Privacy Issues in Consumer Protection

• Pages: 131-342

131

CHAPTER II

PRIVACY ISSUES IN CONSUMER PROTECTION

A. Introduction

The United States1 generally has a sectoral approach to privacy law,

although almost all sectors of the economy are governed by the FTC’s

general authority under Section 5 of the Federal Trade Commission Act

to prohibit “unfair and deceptive acts and practices,” and most states

have equivalent authority under similar state laws. The sectors regulated

include financial institutions, entities within the healthcare and insurance

sector and their business associates, educational institutions, purveyors of

online Internet sites directed towards children, consumer credit providers

and telephone, video and cable service providers. These laws can be

enforced by federal regulators and state attorneys general, and, in some

cases, by individual consumers pursuant to private causes of action.

Remedies may include civil penalties and damages for private actions;

some of these laws have criminal penalties as well. There is also a degree

of self-regulation, especially in the marketing area.

U.S. privacy laws apply to Personal Information (PI); that is,

information about an identified or identifiable person. A category of

information requiring additional protections is “Sensitive Personal

Information” (SPI) which, in the United States, generally encompasses

information that may be used for identity theft, such as “first name and

last name or first initial and last name in combination with any one or

more of the following data elements …: (a) Social Security number; (b)

driver’s license number or state-issued identification card number; or (c)

financial account number, or credit or debit card number”2 or particularly

intimate personal information such as health care information. The line

between personal information and non-personal information is unclear at

the margins, where, for example, individuals are acting in a business

capacity or persons are not specifically identified but their mobile device

or IP address is tracked.

Technology is evolving quickly. This includes use of mobile

platforms and applications, social media, “Big Data” (using data for

predictive analytics) and cloud computing. The new technologies and

1. The scope of this chapter is limited to privacy law in the United States.

2. 201 MASS.CODE REGS. 17.03.

Position 169 1602567 ABA-tx-Consumer Vol1 16-03-28 16:02:20

132 CONSUMER PROTECTION LAW DEVELOPMENTS

applications, at times, raise concerns by some as to whether the existing

regulatory framework described in this Chapter is appropriate. The law

is also evolving quickly in this area.

B. Overview of the U.S. Regulatory Structure

1. Fair Information Practice Principles

The use of privacy policies and consumer choice emerged from the

Fair Information Practice Principles (FIPPs), sometimes known as just

the Fair Information Practices (FIPs).3 FIPs are a set of internationally

recognized practices for addressing the privacy of information about

individuals. FIPPs were first articulated in a 1973 report by the U.S.

Department of Health, Education, and Welfare (HEW), and they became

extremely influential in shaping privacy law in the United States and

around the world.4 While there is broad international agreement on the

substance of FIPs, the actual formulation of the FIPs can look different.

In the United States, several agencies have offered their own version of

FIPs.

In a 1998 report, the Federal Trade Commission identified the “five

core principles of privacy protection: (1) Notice/Awareness; (2)

Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5)

Enforcement/Redress.”5 In 2000, the Commission issued a report,

entitled Privacy Online: Fair Information Practices in the Electronic

Marketplace, in which it recommended that commercial websites that

collect personal identifying information from or about consumers online

should be required to comply with “the four widely-accepted fair

information practices.”6 Those practices included:

3. Solove, Daniel J. and Woodrow Hartzog, The FTC and the New Common

Law of Privacy, 114 COLUMBIA L. REV. 583, 592 (2013).

4. U.S. Dep’t of Health, Educ., & Welfare, Records, Computers, and the

Rights of Citizens: Report of the Secretary’s Advisory Committee on

Automated Personal Data Systems 41–42 (1973). The various regimes

around the world follow, to various degrees, the OECD Privacy

Principles, http://oecdprivacy.org/ which are also reflected in the FIPPs.

5. Federal Trade Commission, Privacy Online: A Report to Congress 7

(1998), http://www.ftc.gov/sites/default/files/documents/public_events

/exploring-privacy-roundtable-series/priv-23a_0.pdf

6. Federal Trade Commission, Privacy Online: Fair Information Practices

in the Electronic Marketplace 36-37, (May 2000) (footnote omitted),

http://www.ftc.gov/sites/default/files/documents/reports/privacy-online-

Position 170 1602567 ABA-tx-Consumer Vol1 16-03-28 16:02:20

PRIVACY ISSUES IN CONSUMER PROTECTION 133

1. Notice - Web sites would be required to provide

consumers clear and conspicuous notice of their

information practices, including what information they

collect, how they collect it (e.g., directly or through non-

obvious means such as cookies), how they use it, how they

provide Choice, Access, and Security to consumers,

whether they disclose the information collected to other

entities, and whether other entities are collecting

information through the site.

2. Choice - Web sites would be required to offer consumers

choices as to how their personal identifying information is used

beyond the use for which the information was provided (the

“primary use,” e.g., to consummate a transaction). Such choice

would encompass both internal secondary uses (such as

marketing back to consumers) and external secondary uses (such

as disclosing data to other entities).

3. Access - Web sites would be required to offer consumers

reasonable access to the information a Web site has collected

about them, including a reasonable opportunity to review

information and to correct inaccuracies or delete information.

4. Security - Web sites would be required to take reasonable steps

to protect the security of the information they collect from

consumers.

Though the principles set forth by the FTC are only considered

guidelines, in some instances the guidelines have been converted into

law and many businesses have focused on privacy through self-

regulation that adopts the FTC’s principles.

In 2012, the FTC issued its report on privacy, Protecting Consumer

Privacy in an Era of Rapid Change.7 The report appears to support a

framework that the Commission asserts is “consistent with the Fair

Information Practice Principles first articulated almost 40 years ago.”8

The report calls on companies to implement best practices to protect

consumers’ private information (both online and offline), Congress to

fairinformation-practices-electronic-marketplace-federal-trade-

commission-report/privacy2000.pdf

7. FTC, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID CHANGE:

RECOMMENDATIONS FOR BUSINESSES AND POLICYMAKERS (2012)

[hereinafter FTC 2012 Privacy Report], available at www.ftc.gov/os/

2012/03/120326privacyreport.pdf.

8. Id. at i.

Position 171 1602567 ABA-tx-Consumer Vol1 16-03-28 16:02:20