The U.S. Federal Trade Commission (FTC) has understandably been the focus of much attention in the data privacy world. The FTC is considered by many to be the primary U.S. data privacy regulator, and this blog has gone so far as to call the FTC the U.S.’s de facto data protection authority (DPA). We respectfully disagree. The FTC is facing unprecedented challenges, while state attorneys general (AGs), who have similar, and in some instances greater, authority, are taking more and more steps to protect the privacy of their citizens.
Although the FTC has used its authority under Section 5 of the FTC Act to regulate data privacy, it is facing a number of hurdles that could curtail such use, including:
- Challenges from litigants: The FTC now is facing not one, but two high-profile challenges to its authority to regulate data privacy and cybersecurity. In addition to the Wyndham case, LabMD also is fighting the FTC’s allegations that the company failed to protect consumer data, claiming, like Wyndham, that the FTC lacks authority under Section 5 of the FTC Act to bring a data security enforcement action on unfairness grounds. If successful, the FTC’s authority to regulate consumer data privacy could be radically restricted.
- Congressional skepticism: Last week, all four sitting FTC commissioners testified in their first-ever joint appearance before Congress, at a hearing of the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade. The commissioners called for federal privacy legislation while facing inquiries from lawmakers who questioned the FTC’s budget and the scope of its regulatory actions.
- Dissension in its own ranks: Last week’s hearing highlighted another issue nagging the FTC: the scope of its “unfairness” authority. Although the FTC Act gives the FTC authority to prevent unfair acts or practices affecting commerce, Commissioner Joshua Wright has suggested that the FTC has not sufficiently articulated its interpretation of “unfair,” a criticism that echoes the challenges raised by Wyndham and LabMD.
AGs, on the other hand, do not face these same barriers.
Most AGs have authority to protect privacy under their state unfair and deceptive trade practice statutes (UDAP statutes, often referred to as “mini-FTC Acts”). Notably, these statutes do not contain the same limitations on the recovery of civil penalties as the FTC Act: under Section 5, the FTC cannot recover penalties for violations of the Act itself, only for violations of a rule or final order issued by the FTC. AGs also enforce a wide range of other state data privacy laws and regulations, including a host of new California laws, the Massachusetts data privacy regulations, Nevada’s PCI compliance law and others.
AGs also have concurrent authority with the FTC or other federal regulators under various federal laws, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA) and others. AGs are demonstrating that they are not hesitant to use their authority to enforce the privacy rights of their states’ citizens. For example:
- Over the past 18 months, numerous AG offices, including those in California, Connecticut and Maryland, have opened units dedicated to data privacy enforcement.
- Data privacy (“Privacy in the Digital Age”) was the Presidential Initiative topic of the National Association of Attorneys General for 2012-2013, bringing the issue to the attention of all AGs and their staff.
- AGs have brought numerous enforcement actions, both under their own authority under state UDAP statutes (the $7M multistate settlement with Google over its Street View project and California’s lawsuit over the privacy policy of Delta’s mobile app) and under various federal laws (New Jersey’s recent settlement with Dokogeo, Inc., alleging violations of COPPA).
- California has continued its activity on a variety of fronts, including releasing in January Privacy on the Go, a best-practices guide for mobile app developers that urges them to consider consumer privacy early in the development process; issuing the state’s first-ever report summarizing the data breaches affecting California residents that occurred in 2012, with key recommendations and “lessons learned”; and publishing guidelines on preventing and remedying medical identity theft, including best-practice recommendations for the healthcare industry and tips for consumers.
These are by no means the only examples of AGs exercising their authority to police data privacy, but they more than amply show that the FTC has stiff competition for the title of U.S. DPA. The FTC is certainly a significant concern, but companies that are cavalier with their customers’ privacy ignore AGs at their peril. Thus, rather than having one de facto DPA in the FTC, the U.S. actually has 50+ such DPAs.