Cross-sector FTC Privacy Protection Flashcards

5-7 questions

1
Q

Define:

FTC jurisdiction

A
  • enforces consumer protection in nearly all areas of commerce
  • doesn’t cover nonprofit entities or certain industries, including banks and other federally regulated financial institutions, and common carriers (transportation and communications industries)
2
Q

Define:

Section 5 of FTC Act

A

unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful

3
Q

FTC authority over information and privacy security

A

established by FTC v. Wyndham (2015) and FTC v. LabMD (2018)

4
Q

FTC administrative enforcement

A
  • relies on Section 5(1)
  • FTC issues a complaint and then determines via an administrative proceeding whether a violation has occurred; and if a violation is found, FTC issues a cease-and-desist order and can pursue civil penalties if company subsequently violates the order
5
Q

FTC judicial enforcement

A
  • relies on Section 13(b)
  • used by FTC to seek “equitable money relief” such as restitution and disgorgement without first issuing a final cease-and-desist order
6
Q

Define:

restitution

A

recouping money losses of consumers

7
Q

Define:

disgorgement

A

requiring companies to repay profits from wrongful conduct

8
Q

FTC has general authority to…

A

issue regulations

9
Q

How does the FTC issue regulations?

A
  • must comply with procedures under Section 18 of the FTC Act aka Magnuson-Moss Warranty Federal Trade Commission Improvements Act of 1975 (“Magnuson-Moss”)
  • can promulgate a trade rule regulation, which defines an act or a practice as unfair or deceptive “only where it has reason to believe that the unfair or deceptive acts or practices which are subject of the proposed rulemaking are prevalent”
  • FTC must establish the prevalence of acts or practices; how the acts or practices are unfair or deceptive; and the economic effect of the rule, including on consumers and small businesses
10
Q

What is the effect of West Virginia v. EPA (2022)?

A
  • could narrow breadth of rules that FTC can enact in future
  • case evinced a shift from courts deferring to agency rules as appropriate to an expectation that courts would review agency rules to determine compliance based on the “major questions doctrine”
  • major questions doctrine restricts the authority of federal agencies to issue substantial regulations without precise directions from Congress
11
Q

typical FTC enforcement process

A
  1. claim that company has committed an unfair or deceptive practice or has violated a specific consumer protection law
  2. FTC has broad investigative authority, including authority to subpoena witnesses, demand civil investigation, and require businesses to submit written reports under oath
  3. commission may initiate an enforcement action and issue a complaint, and an **administrative trial** can proceed before an ALJ
  4. if violation is found, ALJ can **enjoin** company from continuing the practices that caused the violation
  5. decision of ALJ can be appealed to five commissioners, and that decision can be appealed to federal court
  6. although FTC lacks authority to assess civil penalties, if an FTC ruling is ignored the FTC can seek civil penalties in federal court of up to $50,120 per violation and can seek compensation for those harmed by the unfair or deceptive practices
12
Q

Define:

consent decree

A
  • respondent does not admit fault but promises to change its practices and avoids further litigation on the issue
  • respondent often required to maintain proof of compliance and must inform FTC if changes will affect ability to adhere to terms
13
Q

What happens if you violate a consent decree?

A

any violation of that decree can lead, following an FTC investigation, to enforcement in federal court, including civil penalties (or injunctions or other forms of relief)

14
Q

What does the FTC’s Enforcement Division do?

A

monitors and litigates violations of consent decrees in cooperation with the DOJ

15
Q

incentives to negotiate consent decree (on both sides)

A
  • company avoids prolonged trial and negative ongoing publicity, and avoids having details of its business exposed to public
  • FTC achieves consent decree that enforces good privacy and security practices, avoids expense and delay of trial, and gains enforcement advantage because monetary fines are much easier to assess in federal court if a company violates a consent decree
16
Q

Define:

deceptive practice

A

must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances

17
Q

deceptive practice re privacy notice

A

if a company promises a certain level of privacy or security on its website or elsewhere and doesn’t fulfill its promise, FTC considers that breach of promise a “deceptive” practice under Section 5

18
Q

examples of “deceptive” FTC actions

A
  • In the Matter of Facebook (2019): FB agreed to pay $5 billion fine to settle allegations that the company deceived users about their ability to control the privacy of personal data
  • In the Matter of Everalbum (2021): photo app Everalbum agreed to delete facial recognition algorithms developed using consumer data inappropriately obtained (algorithm disgorgement)
19
Q

