Federal and State Regulators and Enforcement of Privacy Law

3.1 Litigation and Enforcement

1. Civil Litigation

   1. Occurs in the courts, when one person (the plaintiff) sues another person (the defendant) to redress a wrong.

   2. The plaintiff often seeks a monetary judgment from the defendant.

   3. The plaintiff often seeks an injunction, court order mandating that certain behaviors cease.

   4. Fair Credit Reporting Act (FCRA), for instance, has a private right of action, allowing individuals to sue a company if their consumer reports have been used inappropriately.

2. Criminal Litigation

   1. involves lawsuits brought by the government for violations of criminal laws.

      1. Example - HIPAA violation breach

   2. Criminal prosecution can lead to imprisonment and criminal fines.

   3. Federal prosecutor - DoJ

   4. States typically place criminal prosecutorial power in the hands of the state attorney general and local officials such as district attorneys.

3. Administrative Enforcement Actions

   1. Pursuant to the statutes that create and empower an agency, such as FTC and FCC.

   2. Basic rules for agency enforcement actions occur under the Administrative Procedure Act (APA), which takes place before an Administrative Law Judge (ALJ).

3.2 Federal Privacy Enforcement and Policy Outside of the FTC and FCC

Note: The FTC and the FCC are primarily responsible for privacy enforcement.

Medical Privacy

1. Office of Civil Rights (HHS – Health and Human Services) for the Health Insurance Portability and Accountability Act (HIPAA)

Financial Privacy

1. Consumer Financial Protection Bureau (CFPB) for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach- Bliley Act (GLBA)

Education Privacy

1. Department of Education for the Family Educational Rights and Privacy Act (FERPA)

Telemarketing and Marketing Privacy

1. FCC Commission (with FTC), under the Telephone Consumer Protection Act (TCPA), and other statutes

Workplace Privacy

1. EEOC for the ADA and other anti discrimination statutes.

Others

• Department of Energy - Smart Grid

• Department of State - OECD or UN, negotiate on privacy issues

• Department of Commerce - US Privacy shield administers policies

• Department of Transportation

  • Enforces privacy shield

  • addresses privacy and security issues for connected cars.

  • Addresses privacy for drones

• OMB -

  • President’s Office of Management and Budget (OMB) is the lead agency for interpreting the Privacy Act of 1974, which applies to all federal agencies

  • issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments federal agencies

  • Overall Mission: serves the President of the United States in overseeing the implementation of his vision across the Executive Branch. Specifically, OMB’s mission is to assist the President in meeting his policy, budget, management and regulatory objectives and to fulfill the agency’s statutory responsibilities.

• Dept of Treasury - Financial CEN - crimes enforcement network

  • IRS - privacy for tax frecords

  • CFPB - within Federal Reserve shars enforcement FCRA and CFPB with FTC,

• US DHS

  • Transportation Security Administration, TSA records

  • Immigration and customs enforcement

  • ICE, Everify program) - many privacy issues

• Enforcement for criminal actions

  • DOJ is the sole federal agency to bring criminal enforcement actions, which can result in imprisonment or criminal nes.

  • Some statutes, such as HIPAA, provide for both civil and criminal enforcement. In such cases, procedures exist for the roles of both HHS and DOJ.

3.3 FTC Jurisdiction

1. Origin

   1. FTC was founded in 1914 to enforce antitrust laws. It’s general consumer protection mission was established by a statutory change in 1938. FTC “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Although it does not mention privacy or information security, it is clearly established today.

   2. “in commerce” – does not apply to non-profit organizations.

   3. Certain industries – banks and other federally regulated financial institutions; common carriers – transportation and communications industries.

2. Enforcement

   1. FTC enforced privacy violations for decades beginning with FCRA of 1970.

   2. 1990’s, FTC began bringing privacy enforcement cases under its powers to address unfair and deceptive practices.

   3. Congress added privacy-related responsibilities to the FTC over time, such as Children’s Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

3. Authority

   1. FTC also retains separate and specific authority over privacy and security issues under other federal statutes.

   2. General authority -,Section 5 of the FTC Act applies to unfair and deceptive practices “in commerce,” and does not apply to nonprofit organizations.

4. COPPA

   1. FTC is the rule-making and enforcement agency for COPPA.

5. FCC/FTC Authority Sharing

   1. FTC, sharing rule-making and enforcement power with FCC under the Telemarketing Sales Rules and the CAN-SPAM.

   2. CFPB has authority to issue rules for FCRA, FACTA, and GLBA. Shares enforcement with FTC for financial institutions not covered by a separate financial regulator.

6. FCC/HHS Authority Sharing

   1. FTC also sharing rule-making an enforcement power with HHS for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

7. General Authority

   1. FTC – general authority in theory to issue regulations to implement protections against unfair and deceptive acts and practices.

   2. When the FTC develops regulations for UDAP must comply with the complex procedures under the Magnuson-Moss Warranty FTC Improvement Act (MMW-FTC-IA) of 1975.

