FTC PRIVACY AND DATA SECURITY ENFORCEMENT AND GUIDANCE UNDER SECTION 5

By Alexander E. Reicher and Yan Fang1

Publication year: 2016

I. INTRODUCTION

Section 5 of the FTC Act does not itself mention privacy or data security, yet it is the legal basis for well over a hundred Federal Trade Commission privacy and data security enforcement actions. The Commission has used the broad language of Section 5—which prohibits "unfair or deceptive acts or practices," among other things—to hold individuals and companies accountable for everything from broken privacy and data security promises to "unfair" collection of personal information. To better understand the contours of the FTC's privacy and data security enforcement under Section 5, this article examines the agency's litigated cases, public settlements, and guidance materials. This article's modest purpose is to serve as an introduction to some of those materials. It proceeds in four sections. The balance of Section I provides an overview of FTC privacy and data security enforcement and guidance. Section II addresses FTC privacy enforcement and guidance under Section 5, including the agency's early privacy actions and those involving social networks, internet tracking, browser toolbars, cookies and behavioral advertising, mobile devices, data brokers, and the misappropriation of consumer data. Section III discusses FTC data security enforcement and guidance under Section 5, including the agency's recent data security litigation and enforcement actions that help define "reasonable" data security. The article concludes in Section IV.

A. Enforcement

In its privacy and data security actions, the Commission has used its Section 5 authority to investigate and file complaints against companies and individuals for privacy and data security violations that are "deceptive," "unfair," or both. Section 5 of the FTC Act states, in relevant part, that the Commission is "empowered and directed to prevent persons, partnerships, or corporations"—excluding certain types of entities, such as banks and credit unions, as well as certain activities such as common carrier activities—"from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce."2

A deceptive act or practice under the FTC Act is (1) a representation, omission, or practice (2) that is likely to mislead consumers acting reasonably in the circumstances and (3) that is material.3 An unfair act or practice is one that (1) causes or is likely to cause substantial injury to consumers, (2) is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or to competition.4 Though early privacy and data security cases focused on deception, the FTC has increasingly used its unfairness authority to bring cases in the areas of privacy and data security.5


In addition to the FTC Act, the FTC also enforces a number of other privacy and data security laws, including the following (among others):

  • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)6 and the corresponding CAN-SPAM Rule;7
  • Fair Credit Reporting Act (FCRA)8 and a number of corresponding rules;
  • Gramm-Leach-Bliley Act (GLBA)9 and the corresponding Privacy of Consumer Financial Information Rule (Financial Privacy Rule)10 and Standards for Safeguarding Customer Information (Safeguards Rule);11 and
  • The Children's Online Privacy Protection Act (COPPA)12 and the corresponding Children's Online Privacy Protection Rule.13

The FTC investigates companies and individuals whose conduct may violate Section 5 or a specific statute or rule that the agency enforces. In privacy and data security investigations, the Commission has the authority to issue civil investigative demands (CIDs) for documents, interrogatory responses, and "tangible things," and to compel individuals and companies to attend investigational hearings, which are similar to depositions.14

FTC investigations may lead to one of several outcomes: (1) the agency's decision to close the investigation, (2) a settlement between the FTC and the target of the investigation, (3) the agency's filing of an administrative complaint, or (4) the agency's filing of a complaint in federal district court. The Commission has resolved the majority of its publicly announced privacy and data security investigations through consent order settlements, but more recently, has filed three complaints, one in federal court and two before its administrative tribunal.

B. Guidance

In addition to enforcement, the Commission has issued a number of reports and guides for businesses on privacy and data security topics. These guidance documents, written by FTC staff and occasionally approved by the FTC's commissioners, outline how to comply with various privacy laws or present the Commission's view of industry best practices.

The Commission's 2012 report Protecting Consumer Privacy in an Era of Rapid Change15 (hereinafter "Protecting Consumer Privacy") is among the more significant FTC guidance on privacy and data security matters. Approved by the FTC's commissioners in a 3-1 vote, Protecting Consumer Privacy offers a framework "intended to articulate best practices for companies that collect and use consumer data."16

The report's privacy framework centers around three principles. First, "[c]ompanies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services"—so-called "privacy by design."17 Second, "[c]ompanies should simplify consumer choice" when it comes to choices about a company's collection and use of consumer data.18 Finally, "[c]ompanies should increase the transparency of their data practice."19 While the report makes specific recommendations under each of these privacy principles, the Commission clarified that these recommendations may go beyond the existing requirements under the privacy laws.20

The report also offers guidance on data security, including the recommendation that companies approach privacy by design by creating substantive and procedural protections. Substantive protections center on reasonableness, including reasonableness in the collection and use of data, in its retention and disposal, and in its security.21 Procedural protections focus on integrating substantive privacy protections into an organization's everyday practices.22

C. Personally Identifiable Information and Sensitive Personal Information

Though some of the Commission's settlements define personally identifiable information or PII,23 the agency acknowledged in its 2012 Protecting Consumer Privacy report that "the traditional distinction between PII and non-PII has blurred" and suggested that "it is appropriate to more comprehensively examine data to determine the data's privacy implications."24 In that report, the Commission stated that its privacy framework applies to "consumer data that can be reasonably linked to a specific consumer, computer, or other device" rather than to particular categories of PII.25

For both privacy and data security, the FTC has stated that it expects businesses to pay particular attention to protecting "sensitive personal information," which it has defined, "at a minimum," as data about children, financial and health information, Social Security numbers, and precise geolocation data.26 Some of the privacy and data security statutes and rules enforced by the agency also provide specific definitions of protected information. For example, the Children's Online Privacy Protection Rule applies to online contact information, screen names, certain geolocation information, and "persistent identifiers," which can be used to recognize a user over time and across different online services.27 In recent reports, the FTC has also highlighted that biometric data28 and data collected through the "Internet of Things"29 may pose heightened privacy and physical safety concerns.

* * *

The following sections—"FTC Privacy Enforcement and Guidance Under Section 5" and "FTC Data Security Enforcement and Guidance Under Section 5"—focus on the Commission's actions brought under Section 5 of the FTC Act.

II. FTC PRIVACY ENFORCEMENT AND GUIDANCE UNDER SECTION 5

A. Early FTC Privacy Cases under Section 5

The FTC has been a privacy enforcer for over forty years, beginning with its first case under the FCRA in 1972.30 As consumer privacy issues moved online, the agency began bringing cases against internet and software companies toward the very end of the 1990s and the early 2000s. This section discusses some of the agency's early privacy cases brought under Section 5 of the FTC Act. Two of these early cases, In re Geocities and In re Microsoft Corporation, focused on the companies' alleged misrepresentations in privacy policies and elsewhere concerning the purpose or scope of the data collected. The final case in this section, In re Gateway Learning Corp., involved both unfairness and deception counts relating to the company's privacy policy changes.

1. GeoCities

The FTC's 1999 settlement with the web host GeoCities was the agency's first public settlement in the area of internet privacy. GeoCities' members, known as "homesteaders," totaled more than 1.8 million, approximately 200,000 of whom were minors between the ages of three and fifteen.31 The site was one of the top ten most visited websites at the time.32 To become a homesteader, all users, including children, were required to complete GeoCities' "New Member Application" form, which required certain information (first and last name, zip code, email address, gender, date of birth, and member name) and solicited, but did not require, other personal information (education level, income, marital status, occupation, and interests).33

The Commission alleged that GeoCities deceived consumers, including children, about the purpose of its collection of personal information. Geocities' privacy statements in its New Member...
