Cross-sector FTC Privacy Protection Flashcards

5-7 questions

You may prefer our related Brainscape-certified flashcards:
1
Q

Define:

Section 5 of FTC Act

A

unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

FTC authority over information and privacy security

A

established by FTC v. Wyndham (2015) and FTC v. LabMD (2018)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

FTC administrative enforcement

A
  • relies on Section 5(1)
  • FTC issues a complaint and then determines via an administrative proceeding whether a violation has occurred; and if a violation is found, FTC issues a cease-and-desist order and can pursue civil penalties if company subsequently violates the order
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

FTC judicial enforcement

A
  • relies on Section 13(b)
  • used by FTC to seek “equitable money relief” such as restitution and disgorgement without first issuing a final cease-and-desist order
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Define:

restitution

A

recouping money losses of consumers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Define:

disgorgement

A

requiring companies to repay profits from wrongful conduct

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

FTC has general authority to…

A

issue regulations under FTC Act

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

How does the FTC issue regulations?

A
  • must comply with procedures under Section 18 of the FTC Act aka Magnuson-Moss Warranty Federal Trade Commission Improvements Act of 1975 (“Magnuson-Moss”)
  • can promulgate a trade rule regulation, which defines an act or a practice as unfair or deceptive “only where it has reason to believe that the unfair or deceptive acts of practices which are subject of the proposed rulemaking are prevalent”
  • FTC must establish the prevalence of acts or practices; how the acts or practices are unfair or deceptive; and the economic effect of the rule, including on consumers and small businesses
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the effect of West Virginia v. EPA (2022)?

A
  • could narrow breadth of rules that FTC can enact in future
  • case evinced a shift from courts deferring to agency rules as appropriate to an expectation that courts would review agency rules to determine compliance based on the “major questions doctrine
  • major questions doctrine restricts the authority of federal agencies to issue substantial regulations without precise directions from Congress
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

typical FTC enforcement process

A
  1. claim that company has committed an unfair or deceptive practice or has violated a specific consumer protection law
  2. FTC has broad investigative authority, including authority to subpoena witnesses, demand civil investigation, and require businesses to submit written reports under oath
  3. commission may initiate an enforcement action and issue a complaint, and an administrative trial can proceed before an ALJ
  4. if violation is found, ALJ can enjoin company from continuing the practices that caused the violation
  5. decision of ALJ can be appealed to five commissioners, and that decision can be appealed to federal court
  6. although FTC lacks authority to assess civil penalties, if an FTC ruling is ignored the FTC can seek civil penalties in federal court of up to $50,120 per violation and can seek compensation for those harmed by the unfair or deceptive practices
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Define:

consent decree

A
  • respondent does not admit fault but promises to change its practices and avoids further litigation on the issue
  • respondent often required to maintain proof of compliance and must inform FTC if changes will affect ability to adhere to terms
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What happens if you violate a consent decree?

A

any violation of that decree can lead, following an FTC investigation, to enforcement in federal court, including civil penalties (or injunctions or other forms of relief)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What does the FTC’s Enforcement Division do?

A

monitors and litigates violations of consent decrees in cooperation with the DOJ

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

incentives to negotiate consent decree (on both sides)

A
  • company avoids prolonged trial and negative ongoing publicity, and avoids having details of its business exposed to public
  • FTC achieves consent decree that enforces good privacy and security practices, avoids expense and delay of trial, and gains enforcement advantage because monetary fines are much easier to assess in federal court if a company violates a consent decree
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Define:

deceptive practice

A

must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

deceptive practice re privacy notice

A

if a company promises a certain level of privacy or security on its website or elsewhere and doesn’t fulfill its promise, FTC considers that breach of promise a “deceptive” practice under Section 5

17
Q

examples of “deceptive” FTC actions

A
  • In the Matter of Facebook (2019): FB agreed to pay $5 billion fine to settle allegations that the company deceived users about their ability to control the privacy of personal data
  • In the Matter of Everalbum (2021): photo app Everalbum agreed to delete facial recognition algorithms developed using consumer data inappropriately obtained (algorithm disgorgement)
18
Q

