Privacy Issues in Consumer Protection

A. Introduction
The United States1 generally has a sectoral approach to privacy law,
although almost all sectors of the economy are governed by the FTC’s
general authority under Section 5 of the Federal Trade Commission Act
to prohibit “unfair and deceptive acts and practices,” and most states
have equivalent authority under similar state laws. The sectors regulated
include financial institutions, entities within the healthcare and insurance
sector and their business associates, educational institutions, operators of
websites directed towards children, consumer credit providers
and telephone, video and cable service providers. These laws can be
enforced by federal regulators and state attorneys general, and, in some
cases, by individual consumers pursuant to private causes of action.
Remedies may include civil penalties and damages for private actions;
some of these laws have criminal penalties as well. There is also a degree
of self-regulation, especially in the marketing area.
U.S. privacy laws apply to Personal Information (PI); that is,
information about an identified or identifiable person. A category of
information requiring additional protections is “Sensitive Personal
Information” (SPI) which, in the United States, generally encompasses
information that may be used for identity theft, such as “first name and
last name or first initial and last name in combination with any one or
more of the following data elements …: (a) Social Security number; (b)
driver’s license number or state-issued identification card number; or (c)
financial account number, or credit or debit card number”2 or particularly
intimate personal information such as health care information. The line
between personal information and non-personal information is unclear at
the margins, where, for example, individuals are acting in a business
capacity or persons are not specifically identified but their mobile device
or IP address is tracked.
Technology is evolving quickly. This includes use of mobile
platforms and applications, social media, “Big Data” (using data for
predictive analytics) and cloud computing. The new technologies and
applications, at times, raise concerns for some as to whether the existing
regulatory framework described in this Chapter is appropriate. The law
is also evolving quickly in this area.
1. The scope of this chapter is limited to privacy law in the United States.
2. 201 MASS.CODE REGS. 17.03.
B. Overview of the U.S. Regulatory Structure
1. Fair Information Practice Principles
The use of privacy policies and consumer choice emerged from the
Fair Information Practice Principles (FIPPs), sometimes known as just
the Fair Information Practices (FIPs).3 FIPs are a set of internationally
recognized practices for addressing the privacy of information about
individuals. FIPPs were first articulated in a 1973 report by the U.S.
Department of Health, Education, and Welfare (HEW), and they became
extremely influential in shaping privacy law in the United States and
around the world.4 While there is broad international agreement on the
substance of FIPs, the actual formulation of the FIPs can look different.
In the United States, several agencies have offered their own version of
In a 1998 report, the Federal Trade Commission identified the “five
core principles of privacy protection: (1) Notice/Awareness; (2)
Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5)
Enforcement/Redress.”5 In 2000, the Commission issued a report,
entitled Privacy Online: Fair Information Practices in the Electronic
Marketplace, in which it recommended that commercial websites that
collect personal identifying information from or about consumers online
should be required to comply with “the four widely-accepted fair
information practices.”6 Those practices included:
1. Notice - Web sites would be required to provide
consumers clear and conspicuous notice of their
information practices, including what information they
collect, how they collect it (e.g., directly or through non-
obvious means such as cookies), how they use it, how they
provide Choice, Access, and Security to consumers,
whether they disclose the information collected to other
entities, and whether other entities are collecting
information through the site.
2. Choice - Web sites would be required to offer consumers
choices as to how their personal identifying information is used
beyond the use for which the information was provided (the
“primary use,” e.g., to consummate a transaction). Such choice
would encompass both internal secondary uses (such as
marketing back to consumers) and external secondary uses (such
as disclosing data to other entities).
3. Access - Web sites would be required to offer consumers
reasonable access to the information a Web site has collected
about them, including a reasonable opportunity to review
information and to correct inaccuracies or delete information.
4. Security - Web sites would be required to take reasonable steps
to protect the security of the information they collect from
3. Solove, Daniel J. and Woodrow Hartzog, The FTC and the New Common
Law of Privacy, 114 COLUMBIA L. REV. 583, 592 (2013).
4. U.S. Dep’t of Health, Educ., & Welfare, Records, Computers, and the
Rights of Citizens: Report of the Secretary’s Advisory Committee on
Automated Personal Data Systems 41–42 (1973). The various regimes
around the world follow, to various degrees, the OECD Privacy
Principles, which are also reflected in the FIPPs.
5. Federal Trade Commission, Privacy Online: A Report to Congress 7
6. Federal Trade Commission, Privacy Online: Fair Information Practices
in the Electronic Marketplace 36-37, (May 2000) (footnote omitted),
Though the principles set forth by the FTC are only considered
guidelines, in some instances the guidelines have been converted into
law and many businesses have focused on privacy through self-
regulation that adopts the FTC’s principles.
In 2012, the FTC issued its report on privacy, Protecting Consumer
Privacy in an Era of Rapid Change.7 The report appears to support a
framework that the Commission asserts is “consistent with the Fair
Information Practice Principles first articulated almost 40 years ago.”8
The report calls on companies to implement best practices to protect
consumers’ private information (both online and offline), Congress to
