Privacy Under the Federal Trade Commission: Enforcement Actions of the FTC
Congress created the Federal Trade Commission (FTC) in 1914 to prevent unfair methods of competition in commerce. In 1938, Congress gave the FTC the grant to enforce the prohibition on “unfair and deceptive acts or practices”, which, in the area of privacy, has largely centered on false and misleading statements concerning companies’ privacy policies and data collection processes. The FTC develops policy in the field of privacy by issuing opinions in its enforcement actions against companies that violate the FTC Act prohibition on unfair or deceptive acts and practices. The FTC is driven largely by the desire to protect consumers from unfair and deceptive business practices in the marketplace. The FTC conducts investigations into alleged violations of the FTC Act and responds to consumer complaints of alleged wrongdoing on the part of businesses. The FTC has filed dozens of complaints against companies for violation of the FTC Act and other companies often use these opinions to ensure that they are complying with the provisions of the Act. The FTC also has the power to administer the Children’s Online Privacy Protection Act (COPPA), the Privacy Rule, the Safeguards Rule and the Fair Credit Reporting Act (FCRA).
Violation of the FTC Act was the most common source of complaints against companies. The most common violation of the FTC Act was the failure to comply with the terms of Section 5, which prohibits unfair or deceptive acts or practices in or affecting commerce. Misrepresentations may constitute deceptive acts or practices prohibited by Section 5 of the FTC Act. A common misrepresentation is a company stating that it has implemented adequate and appropriate security measures when in fact it has not. The act of failing to provide reasonable and appropriate security for consumers’ personal information may constitute an unfair act or practice under the Act, even if the company did not make claims to the contrary.
The FTC’s power to enforce the prohibition on unfair and deceptive acts or practices also extends to the U.S.-EU Safe Harbor program. The U.S.-EU Safe Harbor Framework allows American companies to transfer personal data outside of Europe in a manner that is compliant with the European Union Directive on Data Protection (“Directive”). The Directive sets standards for privacy and data security protection. The Directive requires EU member states to prohibit the transfer of personal data outside the EU unless the European Commission has approved of the recipient. The U.S.-EU Safe Harbor Framework creates a mechanism to allow for data transfer outside of the EU. In order to join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with the seven principles of the Safe Harbor. The seven principles are notice, choice, onward transfer, access, security, data integrity and enforcement. Companies that are under the jurisdiction of the FTC are eligible to join the Safe Harbor. Companies must re-certify their Safe Harbor status each year in order to be current members of the Safe Harbor. If a company fails to re-certify but does not notify the Department of Commerce this is a misrepresentation and a violation of Section 5 of the FTC Act. If a company self-certifies to the Safe Harbor but fails to adequately abide by the principles, the FTC has the authority to bring an enforcement action against them based on the FTC Act, which prohibits unfair or deceptive acts or practices.
The Fair Credit Reporting Act (FCRA), which is administered by the FTC, applies to companies that are in the business of furnishing consumer reports. Consumer reports are reports that bear on a consumer’s character, general reputation, personal characteristics, or mode of living or other attributes, and are used, or are expected to be used, as a factor in determining a consumer’s eligibility for employment or credit and insurance determinations. Section 607(b) of the FCRA requires all companies that create consumer reports to follow reasonable procedures to assure the maximum possible accuracy of the information contained in the reports. A consumer-reporting agency may only furnish reports to a person or business, which has a permissible purpose in obtaining the report. Under the FCRA, consumer-reporting agencies must make a reasonable effort to determine that the parties that it furnishes reports to are using the reports for permissible purposes. The most common reason for an enforcement action by the FTC was failure by the companies to adequately ensure that the reports were being used for permissible purposes as defined by the FCRA.
Two types of violations of the FTC Act were present in all of the FTC enforcement cases over the past five years. The FTC either charged companies with deceptive acts or practices in violation of Section 5 or unfair acts or practices in violation of Section 5. Misrepresentations were the most common source of an FTC complaint as they constitute deceptive acts or practices. Misrepresentations arose when companies claimed that they provided adequate protections for consumers’ personal information but failed to do so. The FTC most commonly uncovered these security and privacy failures when breaches occurred in which unauthorized users were able to access consumer information. The FTC most often cited companies for making these types of misrepresentations when they failed to ensure that adequate password protections were in place and when they stored and transmitted personal information in plain text. The FTC also accused companies of misrepresenting the adequacy of their security measures when it was evident that the company did not have a comprehensive privacy and security procedure in place. The FTC charged companies with unfair acts or practices when their security procedures were so inadequate that the lack of security for consumers’ personal information could be considered unfair to consumers.
Lisa Lansio is a J.D. candidate, ’15, at the NYU School of Law.