPPA.
  • Rulemaking and enforcement for CAN-SPAM (shared with FCC).
  • Rulemaking and enforcement for the Telemarketing Sales Rule (shared with FCC).
  • Enforcement shared with CFPB for financial institutions not covered by another regulator (like the Fed or Comptroller) WRT GLBA and FCRA (and FACTA). No rulemaking authority.
  • Rulemaking and enforcement authority shared with HHS for data breaches related to medical records under the HITECH Act of 2009.
12
Q

FTC Consent Decrees

A
  • Defendant does not admit fault, but promises to change its practices and avoid further litigation on the issue. States what the company must and must not do, and requires it to maintain proof of compliance, maintain a privacy program, submit to audits, and inform relevant persons of the CD.
  • Posted publicly; provide guidance re. what practices the FTC considers inappropriate.
  • Any violation of the CD can lead to enforcement in federal district court, including civil penalties, injunction and other relief.
  • CDs monitored by the Enforcement Division within the Bureau of Consumer Protection.
13
Q

FTC Enforcement Process

A
  • Broad investigatory powers.
  • FTC issues a complaint, which leads to an administrative trial before an ALJ.
  • If a violation is found, the ALJ can enjoin (appeal to the commissioners, and then to district court).
  • Order of the commission becomes final within 60 days after it is served on the company.
  • FTC lacks civil fine authority, but if an FTC ruling is ignored, it can seek civil penalties in federal court of up to $40,654 per violation and seek compensation for those harmed.
14
Q

Privacy notices required?

A
  • Although there is no omnibus federal law requiring companies to have public privacy notices, certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements.
  • Also, California requires companies and organizations doing in-state business to post privacy policies on their websites.
  • By 2000, the vast majority of commercial websites posted privacy notices even in the absence of a legal requirement.
  • By then, privacy notices had become a standard feature of legitimate commercial websites.
15
Q

First FTC Internet privacy enforcement action?

A

In the Matter of GeoCities, Inc. (1999)
Company promised not to sell data without consent, but did, and entered into a CD with the FTC. Company had to post a conspicuous privacy notice.
16
Q

Eli Lilly case (2002)

A

Privacy notice made promises about the security and privacy of user data provided to the website. Company sent an email to users revealing the email addresses of all subscribers. CD with the FTC, for the first time, required the company to develop and maintain an information security and privacy program.

  • So the CD did not just require the company to refrain from the unfair/deceptive practice, but added a proactive requirement.
17
Q

Deceptive practice standard?

A
  • For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
  • Deceptive practices include false promises, misrepresentations, and failures to comply with representations made to consumers.
18
Q

In the Matter of Nomi

A
  • Placed sensors in brick-and-mortar businesses to detect MAC addresses of mobile devices searching for Wi-Fi, and used the data to analyze customer retail traffic patterns.

Misled consumers about opt-out ability, and did not inform consumers where this was taking place.

CD made them stop this.

19
Q

In the Matter of Snapchat

A

Deceptively led consumers to believe that snaps went away, when there were many ways to keep them.

Also, deceptively collected names and numbers of all contacts in the user’s mobile device address book.

Also, did not secure the find-a-friend feature.

Hackers compiled a database using the address book data.

CD had the company agree not to continue doing these things.

20
Q

In Matter of TRUSTe, Inc.

A

Failed to conduct annual recertifications in more than 1k instances, despite claiming to conduct annual recertifications (COPPA and Safe Harbor).

  • Comprehensive records required by CD and a $200k civil penalty.
21
Q

Unfair claims under FTCA, re. privacy

A
  • By 2004, the FTC began to enforce “unfair” practices as well.

Unfair claims can exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.

Wyndham standard: Unfair “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business.”

22
Q

In the Matter of Wyndham Worldwide Corp.

A
  • Company challenged the FTC’s unfairness authority to require more than minimum standards.
  • 3rd Circuit upheld FTC authority.
  • Then the company entered into a CD. Agreed to maintain a comprehensive infosec program, etc.
23
Q

In the Matter of LabMD, Inc.

