Those with experience working with the U.S. Federal Trade Commission exchange any number of acronyms freely: CPB (Bureau of Consumer Protection, and, yeah, lawyers always seem to put the B last), DPIP (Division of Privacy and Identity Protection, part of the CPB), and, perhaps the most cryptic, CID.
That stands for “civil investigative demand,” and if you receive one of these letters, it means the CPB is investigating possible “unfair or deceptive acts or practices” at your organization.
Generally speaking, it’s not a letter you welcome, but neither must it be a disaster, said Christopher Olsen, who’s both issued these CIDs as deputy director of the CPB and helped companies manage them as part of his new role as a partner with Wilson Sonsini Goodrich & Rosati. He spoke to the topic alongside Venable partner Emilio Cividanes, who has represented many clients in front of the FTC, as part of the IAPP’s Practical Privacy Series in Washington last month.
While the FTC can use any number of avenues for collecting information, including workshops where commissions might ask industry players to present information about a new technology, the CID carries an enforceable weight. Should you not comply with a CID’s requests for information, a federal district court can be brought to bear, much like a subpoena. However, CIDs can go beyond a subpoena to compel a company to “file written reports or answers to questions,” even tangible things that go beyond simple documents.
It’s notable, said Olsen, that a CID has to go to the bureau chief and then to a commissioner’s office for approval. If you’ve received one, it wasn’t on a whim. Best to get hustling and prepare for the “meet and confer” requirement 14 days following the letter’s arrival.
“I have a better appreciation for this today than when I was at the FTC,” Olsen said. “There is a ton of work that goes into that 14-day period. [A company has] to set up a series of interviews, identify the key documents, understand the scope, and say, ‘Here’s the situation, the employees and documents involved.’ There’s not a lengthy amount of time for that. If the company doesn’t have a handle on what happened when, that can be an issue. The tendency is to try to tell the company’s best story early on, but if you tell story A and you’re gathering information and story A isn’t actually complete or accurate, you’ve really damaged yourself, and you’ve got limited time to figure out the facts.
“That’s something to be careful about.”
"FTC staff are in a dark room. They don’t know the size of the room; they don’t know if it’s a stall or the coliseum." —Emilio Cividanes, Venable
Sometimes, said Cividanes, the request presents a real burden on the organization, so his goal is to reduce that burden. “One way to do that is get a better handle on what they’re really curious about," he said. "Then you can start triaging, marshaling the right documents, get to a meeting of the minds with FTC staff about what’s helpful in their inquiry.”
Of course, he said, “Some staff will be more forthcoming than others.”
“Often,” said Cividanes, “the analogy I make is that FTC staff are in a dark room. They don’t know the size of the room; they don’t know if it’s a stall or the coliseum. They put together questions to try to figure out the size. If you can help them understand the size and burden of asking the questions, they’ll work with you to make it less burdensome, but still get at the information they think is critical for making an assessment.”
The good news is that that vast majority — Olsen estimated 80 percent — of CIDs don’t result in any enforcement action whatsoever.
Often, the FTC genuinely wants to know what happened, gets the details, and sees there’s nothing unfair or deceptive going on.
"As soon as you lose the staff, they say, ‘We’re being jerked around.’ And the bureau director will hear about it, I guarantee." —Chris Olsen, Wilson Sonsini
“It can be super beneficial to bring someone in who’s not a lawyer but who is operational and can discuss what happened, and when, and why,” said Olsen. That might be a chief privacy officer or someone on the IT staff. “But the risk is that you may not have done enough due diligence to make sure it’s a helpful story. And you also have a company official that’s at the mercy of FTC staff, who may have had some other questions occur to them while they were drinking their coffee that morning, and you’re not prepared for that.
“That has led to other tangents of an investigation,” Olsen said. “That’s the downside.”
What should you absolutely not do? Cividanes emphasized, “Don’t go over anyone’s head until you’ve remedied the conversations with the FTC line staff.” Bureau directors and commissioners do not appreciate having their staff disrespected.
Further, said Olsen, “it’s critical to retain credibility with the FTC staff. If you negotiate a production schedule with FTC staff, you need to meet that. Otherwise, they’ll think you’re playing games, or being strategic. As soon as you lose the staff, they say, ‘We’re being jerked around.’ And the bureau director will hear about it, I guarantee.”