While I often use these pages to talk about issues important to the NAI, today I want to share some personal advice for privacy professionals: It is critically important for privacy professionals to have a deep understanding of the authority, jurisdiction and enforcement powers of the Federal Trade Commission (FTC). Equally important, privacy pros need a comprehensive understanding of the FTC’s past privacy and security enforcement actions brought under the FTC Act and the statutes and rules enforced by the FTC, including COPPA, GLBA, FCRA and the Health Breach Notification Rule.

Any doubt about the FTC’s paramount role in privacy and security enforcement was put to rest by President Barack Obama’s visit to the FTC on Monday, January 12. He not only praised the work of the commission in protecting consumer privacy but also announced new initiatives and proposed legislation that, if passed, would further expand the FTC’s authority in this area.

Since the late 1990s, the FTC has brought approximately 180 privacy- and data security-related enforcement actions, most of which have resulted in the publication of consent agreements with the defendants. I worked at the commission from 2000 to 2011 and had the opportunity to work on many of these cases in different roles—staff attorney litigating cases, counsel to the director of the Bureau of Consumer Protection and finally as chief privacy officer in the chairman’s office. From this experience, I can assure you that it is the commission’s intent that industry pay close attention to these FTC enforcement actions. The FTC wants industry to learn best practices—or how to avoid bad practices—illustrated by the allegations and remedies in each case so that companies improve their own privacy and security practices.

For privacy attorneys and professionals, regardless of your views of the FTC and its use of its authority, here’s some advice: If you understand the FTC’s enforcement actions, you’ll be much better positioned to provide informed advice regarding consumer privacy in the United States. Some scholars have gone so far as to suggest that the FTC’s privacy enforcement actions have developed a new common law for privacy in the absence of a comprehensive federal privacy law. I’m not sure I agree or would go quite that far, as settlements do not act as binding precedent for other companies. Regardless, I firmly believe it is critical for privacy professionals—and in particular privacy attorneys—to review and understand the FTC’s privacy enforcement actions. At the very least, the factual allegations in the complaints (and they are just allegations in most cases) help illustrate the types of conduct that the FTC believes violate the FTC Act. Perhaps more importantly, when reviewed together, these cases can help suggest best practices for privacy and data security programs. Understanding those practices and implementing them as appropriate may help a company avoid becoming the subject of an investigation, or help you explain why certain client conduct was reasonable in a given situation should you receive an inquiry from commission staff.

Binding or not, the enforcement actions serve as useful guides both for FTC staff and for outside counsel. When I was at the FTC, staff often looked to prior settlements and cited such settlements when recommending new enforcement actions. It would not be unusual to see a recommendation memo state, “The factual allegations in this case are similar to the allegations in case X.” On the flip side, counsel representing companies would often cite prior settlements in great detail during discussions about a potential new case and settlement negotiations. I recall being impressed when counsel had a deep understanding of FTC law and prior settlements, even if the arguments didn’t win the day for their clients each time. However, sometimes their arguments did sway the FTC, obtaining more favorable terms in a settlement or ending an investigation without a complaint recommendation at all.

As many privacy pros and attorneys know, it has not always been easy to search FTC enforcement actions and identify those cases that are most relevant to your practice, industry, business model or even your FTC investigation. Cases address different fact patterns and legal theories, impose different forms of relief and penalties, and illustrate a diverse range of corrective actions that may reflect the FTC’s views of privacy and data security best practices. Members of the privacy bar and others often need to understand under what circumstances the FTC will name an individual in a privacy case, what terms the FTC considers material, what practices the FTC currently considers unfair, when the FTC has deviated from standard terms in a privacy consent order and so on.

When representing a client in this space and looking for prior FTC actions related to the facts you are facing, you may need to identify FTC cases about mobile apps, cases regarding electronic data security vs. electronic records or the use of precise location information. How has the commission interpreted requirements for reasonable security? Does my company engage in any practices that the FTC has questioned, such as the failure to encrypt data or the failure to train employees?

As we approach 200 privacy cases in 2015, a new resource is needed to help privacy pros search cases, analyze allegations, highlight key principles and identify the different terms found in different consent orders and settlements. As a privacy professional and a member of the IAPP Board, I am very pleased that IAPP is releasing a new tool that will provide the type of resource that I think professionals will find very valuable as they tackle the complex task of sorting through the FTC’s cases. The bottom line is that however you get that information, my own experience suggests the importance of understanding how the FTC has approached similar issues when dealing with current fact patterns.