On Monday, presaging his sixth State of the Union Address, U.S. President Barack Obama visited the Federal Trade Commission (FTC) bearing a message of sweeping privacy reform. Coincidentally, it was almost exactly 101 years ago that President Woodrow Wilson, in his January 20, 1914, State of the Union Address, announced his antitrust initiative to Congress, declaring, “We are all agreed that ‘private monopoly is indefensible and intolerable.’” The result of that speech was the passage of the FTC and Clayton Acts of 1914, which led to the establishment of a new agency dedicated to protecting consumers and competition from deceptive or unfair trade practices.
Now, 80 years after the last visit by a president to the FTC—Obama quipped, “you would think one of the presidents would come into the building by accident”—Obama’s visit and announcement heralds the arrival of privacy on the central stage of the national policy agenda.
As the FTC enters its second century, privacy has become the new antitrust. The role that antitrust played in the wake of the Industrial Revolution is being captured by privacy in the Digital Age. Privacy has become the boundary, the limiting principle, the litmus test for the delicate balance between the tremendous benefits and formidable risks of a dizzying array of technological innovations. Swap “privacy” for “competition,” and Marc Winerman’s writing about the birth of the FTC in the 1900s seems to reflect on our day and age: “The United States enjoyed unprecedented prosperity accompanied by unprecedented corporate consolidation. Competition policy moved toward center stage as the country sought to preserve the benefits of the one without the costs of the other.”
The FTC was formed as an antitrust regulator. A reaction to the excesses of corporate America at the turn of the 20th century, with its emerging class of “robber barons,” the agency defended consumers and competitors from concentrations of market power. Fast-forward a hundred years, and market power, typically defined as control over price, has become an elusive notion. In the digital economy, as everyone knows, the prevalent price is “free” and competition is always a click away.
To be sure, over the past century, the raw materials, means of production and currency have changed. Yesterday’s oil, steel and railroads are today’s personal information, collected in massive troves from our every online interaction and fueling the surging Internet economy. And while competition is there in principle, it is tempered by strong network effects and steep switching costs. Try breaking away from a Twitter account with thousands of followers, a Facebook profile with hundreds of friends or the Microsoft Office suite with its cozy keyboard shortcuts.
The result is remarkably similar: a concentration of corporate control over markets, consumers and, alarmingly, the political process. Intuitively, we sense that the power of Brin, Zuckerberg and Gates is not unlike that of Ford, Rockefeller and Carnegie before them. Then, as now, the inchoate harm of monopolies, mergers and privacy infringements has been difficult to articulate, much less quantify. Some of the same Chicago school critics who blasted antitrust policy as based on flimsy economics now argue that privacy harms are fickle and ill-defined.
The FTC, with its dual jurisdiction over antitrust and consumer protection, remains the fulcrum of policy in both fields. Indeed, over the past 100 years, some of the policy questions remained the same: “Should Congress entrust the application (of its statutory standards) to courts or to an administrative agency? If Congress relied on an administrative agency, how should the agency operate? Should it challenge conduct after-the-fact, perhaps through administrative proceedings? Should it opine on proposed conduct in advance, and should its advice provide a shield against (at least) criminal prosecution?”
Others are specific to privacy in the Digital Age: What is a reasonable level of security for the protection of personal information? When is information sufficiently de-identified to escape the binds of data regulation? How will traditional principles such as notice and choice and data minimization be applied in a reality of ubiquitous data collection by a plethora of “things”?
Building incrementally, from case to case, the FTC continues to expand its tremendously influential corpus of statutory interpretation. With more than 180 enforcement actions in privacy and data security, the agency provides precious insight—one case at a time—into what it views as legitimate corporate data-management practices.
Over the past year, the IAPP Westin Research Center, including its first four fellows, Kelsey Finch, CIPP/US, Dennis Holmes, Patricia Bailin, CIPP/US, and Arielle Brown, have devoted hundreds of hours to collecting, organizing and analyzing this body of law. The result, which we launch today as an IAPP member benefit, is a casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions and making them easily accessible, full-text searchable, tagged, indexed and annotated. We trust that the casebook will help privacy professionals, including not only lawyers but also product designers, IT managers and business executives, tap into this rich resource to better assess responsible industry practices.
To be sure, the casebook is no panacea. The FTC has not analyzed all possible factual scenarios; every new case brings additional nuance, and nearly none of the FTC enforcement actions have been challenged in court. But it provides clear signposts to help businesses navigate the treacherous waters of a constantly shifting techno-social terrain. For example, a developer creating an environment for business applications on employee mobile devices will know that re-delegation of user consent violates the FTC’s holding in HTC. An entrepreneur launching a new social network service will not upload users’ contact details without express notification, based on the FTC’s holding in Path.
Want to see how it works? It works like this:
The casebook allows you to search the FTC enforcement materials either through tags, i.e., an index, or full text.
Tag search draws on the editorial work of the research fellows, who categorized the 180 cases into dozens of categories. You can search by industry, e.g., data brokers (22 cases), social networking (7); legal issue, e.g., Section 5 deception by omission (16 cases), opt-in v. opt-out (23); remedy, e.g., fine over $1 million (17 cases), data deletion (42), and more. Notice that tag searches are “AND” searches, meaning that by checking multiple tags you will significantly narrow down the results.
Full-text search drills deep into every corner of the FTC’s jurisprudence. For example, you can search for “television” (35 cases), “IP address” (29), “antivirus” (11), “operating system” (12) or “two-factor authentication” (1). Full-text searches are “OR” searches, meaning that by entering multiple terms you greatly expand the list of results. At the same time, the order that the results are shown in is set to “relevancy” by default (you can alternatively set it to chronological or reverse chronological), meaning that the top search results will in fact typically resemble those of an “AND” search.
And you can also combine the two methods—searching both by tag, e.g., encryption (itself, 30 results) and full-text term, e.g., “IP address,” together yielding eight results.
The results page provides a short summary of each case as well as the complete, case-specific list of tags for a tag search and a short excerpt containing the search term for a full-text search.
Each case has a home page, which is either the IAPP case-analysis (for the top 40 cases) or the FTC’s news release announcing the enforcement action (for the others). The case summaries contain a brief statement of the facts, complaint, order and commissioners as well as a case analysis with footnotes and cross-references to additional relevant content. In addition, the sidebar features the other documents relevant to the case, including the all-important complaint, the decision and order and the agency’s news release.
Importantly, the FTC casebook is a living, breathing resource. The Westin Research Center will continue to follow the agency’s work to bring you search functionality, analysis and cross-references for all future cases. In addition, we invite you to contact us with any comments and ideas for improvement, whether it is a proposed new format or an additional tag. We trust that this resource will help you tap into the FTC’s growing body of work to better protect the interests of your organizations, consumers and yourselves. Please send your comments and ideas to email@example.com.
The IAPP’s FTC Casebook is your best resource for researching the FTC’s privacy and security complaints and consent decrees. Find it here.
If you want to comment on this post, you need to login.