In 1890, Warren and Brandeis asserted privacy as a legal right, a right to be let alone. In 1960, William Prosser introduced the privacy torts: intrusion, public disclosure, false light, and appropriation. Since the 1990s, the Federal Trade Commission has established privacy and data security as a new regulatory area, through dozens of enforcement actions — which scholars have called “a new common law of privacy” — policy reports, and research workshops.
Throughout this period, spanning three decades and a transition from the dawn of personal computing and the commercial internet to an age of machine-to-machine communications, smart cars, wearable devices, big data, and the cloud, Jessica Rich, who announced her departure yesterday as director of the Bureau of Consumer Protection, has conceived, initiated, driven, and spearheaded the agency’s emergence as the nation’s primary technology regulator. Through a long series of cautious, incremental steps, always meticulous, never flashy, and often with a wry joke and a smile, Rich built the foundation for a substantial body of law, setting the standard for technology regulators in the U.S. and abroad.
In her 26 years at the agency, Rich has served as staff attorney, counsel to then-Bureau Director Jodie Bernstein, assistant director (and later acting associate director) of the Division of Privacy and Identity Protection (DPIP), deputy director of the Bureau of Consumer Protection under David Vladeck, associate director of the Division of Financial Practices, and, since June 2013, director of the Bureau during the chairwomanship of Edith Ramirez. Starting in the mid-to-late 1990s, together with Bernstein and FTC Chair Robert Pitofsky, Rich was one of the pioneers of the FTC’s privacy program, participating in workshops on the development of the internet, fielding surveys to determine whether companies were posting privacy policies, issuing the COPPA Rule, and initiating the first enforcement actions. In the early 2000s, with Tim Muris as chair and Howard Beales as bureau director, Rich led the agency’s data security program, issuing the Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program, and bringing the first data security cases.
With Vladeck as bureau director, Rich, as deputy director, helped supercharge the FTC’s privacy and data security jurisdiction, setting forth a new privacy framework, including a series of tech-focused workshops and reports, culminating in the agency’s influential 2012 staff report “Protecting Consumer Privacy in an Era of Rapid Change,” as well as high-profile enforcement actions against the likes of Google, Facebook and Twitter. During this period, the agency greatly enhanced its global footprint, engaging with policymakers and data protection authorities all over the world and bringing its first cases against companies allegedly violating the EU-U.S. Safe Harbor program.
Over the past three and a half years, as bureau director, Rich directed more than 400 enforcement actions, including dozens in the field of privacy and data security, against Snapchat, Yelp, Sprint, Oracle, Wyndham, TRUSTe, and many more. Together with Chairwoman Ramirez, she led the FTC’s efforts to expand its technological expertise, including by establishing the Office of Technology Research and Investigations (OTech), hiring leading technologists, and hosting public workshops on issues ranging from big data and the internet of things to cross-device tracking, drones, crowdfunding, and smart TVs.
It would not do justice to Rich’s enforcement record to reduce it to a handful of cases. A complete index of her law enforcement record appears in the IAPP’s FTC Casebook, which collects, categorizes, and annotates nearly 200 enforcement actions in this space, all of which were brought during Rich’s tenure at the FTC. A few landmarks are worth mentioning, however, demonstrating the sheer breadth of the agency’s program.
In 2004, in Gateway Learning, the FTC for the first time established breach of contract as a privacy violation. The FTC deemed Gateway’s retroactive privacy policy change to be an unfair trade practice, requiring the company to obtain opt-in consent from individuals prior to implementing a material change to its privacy policy involving data collected prior to that change. This rationale was extended in the Facebook settlement, with the FTC considering retroactive changes to privacy settings to also constitute an unfair practice. More recently, the agency warned Facebook against effecting retroactive changes to promises made in WhatsApp’s privacy policy, pursuant to Facebook’s acquisition of the messaging app.
In 2005, in its enforcement action against ChoicePoint, the agency aggressively pursued a data breach case based on California’s newly minted breach notification statute, imposing a significant monetary penalty of $10 million, as well as $5 million for consumer redress. The requirement to remediate the harm to consumers paved a path for later cases such as Frostwire and HTC, where the agency required defendants to implement proactive remediation toward consumers, including deploying security patches and offering free software updates. Furthermore, ChoicePoint shone a spotlight on data brokers, an industry closely scrutinized by the FTC, including in calls for legislation and in-depth policy reports.
In 2006, in its BJ Warehouse case, the FTC for the first time used its unfairness authority in a data security case, alleging that even absent deceptive conduct, failing to maintain appropriate safeguards over sensitive personal information constitutes a violation of Section 5 of the FTC Act. In that case, then-Chairwoman Deborah Platt Majoras stated, “This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information. … Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security.”
To this day, the FTC’s use of its unfairness authority to enforce against companies suffering security breaches remains controversial, with LabMD continuing to challenge the agency’s jurisdiction, arguing the agency’s enforcement comes in the absence of clear standards and effectively punishes the victims. So far, the FTC has had the upper hand in courts, notably with the Third Circuit Court of Appeals’ 2015 ruling against Wyndham, holding that Congress “explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ ... by enumerating the particular practices to which it was intended to apply.”
Criticism of the FTC’s aggressive enforcement activity has recently come from within the agency. With her appointment as acting chairwoman, Maureen Ohlhausen, who dissented in the Nomi Technologies case, argued that the FTC “lacked any evidence of consumer harm,” and promised to “make sure our enforcement actions address concrete consumer injury.” Implying criticism of past action, Chairwoman Ohlhausen stated, “when the FTC has strayed from a focus on actual harm, it has struggled, both in influence and in the courts.” She promised to “deepen the FTC’s understanding of the economics of privacy,” including “studying consumer preferences and the relationship between access to consumer information and innovation.”
With the parting of Rich as bureau director, on the heels of the departure of privacy powerhouse Commissioner Julie Brill and Chairwoman Ramirez, the FTC’s privacy and data security program may be reeling. To be sure, the remaining commissioners, Acting Chairwoman Ohlhausen and Commissioner McSweeny, are longtime supporters of the privacy and data security program. Now more than ever, however, the critical value of trust in the digital economy, as well as the position of the U.S. as policy leader abroad, should motivate the agency to continue to strengthen the privacy and data security practices of companies across industry sectors and states.