Chapter 3: Federal and State Regulators and Enforcement of Privacy Law Flashcards
What is Civil Litigation?
Occurs in courts when one person sues another person to redress a wrong.
What types of relief may a person seek in civil litigation?
- Monetary judgment
- Injunction
When may a person sue based on a violation of law?
When a law creates a private right of action (e.g., FCRA).
What is Criminal Litigation?
Lawsuits brought by the government for violations of criminal laws.
What types of punishment are typically associated with Criminal Litigation?
- Imprisonment
- Criminal fines
Who initiates Criminal Litigation?
- DOJ
- State attorneys general
What are Administrative Enforcement Actions?
Actions carried out pursuant to the statutes that create and empower an agency. In the federal government, the basic rules for agency enforcement actions are set out in the Administrative Procedure Act (APA).
What is the Administrative Procedure Act (APA)?
An act laying out the basic rules for agency enforcement actions, under which a hearing may take place before an administrative law judge.
What Act and Agency(ies) govern Medical Privacy?
Agencies
Office of Civil Rights (OCR)
The Centers for Medicare & Medicaid Services (CMS)
both in the U.S. Department of Health and Human Services (HHS)
Act
Health Insurance Portability and Accountability Act (HIPAA)
What Act and Agency(ies) govern Financial Privacy?
Agencies
Consumer Financial Protection Bureau (CFPB)
Federal Reserve (FED)
The Office of Comptroller of the Currency (OCC)
Act
Gramm-Leach-Bliley Act (GLBA)
What Act and Agency(ies) govern Education Privacy?
Agencies
Dept. of Education (ED)
Act
Family Educational Rights and Privacy Act
What Act and Agency(ies) govern Telemarketing and Marketing Privacy?
Agencies
FCC and FTC
Act
Telephone Consumer Protection Act and other statutes
What Act and Agency(ies) govern Workplace Privacy?
Agencies
Equal Employment Opportunity Commission (EEOC)
Act
ADA and other statutes
Which Acts give the FTC power to govern privacy issues?
- FTC Act Section 5
- FCRA (Fair Credit Reporting Act)
- Children’s Online Privacy Protection Act (COPPA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- Telemarketing Sales Rule
California Notice Law
California requires companies and organizations doing in-state business to post privacy policies on their websites.
What does FTC section 5 not apply to?
Does not apply to:
- nonprofit organizations
- banks or other federally regulated financial institutions
What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?
FTC
- Achieves a consent decree that incorporates good privacy and security practices
- Avoids the expense and delay of trial
- Gains an enforcement advantage, because fines are easier to assess in federal court if a company violates a consent decree
Company
- Avoids a prolonged trial
- Avoids negative publicity
What is “deceptive”?
When a practice involves a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
Examples:
- False promises, misrepresentations, and failures to comply with representations made to consumers, such as statements in privacy policies or Privacy Shield certifications
Deceptive Case: In the Matter of Facebook
The company deceived users about their ability to control the privacy of personal data. Facebook violated a consent order that prohibited the company from misrepresenting the extent to which users could control the privacy of their information and the extent to which the company makes the information available to third parties.
Deceptive Case: In the Matter of BLU Products
Inappropriately shared customer information (text messages, contact lists, and call logs) with a China-based third party, and misrepresented the extent to which it protected customers' information.
Deceptive Case: In the Matter of Snapchat
Failure to secure certain data concerning customers’ friends. Snapchat promised its customers that its app provided a private, short-lived messaging service, known as a “snap,” that disappears after a short time. In addition, Snapchat’s app included a “find friends” feature that appeared to the user as the only means of choosing to provide the company with information about individuals the user knew. According to the FTC, the company was aware of numerous methods that could be employed to save chats indefinitely, and it was actually collecting the names and phone numbers of all contacts in the user's mobile device.
Deceptive Case: In the Matter of Google
Google failed to comply with a previous consent order restricting the company’s ability to make representations about the control users had over their information and its collection.
What is considered “unfair”?
Even where the company has not made any deceptive statements, a practice is unfair if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.
Examples:
- When a company publishes a privacy policy to attract customers who are concerned about data privacy
- fails to make good on that promise by investing inadequate resources in cybersecurity
- exposes its unsuspecting customers to substantial financial injury
- and retains the profits for their business
FTC v. Wyndham
Third Circuit
Ruled that the FTC has the authority to require the company to meet more than the minimum standards set forth in Section 5 of the FTC Act.
FTC v. Matter of LabMD
Eleventh Circuit
Ruled that the FTC order does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data security program and says precious little about how this is to be accomplished.
What are the principles of the Consumer Privacy Bill of Rights?
- Individual Control
- Transparency
- Respect for Context
- Security
- Access and Accuracy
- Focused Collection
- Accountability
What areas did the FTC Report emphasize?
- Privacy by Design
- Simplified Consumer Choice
- Transparency
What five priorities did the FTC announce for attention?
- Do Not Track
- Mobile
- Data Brokers
- Large Platform Providers
- Promoting enforceable self-regulatory codes
How do states enforce against unfair and deceptive practices?
Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
What are UDAP laws?
Each state has a law roughly similar to Section 5 of the FTC Act, covering unfair and deceptive acts and practices (UDAP).
Enforced by the state attorneys general.
How does self-regulation occur?
Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication
What does legislation refer to?
To the question of who should define the appropriate rules for protecting privacy.
What does enforcement refer to?
To the question of who should initiate enforcement actions.
What does adjudication refer to?
To the question of who should decide whether a company has violated the privacy rules, and with what penalties.
Where does self-regulation occur with Section 5 of the FTC and state UDAP laws?
At the legislation stage - companies write their privacy policies.
What is PCI DSS?
Payment Card Institute Data Security Standard
Where does self-regulation occur with PCI DSS?
At all three stages.
What is GPEN?
Global Privacy Enforcement Network. It aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
What is APEC?
Asia-Pacific Economic Cooperation. The Asia-Pacific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.