Define:

unfair practice

A

must:
1. cause or is likely to cause substantial injury to consumers (which is not merely speculative)
2. not be reasonably avoidable by consumers themselves
3. not be outweighed by countervailing benefits to consumers or competition

20
Q

examples of “unfair” FTC actions

A
  • In the Matter of Equifax (2019): Equifax suffered breach in 2017 that affected 150 million customers and exposed SS numbers and home addresses; FTC alleged Equifax’s failure to engage in reasonable security measures to protect its network led to the breach
  • In the Matter of Uber (2018): hackers gained access to PI of drivers and riders and FTC alleged Uber failed to monitor employees’ access to consumers’ personal information; reasonably secure sensitive consumer data in the cloud; and timely disclose the second breach
21
Q

FTC has specific authority over…

A

privacy and security issues beyond Section 5, including COPPA, Health Information Technology for Economic and Clinical Health (HITECH), and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

22
Q

Define:

COPPA

A
  • passed in 1998
  • specifically protects children’s use of the internet, particularly websites and services targeted towards children, who are defined as under the age of 13
23
Q

What are key requirements under COPPA?

A
  1. requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to website privacy policy on every page where PI is collected
  2. requires consent by parents prior to collection of PI for children under age of 13
  3. operators required to utilize a method of consent that is reasonably designed, in light of the technology available, to make sure that the consent is provided by the parent of the child
24
Q

Define:

HITECH

FTC

A
  • applies to personal health record providers
  • FTC shares rulemaking and enforcement authority with HHS for data breaches related to medical records
25
Q

FTC authority over FCRA

A
  • until creation of CFPB, FTC issued rules and guidances for the FCRA
  • CFPB shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator
  • state AGs are required to give notice to the FTC prior to filing suit, and FTC retains authority to intervene in cases brought by state AGs
26
Q

FTC authority over CAN-SPAM

A
  • both FTC and FCC have authority to issue regulations implementing CAN-SPAM
  • FTC, FCC and state AGs have enforcement authority
27
Q

important guidance from FTC on future of privacy and security enforcement has come from…

A
  • 2022 Proposed Rules concerning Commercial Surveillance
  • 2020 Workshop on Data Portability
  • 2022 Advice for Health App Developers
  • 2022 Staff Report on Dark Patterns
  • 2022 Vision on Section 5 Authority to Address Unfair Methods of Competition
28
Q

Define:

Proposed Rules concerning Commercial Surveillance

A

proposed rules focus on surveillance practices defined as “collection, aggregation, analysis, retention, transfer or monetization of commercial data and the direct derivatives of that info”

29
Q

Define:

FTC Workshop on Data Portability (2020)

A

held workshop concerning benefits and challenges posed by data portability: ability of individuals to obtain and reuse their personal data for their own purposes across different services

30
Q

Define:

FTC Advice for Health App Developers (2022)

A

FTC issued advice tailored to health app developers regarding data security, including data minimization, limiting access and permissions, focusing on authentication, considering the mobile ecosystem, and implementing security by design

31
Q

Define:

FTC Staff Report on Dark Patterns (2022)

A

focuses on four common dark practices:
1. disguising ads and misleading consumers about content
2. making it difficult to cancel charges or subscriptions
3. hiding or obscuring key terms and sham fees
4. tricking consumers into sharing data

32
Q

Define:

dark pattern

A

sophisticated design practices that can trick or manipulate consumers into buying services/products or into giving up personal information

33
Q

Define:

FTC Vision on Section 5 Authority to Address Unfair Methods of Competition (2022)

A
  • announced intent to broaden vision on Section 5 FTC enforcement
  • Section 5 analysis focuses on “stopping unfair methods of competition in their incipiency based on their tendency to harm competitive conditions” (and not just whether actual harm is caused)
  • focus is on whether the company’s conduct has a tendency to create negative consequences, such as: raise prices; limit choices; lower quality; reduce innovation; impair other market participants; or reduce likelihood of competition
  • emphasized that Section 5 “does not require a separate showing of market power or market definition” when the evidence indicates a tendency of anticompetitive effects (such a showing is required for virtually all other antitrust statutes)