Chapter 3 - Federal and State Regulators and Enforcement of Privacy Law Flashcards

1
Q

Deceptive Trade Practices

A

In the context of U.S. federal law, a term associated with corporate entities who mislead or misrepresent products or services to consumers and customers. These practices are regulated in the U.S. by the Federal Trade Commission at the federal level and typically by an attorney general or office of consumer protection at the state level. Law typically provides for both enforcement by the government to stop the practice and individual actions for damages brought by consumers who are hurt by the practices.

2
Q

FTC

A

The United States’ primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

3
Q

FTC Act, Section 5

A

Section 5(a) of the FTC Act empowers the agency to enforce against “unfair or deceptive acts or practices in or affecting commerce.” Over the past two decades, the FTC has used this authority extensively to hold businesses to fair and transparent privacy and security standards.

4
Q

Unfair Trade Practices

A

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

5
Q

UDAP

A

Unfair and Deceptive Acts and Practices

6
Q

The Self-Regulation Model

A

Self-regulation refers to stakeholder-based models for ensuring privacy. The term “self-regulation” can refer to any or all of three pieces: legislation, enforcement and adjudication. Legislation refers to the question of who defines privacy rules. For self-regulation, this typically occurs through the privacy policy of a company or other entity, or by an industry association. Enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities, other government agencies, industry code enforcement or, in some cases, the affected individuals. Finally, adjudication refers to the question of who should decide whether an organization has violated a privacy rule. The decision maker can be an industry association, a government agency or a judicial officer. These examples illustrate that the term “self-regulation” covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who defines the requirements, which organization brings enforcement action and who actually makes the judicial decisions.

7
Q

PCI Data Security Standard

A

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties.

8
Q

PCI Security Standards Council

A

The PCI Security Standards Council is a council that is responsible for the development and management of the Payment Card Industry Security Standards, most notably the PCI Data Security Standard. The council is made up of American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. and other affiliate members.

9
Q

GPEN

A

Global Privacy Enforcement Network. Organized following an OECD recommendation for cooperation among member countries on enforcement of privacy laws, GPEN is a collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, GPEN counted 50 member countries.

10
Q

APEC

A

Asia-Pacific Economic Cooperation. The APEC aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific Region.

11
Q

OECD Guidelines

A

First released in 1980, and then updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles along with guidance for countries as they develop regulations surrounding cross-border data flows and law-enforcement access to personal data. The principles, widely emulated in national privacy laws, include Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability (see entries for each principle under their own listing elsewhere in the glossary).