Define:

unfair practice

A

must:
1. cause or is likely to cause substantial injury to consumers (which is not merely speculative)
2. not be reasonably avoidable by consumers themselves
3. not be outweighed by countervailing benefits to consumers or competition

19
Q

examples of “unfair” FTC actions

A
  • In the Matter of Equifax (2019): Equifax suffered breach in 2017 that affected 150 million customers and exposed SS numbers and home addresses and FTC alleged Equiax’s failure to engage in reasonable security measures to protect its network led to the breach
  • In the Matter of Uber (2018): hackers gained access to PI of drivers and riders and FTC alleged Uber failed to monitor employees’ access to consumers’ personal information; reasonably secure sensitive consumer data in the cloud; and timely disclose the second breach
20
Q

Define:

COPPA

A
  • passed in 1998
  • specifically protects children’s use of the internet, particularly websites and services targeted towards children, who are defined as under the age of 13
21
Q

What are key requirements under COPPA?

A
  1. requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to website privacy policy on every page where PI is collected
  2. requires consent by parents prior to collection of PI for children under age of 13
  3. operators required to utilize a method of consent that is reasonably designed, in light of the technology available, to make sure that the consent is provided by the parent of the child
22
Q

Define:

HITECH

FTC

A
  • applies to personal health record providers
  • FTC shares rulemaking and enforcement authority with HHS for data breaches related to medical records
23
Q

FTC authority over FCRA

A
  • until creation of CFPB, FTC issued rules and guidances for the FCRA
  • CFPB shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator
  • state AGs are required to give notice to the FTC prior to filing suit, and FTC retains authority to intervene in cases brought by state AGs
24
Q

FTC authority over CAN-SPAM

A
  • both FTC and FCC have authority to issue regulations implementing CAN-SPAM
  • FTC, FCC and state AGs have enforcement authority
25
Q

important guidance from FTC on future of privacy and security enforcement has come from…

A
  • 2022 Proposed Rules concerning Commercial Surveillance
  • 2020 Workshop on Data Portability
  • 2022 Advice for Health App Developers
  • 2022 Staff Report on Dark Patterns
  • 2022 Vision on Section 5 Authority to Address Unfair Methods of Competition
26
Q

Define:

Proposed Rules concerning Commercial Surveillance

A

proposed rules focus on surveillance practices defined as “collection, aggregation, analysis, retention, transfer or monetization of commercial data and the direct derivatives of that info”

27
Q

Define:

FTC Workshop on Data Portability (2020)

A

held workshop concerning benefits and challenges posed by data portability: ability of individuals to obtain and reuse their personal data for their own purposes across different services

28
Q

Define:

FTC Advice for Health App Developers (2022)

A

FTC issued advice tailored to health app developers regarding data security, including data minimization, limiting access and permissions, focusing on authentication, considering the mobile ecosystem, and implementing security by design

29
Q

Define:

FTC Staff Report on Dark Patterns (2022)

A

focuses on four common dark practices:
1. disguising ads and misleading consumers about content
2. making it difficult to cancel charges or subscriptions
3. hiding or obscuring key terms and sham fees
4. tricking consumers into sharing data

30
Q

Define:

dark pattern

A

sophisticated design practices that can trick or manipulate consumers into buying services/products or into giving up personal information

31
Q

Define:

FTC Vision on Section 5 Authority to Address Unfair Methods of Competition (2022)

A
  • announced intent to broaden vision on Section 5 FTC enforcement
  • Section 5 analysis focuses on “stopping unfair methods of competition in their incipiency based on their tendency to harm competitive conditions” (and not just whether actual harm is caused)
  • focus is on whether the company’s conduct has a tendency to create negative consequences, such as: raise prices; limit choices; lower quality; reduce innovation; impair other market participants; or reduce likelihood of competition
  • emphasized that Section 5 “does not require a separate showing of market power or market definition” when the evidence indicates a tendency of anticompetitive effects (such a showing is required for virtually all other antitrust statues)