Chapter 3 - Federal & State Regulators and Enforcement of Privacy Law Flashcards
2 key agencies in US privacy law
1- FTC
2- FCC
Single most important piece of US privacy law is
Section 5 of the FTC Act
Section 5 of the FTC Act states…
“unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful”
Section 5 of the FTC Act does NOT apply to…
nonprofit organizations, or to certain industries including banks, other federally regulated financial institutions, and common carriers such as the transportation and communications industries
FTC’s investigatory authority includes:
1- authority to subpoena witnesses
2- authority to demand civil investigation
3- authority to require businesses to submit written reports under oath.
An order by the FTC commission becomes final when?
60 days after it is served on the company
What is the FTC enforcement process once a violation has been identified?
1- the commission issues a complaint
2- an administrative trial proceeds before an ALJ
3- If a violation is found, ALJ can enjoin the company from continuing practices that caused the violation
4- the decision of ALJ can be appealed to the five commissioners
5- the decision of the five commissioners can be appealed to the federal district court
Can the FTC assess civil penalties?
No, but the FTC can seek civil penalties in federal court of up to $40,654 per violation and can seek compensation for those harmed by an unfair or deceptive practice; each violation of an order is treated as a separate offense and each day the violator fails to comply with the order is considered a separate offense.
How are FTC enforcement actions usually settled?
Through consent decrees and consent orders
3 Advantages of Consent Decrees
1- consent decrees incorporate good privacy and security practices
2- avoids the expense and delay of a trial
3- gains an enforcement advantage because monetary fines are easier to assess in federal court if a company violates a consent decree than if no decree is in place
How long can a consent decree be imposed?
Up to 20 years per the FTC’s Sunset Policy
What constitutes a “deceptive practice”?
It involves a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances; includes false promises, misrepresentations and failures to comply with representations made to consumers.
Describe “unfair practices” in the privacy realm
- Companies have to be proactive and must make reasonable efforts to protect personal information
- If a company publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for its business.
FTC states that reasonable data security practices include at least 5 principles:
1- companies should be aware of what consumer info they have and who has legitimate access to the data
2- companies should limit the info they collect and maintain for their legitimate business purposes
3- companies should protect the info they maintain by assessing risk and by implementing procedures for electronic security, physical security, employee training and vendor management
4- companies should properly dispose of information they no longer need
5- companies should have a plan in place to respond to security incidents, in case they occur
FTC considers what 3 factors in assessing a company’s data security measures:
1 - the volume and sensitivity of consumer information the company holds
2- the complexity and breadth of its data operations
3- the cost of tools available to reduce vulnerabilities and improve security