Chapter 3: Federal and State Regulators and Enforcement of Privacy Law Flashcards

1
Q

What is Civil Litigation?

A

Occurs in courts when one person sues another person to redress a wrong.

2
Q

What types of relief may a person seek in civil litigation?

A
  1. Monetary Judgment
  2. Injunction

3
Q

When may a person sue based on a violation of law?

A

When a law creates a private right of action (ex. FCRA)

4
Q

What is Criminal Litigation?

A

Lawsuits brought by the government for violations of criminal laws.

5
Q

What types of punishment are typically associated with Criminal Litigation?

A
  1. Imprisonment
  2. Criminal Fines

6
Q

Who initiates Criminal Litigation?

A
  1. DOJ
  2. State attorneys general

7
Q

What are Administrative Enforcement Actions?

A

Actions carried out pursuant to the statutes that create and empower an agency. In the federal government, the basic rules for agency enforcement actions occur under the Administrative Procedure Act (APA).

8
Q

What is the Administrative Procedure Act (APA)?

A

An act laying out the basic rules for agency enforcement actions, where court hearings may take place before an administrative law judge.

9
Q

What Act and Agency(ies) govern Medical Privacy?

A

Agencies
Office of Civil Rights (OCR)
The Centers for Medicare & Medicaid Services (CMS)
both in the U.S. Department of Health and Human Services (HHS)

Act
Health Insurance Portability and Accountability Act (HIPAA)

10
Q

What Act and Agency(ies) govern Financial Privacy?

A

Agencies
Consumer Financial Protection Bureau (CFPB)
Federal Reserve (FED)
The Office of Comptroller of the Currency (OCC)

Act
Gramm-Leach-Bliley Act (GLBA)

11
Q

What Act and Agency(ies) govern Education Privacy?

A

Agencies
Dept. of Education (ED)

Act
Family Educational Rights and Privacy Act

12
Q

What Act and Agency(ies) govern Telemarketing and Marketing Privacy?

A

Agencies
FCC and FTC

Act
Telephone Consumer Protection Act and other statutes

13
Q

What Act and Agency(ies) govern Workplace Privacy?

A

Agencies
Equal Employment Opportunity Commission (EEOC)

Act
ADA and other statutes

14
Q

Which Acts give the FTC power to govern privacy issues?

A
  1. FTC Act Section 5
  2. FCRA (Fair Credit Reporting Act)
  3. Children’s Online Privacy Protection Act (COPPA)
  4. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  5. Telemarketing Sales Rule
15
Q

California Notice Law

A

California requires companies and organizations doing in-state business to post privacy policies on their websites

16
Q

What does FTC section 5 not apply to?

A

Does not apply to:

  1. nonprofit organizations
  2. banks or other federally regulated financial institutions
17
Q

What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?

A

FTC

  1. Achieves a consent decree that incorporates good privacy and security practices
  2. Avoids the expense and delay of trial
  3. Gains an enforcement advantage, because fines are easier to assess in federal court if a company violates a consent decree

Company

  1. Avoids a prolonged trial
  2. Avoids negative publicity
18
Q

What is “deceptive”?

A

When a practice involves a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.

Examples:
1. False promises, misrepresentation, and failures to comply with representations made to consumers, such as statements in privacy policies or Privacy Shield certifications

19
Q

Deceptive Case: In the Matter of Facebook

A

The company deceived users about their ability to control the privacy of personal data. Facebook violated a consent order that prohibited the company from misrepresenting the extent to which users could control the privacy of their information and the extent to which the company makes the information available to third parties.

20
Q

Deceptive Case: In the Matter of BLU Products

A

Inappropriately shared customer information (text messages, contact lists, and call logs) with a Chinese-based third party, and misrepresented the extent to which it protected customers’ information.

21
Q

Deceptive Case: In the Matter of Snapchat

A

Failure to secure certain data concerning customers’ friends. Snapchat promised its customers that its app provided a private, short-lived messaging service, known as “snap”, that disappears after a short time. In addition, Snapchat’s app included a feature to “find friends” that appeared to the user as the only means to choose to provide information to the company about individuals the user knew. According to the FTC, the company was aware of numerous methods that could be employed to save chats indefinitely, and it was actually collecting the names and phone numbers of all contacts in the user’s mobile device.

22
Q

Deceptive Case: In the Matter of Google

A

Google failed to comply with a previous consent order restricting the company’s ability to make representations about the control users had over their information and its collection.

23
Q

What is considered “unfair”?

A

A practice can be unfair even where the company has not made any deceptive statements, if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.

Examples:

  1. When it publishes a privacy policy to attract customers who are concerned about data privacy
  2. fails to make good on that promise by investing inadequate resources in cybersecurity
  3. exposes its unsuspecting customers to substantial financial injury
  4. and retains the profits for their business
24
Q

FTC v. Wyndham

A

Third Circuit

Ruled that the FTC has the authority to require the company to meet more than the minimum standards set forth in Section 5 of the FTC Act.

25
Q

FTC v. Matter of LabMD

A

Eleventh Circuit

Ruled the FTC order does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data security program and says precious little about how this is to be accomplished.

26
Q

What are the Consumer Privacy Bill of Rights?

A
  1. Individual Control
  2. Transparency
  3. Respect for Context
  4. Security
  5. Access and Accuracy
  6. Focused Collection
  7. Accountability
27
Q

What areas did the FTC Report emphasize?

A
  1. Privacy by Design
  2. Simplified Consumer Choice
  3. Transparency
28
Q

What five priorities did the FTC announce for attention?

A
  1. Do Not Track
  2. Mobile
  3. Data Brokers
  4. Large Platform Providers
  5. Promoting enforceable self-regulatory codes
29
Q

How do states enforce against unfair and deceptive practices?

A

Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.

30
Q

UDAP laws?

A

Each state has a law roughly similar to Section of the FTC Act. In addition to covering unfair and deceptive acts and practices (UDAP)

Enforced by the state attorneys general

31
Q

How does self-regulation occur?

A

Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication

32
Q

What does legislation refer to?

A

To the question of who should define the appropriate rules for protecting privacy.

33
Q

What does enforcement refer to?

A

To the question of who should initiate enforcement actions.

34
Q

What does adjudication refer to?

A

To the question of who should decide whether a company has violated the privacy rules, and with what penalties.

35
Q

Where does self-regulation occur with Section 5 of the FTC and state UDAP laws?

A

At the legislation stage - companies write their privacy policies.

36
Q

What is PCI DSS?

A

Payment Card Institute Data Security Standard

37
Q

Where does self-regulation occur with PCI DSS?

A

At all three stages.

38
Q

What is GPEN?

A

Global Privacy Enforcement Network. It aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.

39
Q

What is APEC?

A

Asia-Pacific Economic Cooperation. The Asia-Pacific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.