In recent years, the Federal Trade Commission (FTC) has solidified its position as the most influential consumer privacy and data security regulator in the United States—as reflected by President Barack Obama’s recent visit to the FTC to announce his administration’s latest privacy initiatives. Even critics of the U.S. privacy regime typically do not dispute that the FTC, through its active enforcement docket, has become the preeminent consumer privacy and security enforcer worldwide.
In this environment, businesses that handle consumer data act at their peril if they ignore the FTC’s views on privacy and data security. But what does the FTC expect companies to do to stay on the right side of the law?
As a former advisor to FTC Chairwoman Edith Ramirez, I know that answering that question correctly—deciphering the FTC’s expectations—often demands an examination of FTC enforcement actions in the privacy and security arena. Collectively, these authorities comprise what Daniel Solove and Woodrow Hartzog have called the “common law of privacy.” In the absence of a vast body of judicial decisions on consumer privacy, which can take years to accrue, FTC complaints and consent orders are especially important.
The FTC’s complaint, which must be approved by the FTC’s commissioners, provides the commission’s view of the facts of the case and the applicable law. No matter what the media may have reported about an event or business practice, it is the complaint that lays out what the FTC thought was both supported by the evidence and legally relevant.
FTC consent orders, moreover, do more than establish the remedy a company must follow; they can also be a window into the FTC’s view of compliant data practices. For example, for any business looking to institute Privacy by Design, the organizational requirements of the comprehensive privacy and security programs spelled out in FTC consent orders should be a starting point.
The FTC is not interested in being mysterious—it wants companies to pay attention to and learn from its complaints and orders in order to understand how the FTC approaches privacy and security issues. For this reason, as a former FTC official, I am heartened to see the IAPP launch a fully searchable, annotated, indexed database of all FTC privacy and security complaints, orders and analyses to aid public comments and commission responses, along with the IAPP’s analysis of the case. This free resource for IAPP members should help privacy practitioners to identify and learn from relevant FTC enforcement actions.
From my current role, I know how important it is to be able to do that in a business environment that demands speed. On a daily basis, my colleagues in the privacy and security practice at Perkins Coie LLP and I address complex privacy and security questions for businesses as they seek to roll out new products and services or add features to existing products and services in a privacy-protective manner. What has the FTC said about de-identification? Encryption? The over-collection of information? Opt-in versus opt-out choice? These are just a handful of the types of questions that we, and privacy practitioners everywhere, routinely face. Answering them quickly and correctly is imperative.
FTC enforcement materials can be found on the FTC website but not in the easily searchable, indexed format that the new IAPP tool seeks to provide, annotated according to legal issues, industries and practices. Now that I am in the business of deciphering the FTC, I am pleased that the IAPP is seeking to facilitate the review and synthesis of the growing body of FTC cases.
It looks like my job—and that of privacy professionals everywhere—just got easier.