Limits on Private Sector Collection and Use of Data (25 questions) Flashcards
FTC Act as passed in 1914
founded the Federal Trade Commission, an independent administrative agency designed to enforce antitrust law and consumer protection
governed by chairperson + 4 commissioners
FTC Act as amended by the Wheeler-Lea Act in 1938
added section 5 authority (unfair or deceptive acts or practices in or affecting commerce are hereby unlawful)
limitations on authority = only applies to acts that affect interstate commerce, not:
- nonprofit orgs
- banks
- financial institutions
- common carriers
FTC Act - Magnuson-Moss Warranty-Federal Trade Commission Improvement Act
passed in 1975
FTC is permitted to issue regulations under section 5 authority pursuant to Magnuson-Moss rulemaking
FTC has never utilized this for privacy or data protection
FTC Act amendment 2006
section 5 amended to apply to acts of foreign commerce as well
acts must
1. cause or be likely to cause reasonably foreseeable injury within US or
2. involve material conduct occurring within US
FTC regulation today
- privacy related legislation
- FCRA
- CAN-SPAM Act
- TSR
- COPPA
- FTC act
FTC enforcement- minor actions
FTC will reach out to company and seek to resolve violation informally
FTC enforcement- severe violation- pre-complaint investigation
section 6 of FTC act gives broad investigatory power including power to gather and compile info
business must submit written reports under oath
has broad subpoena power
FTC enforcement- severe violation- enforcement proceeding
- FTC files formal complaint if it has reason to believe a person or company engaged in unfair or deceptive trade practices
- complaints are heard before an ALJ, who may issue an injunction prohibiting the behavior if there is a violation
CAN NEVER IMPOSE CIVIL PENALTIES
What constitutes deceptive trade practices for FTC enforcement action
FTC must show company made
1. material statement or omission
2. that is likely to mislead consumers who are acting reasonably under circumstances
ex. false statement in privacy notice
what constitutes unfair trade practices for FTC enforcement action
FTC must establish that a practice results in
1. substantial injury
2. with lack of offsetting benefits
3. injury is one that consumers themselves could not reasonably have avoided
doesn’t require false statement
ex. published privacy policy whose promise the company fails to make good on because of inadequate resources in cybersecurity
FTC enforcement- severe violation- appeal
- 5 member commission
- circuit court of appeals
decision is effective 60 days after it is served on offending company
can issue injunction only (no civil penalties)
FTC federal court enforcement
FTC can seek
1. enforcement of injunction in federal court
2. go directly to court under section 13
remedies
1. injunctions
2. compensation for those harmed by illegal conduct
3. civil penalties ($50,120/violation)
is there a private cause of action for FTC
no
FTC enforcement- consent decree
most FTC enforcement actions are resolved by consent decrees
defendant must generally maintain proof of compliance
benefits
1. enforce good practice
2. avoid cost of trial
3. easily enforceable
4. avoid negative press
5. limit exposure of business practices
importance of In the Matter of GeoCities Inc
1st privacy enforcement action taken by FTC against company based on web-based promises
holding= settlement through consent decree where company agreed to post accurate online privacy notice and comply with its terms
importance of In the Matter of Eli Lilly and Co
1st enforcement action where FTC entered into consent decree requiring company to develop and maintain info privacy and security program
holding= settlement through consent decree requiring company to create and maintain privacy and security program
importance of FTC v. Wyndham Worldwide Corp
court upheld authority of FTC to regulate cyber security under section 5 authority
holding- settlement through consent decree where company agreed to maintain info security program and submit annual security audits to ensure compliance with PCI-DSS for 20 years
importance of LabMD Inc v. FTC
cease and desist orders must be specific not general
holding- FTC cease and desist order based on company’s general negligence in failing to act was unenforceable because prohibitions and directive to implement reasonable security program were not specific enough
importance of US v. VTech Electronics Ltd
1st FTC section 5 and COPPA enforcement action against a maker of internet-connected toys
holding- settlement through consent decree
importance of In the Matter of Uber Tech
FTC considers the following reasonable data security practices:
1. requiring engineers to use unique access keys
2. requiring engineers to use multi-factor authentication to access customer info
3. storing sensitive info in encrypted form
importance of In the Matter of Lenovo Inc
FTC considers the following a reasonable data security practice
1. confidentiality clause indicating that processor will not share the controller's data with 3rd parties without consent
importance of In the Matter of BLU Products Inc
FTC considers the following a reasonable data security practice
adequately overseeing 3rd party contractors and software suppliers