A
  • Company chose to fight rather than settle.
  • Hack led to sensitive info of customers being stolen.
  • FTC brought action - lost at the ALJ level, won at the commissioner level, but lost at the 11th Circuit. The 11th said the standard of requiring “reasonable” data security measures to achieve fairness was too vague and violated the company’s due process rights, because the company could not know in advance what the standard was.
24
Q

FTC Enforcement History

A
  • From the late 1990s - Chairman Pitofsky approach = “notice and choice”. Enforcement actions based on deception and failure to comply with the privacy notice, rather than specific, tangible harm to consumers.
  • From 2001 to 2009, Chairmen Muris and Platt Majoras emphasized a “harm-based model” for enforcement, i.e. harms due to identity theft, and invoked unfairness.
  • 2009, Chairman Leibowitz began including a requirement of a comprehensive privacy program in CDs, going beyond tangible harm.
  • 2009 approach reflected in the 2012 White House and FTC reports.
25
Q

2012 White House Consumer Privacy Bill of Rights

A
  • Based on traditional FIPs.
  • Individual control, over collection and use.
  • Transparency, of privacy and security practices.
  • Respect for context, i.e. process in ways consistent with the context in which data was provided by the consumer.
  • Security.
  • Access and accuracy.
  • Focused collection - i.e. reasonable limits on collection and retention.
  • Accountability.

Also emphasized international interoperability, and FTC enforcement.

26
Q

2012 FTC Report

A
  • Many of the same themes as the White House Consumer Privacy Bill of Rights.
  • Privacy by Design.
  • Simplified consumer choice - not for uses consistent with the collection context, but for other uses.
  • Transparency - clearer, shorter privacy notices.
  • Do Not Track mechanism.
  • Mobile - greater self-regulation.
  • Data brokers - support legislation giving access to info held by DBs.
  • Large platform providers - examine issues of those doing “comprehensive tracking”.
  • Self-regulatory codes promoted.
27
Q

2015 FTC Privacy and Data Security Update

A

Reasonable data security practices should include at least 5 principles:

(1) companies should be aware of what consumer information they have and who has legitimate access to this data;
(2) companies should limit the information they collect and maintain for their legitimate business purposes;
(3) companies should protect the information they maintain by assessing risk and by implementing procedures for electronic security, physical security, employee training and vendor management;
(4) companies should properly dispose of information they no longer need; and
(5) companies should have a plan in place to respond to security incidents, in case they occur.

2015 unfairness trend: FTC bringing enforcement when a company unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access. After a hack or malware attack, the FTC investigates to determine whether the company had taken reasonable steps.

28
Q

2016 FTC Privacy and Data Security Update

A
  • Focused on smart TVs, drones and ransomware.
  • Letters of warning re. TV beacons collected by phones to target ads.
  • InMobi - fine of $1M re. deceptively tracking location even when the consumer opted out.
  • Turn, Inc. settled allegations it continued to track even after the consumer deleted cookies and reset identifiers on the phone.
29
Q

State privacy enforcement

A
  • Each state has a law similar to Section 5 of the FTCA (UDAP statutes).
  • In addition to unfair and deceptive, some state laws allow enforcement against “unconscionable” practices.
  • Some federal laws, like CAN-SPAM, allow state AGs to bring enforcement actions along with the relevant federal agency.
  • Several states allow a PROA under UDAP.
  • State enforcement of data breach notification laws, and related security lapses.
  • Sector-specific - medical, financial, and workplace. Smart grid and state utilities.
  • Privacy torts; contract enforcement in some cases as well, when there is a breach of a promise.
  • National Association of Attorneys General Consumer Protection Project.
  • California leading the way. E.g., mobile app privacy permissions, data breach notice actions, inadequate privacy notice actions.
30
Q

Self regulation and enforcement

A

3 components:

  1. Legislation - Who should define the privacy rules.
  2. Enforcement - Who should initiate actions.
  3. Adjudication - Who should decide whether a violation occurred.

Sometimes it is a hybrid, or co-regulation, where the company or industry does the legislation, and a govt. agency (e.g., FTC or state AG) investigates, and an ALJ and the courts adjudicate.

PCI-DSS is completely self-regulatory.

Certification programs, if explicitly allowed for in statute (like COPPA), can serve as a way to comply with legal requirements. This is a form of co-regulation.

  • Digital Advertising Alliance, a coalition of media and advertising organizations, is self-regulatory.

Obama Admin, and 2012 efforts, endorsed self-regulation with all stakeholders involved, including consumer groups, so it is a multi-stakeholder approach.

  • NTIA issued a report in the mid-2010s on drones and privacy after a multi-stakeholder effort.
31
Q

Cross-border enforcement

A
  • OECD in 2007 called for member countries to work together to promote cross-border enforcement cooperation.
  • Led to GPEN (Global Privacy Enforcement Network) in 2010. Aim is to promote cross-border info sharing and investigative/enforcement cooperation around the world.
  • Also, there is APEC’s Cross Border Privacy Enforcement Arrangement.
32
Q

Conflicts Between Privacy and Disclosure Laws

A

Arise when privacy laws in Country X prohibit disclosure but laws in Country Y compel disclosure.

  • Example - A US court requires a litigant to disclose document X in the course of litigation, but it is subject to GDPR, which prohibits disclosure.
  • More details in Ch. 4.