Limits on Private-sector Collection and Use of Data - FTC (1 of 5) Flashcards
Provide an initial overview of the limits of private-sector collection and use of data.
The Federal Trade Commission Act
Codified at 15 U.S.C. § 45. Section 5(a) of the FTC Act declares "unfair or deceptive acts or practices in or affecting commerce" unlawful and empowers the Commission to enforce against them.
Limits on FTC Authority
- Applies only to commerce, so most nonprofits fall outside it
- Excludes banks, savings and loan institutions, and federal credit unions, which are overseen by the banking regulators (non-bank financial institutions remain within FTC jurisdiction)
FTC Privacy & Enforcement Actions
The FTC brings enforcement actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. In practice this holds businesses to the privacy and security promises they make and to a baseline of reasonable security.
Two outcomes of FTC enforcement actions
- Informal resolution
- Consent decree
Consent Decree
Formal, court-enforceable agreement between the government and the company that requires the company to modify its business practices, typically without admitting liability
Informal Resolution
Agreement in which the accused company modifies its business practices without a formal enforcement action being filed
Privacy Enforcement Actions
- No broad federal privacy law in the US
- A company's own privacy policy often provides the basis for an FTC action: a promise made in the policy and then broken is a deceptive practice
- Authority derived from the FTC's power to act against deceptive trade practices
- First action: in 1999 the FTC settled an enforcement action against GeoCities with a consent decree requiring a privacy policy and new privacy controls
- In 2014, TRUSTe had promised annual reviews of the websites it certified but did not perform them. The consent decree required a $200,000 payment and follow-through on the stated policy.
FTC Security Enforcement Actions
- Authority derived from the FTC's power to act against unfair business practices
- May arise after a security breach
- May occur on a proactive basis
- Wyndham Hotels: repeated breaches exposed customers' payment card information; the court upheld the FTC's authority to treat inadequate data security as an unfair practice
FTC Sunset Policy
Consent orders generally expire 20 years after they are entered
The Children’s Online Privacy Protection Act of 1998 (COPPA)
Federal law that applies to operators of commercial websites and online services directed to children under the age of 13. The FTC has rulemaking and enforcement authority under COPPA. COPPA does not apply to most nonprofit organizations.
Organizations in Scope:
- Commercial sites and online services directed at children under the age of 13
- General-audience commercial sites with actual knowledge that they collect personal information from children under 13
COPPA Requirements
- Post a privacy notice on the homepage of the website
- Provide parents direct notice of the site's collection practices
- Obtain verifiable parental consent before collecting personal information from children
- Give parents a choice as to whether their child’s PI will be disclosed to third parties
- Provide parents access to the child's PI, the ability to have it deleted, and the option to opt out of further collection or use
- Maintain the confidentiality, security, and integrity of PI collected from children
COPPA Security Requirements
- Protect the confidentiality, security, and integrity of personal information, including when it is shared with service providers
- Retain information only as long as reasonably necessary, then delete it securely
- Do not condition a child's participation on providing more information than is reasonably necessary for the activity
COPPA Safe Harbor
Encourages FTC-approved self-regulatory programs; an operator that complies with an approved program's guidelines is treated as complying with the rule, limiting its legal exposure
Data Brokers
Entities that collect, aggregate, and sell individuals’ personal data, along with derivatives and inferences drawn from it, sourced from disparate public and private sources. The FTC's data broker report calls for transparency about where brokers' data comes from.
Internet of Things (IoT)
A term for the many everyday devices that are connected to the internet. Any device built with a network interface can be assigned an IP address, enabling automation and remote access, and also exposing it to remote attack. The FTC's IoT report discusses the benefits and risks of these devices and applies established privacy principles to the technology.