3.4 FTC Enforcement Process and Consent Decrees

1. Investigative Authority

   1. Starts with a Claim, complaint, or consumer protection law.

   2. FTC has broad investigatory authority, including the authority to subpoena witnesses, demand civil investigation and require business to submit written reports under oath.

   3. Following investigation, the commission may initiate an enforcement action if it has reason to believe a law is being violated.

   4. The commission issues a complaint, and an administrative trial can proceed before an ALJ (Office of Administrative Law Judges)

   5. If a violation is found, ALJ can enjoin the company from continuing the practices that caused the violation.

   6. ALJ decision can be appealed to the five commissioners. Then can be appealed to federal district court.

   7. An order by the commission becomes final 60 days after it is served on the company.

   8. FTC lacks authority to assess civil penalties, if an FTC ruling is ignored, FTC can seek civil penalties in federal court and can seek compensation for those harmed but the unfair/deceptive practices. viii. In practice, FTC usually settled through consent decrees and accompanying consent orders.

      1. Consent Decree – the respondent does not admit fault, but promises to change its practices and avoids further litigation on the issue.

         1. Benefits for FTC:

            1. Achieves a consent decree that incorporates good privacy and security practices

            2. Avoids the expense and delay of a trial

            3. Gains an enforcement advantage because monetary fines are much easier to assess in federal court if a company violates a consent decree than if no decree is in place.

         2. Benefits for Plaintiff

            1. company avoids

               1. a prolonged trial

               2. negative ongoing publicity.

               3. details of its business practices exposed to the public

         3. These are posted publicly on the FTC website, and the details provide guidance about what practices the FTC consider inappropriate.

         4. Any violation of consent decrees can lead to enforcement in the federal district court (civil penalties, etc.)

         5. Consent decree, under FTC’s “Sunset Policy,” are imposed for up to 20 years.

3.5 Privacy Policies and Notices and Early FTC Enforcement Actions

1. Privacy Notices Required for Websites

   1. HIPAA

   2. GLB

   3. COPPA

   4. CA - Law Businesses in state must post

   5. Most sites post policy

2. Examples

   1. Geocities 1999 -

      1. Collected personal information on website

      2. Privacy Promise on website said information would not be sold.

   2. Eli Lilly and Company 2002

      1. Created website to tell people when to take meds

      2. Privacy Notice - made security and privacy promises

      3. Breach - email addresses disclosed of all users to every subscriber

      4. FTC Enforcement - develop a security and privacy program

         1. For the first time in an online privacy and security case, an action that required conpany develop and maintain an information privacy and security program.

         2. Before this case, the FTC had only required companies to stop current unfair and deceptive practices

3.6 Enforcement Actions and Deceptive Trade Practices

1. Deceptive Trade Practices

   1. Involves a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.

   2. False promises, misrepresentation, and failures to comply with representations made to consumers (such as statements in privacy policies and Safe Harbor or Privacy Shield certifications).

2. In the Matter of Nomi

   1. Nomi placed sensors in retail businesses to detect MAC addresses of mobile devices that are searching Wi-Fi.

   2. Nomi used the information collected to provide an analytics report regarding retail traffic patterns.

   3. Nomi was found to misled consumers regarding the ability to opt out of their service and failed to inform about the location of stores where the tracking was taking place.

   4. Consent Order for 20 years.

3. In the Matter of Snapchat – short-lived messaging “snaps.”

   1. FTC found that they were aware of methods that can save chats indefinitely, and it was actually collecting the names and phone number of all contacts in the user’s mobile address book.

   2. Snapchat also failed to adequately secure the Find Friends feature.

   3. Hackers managed to compile a database for spamming.

   4. Consent Order in 2014 that it would not engage in these business practices for 20 years.

4. In the Matter of TRUSTe, Inc.

   1. What they do -

      1. Provide certifications to companies regarding privacy issues.

      2. Provide seals to companies in compliance with COPPA and US-EU Safe Harbor.

      3. They failed to conduct annual recertifications in more than 1000 instances, despite claiming to conduct recertifications every year on the website.

      4. FTC required them to maintain comprehensive records for 10 years related to its certifications and to pay $200k civil penalty.

3.7 Enforcement Actions an Unfair Trade Practices

1. Unfair Claims

   1. Exist even where the company has not made any deceptive statements if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.

   2. FTC has sanctioned companies for unfair practices when they failed to implement adequate protection measures for sensitive personal information or when they provided inadequate disclosure to consumers.

   3. “Unfairness” (FTC v. Wyndham Worldwide Corp., 2015) – “when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits for their business.”

   4. In the Matter of Wyndham Worldwide Corp. – Wyndham agreed to enter into a consent order with FTC. They agreed to maintain a comprehensive information security program, which include a formal risk assessment process.

3.8 Future of Federal Enforcement

1. Federal 2012 Privacy Reports (know for exam!! Know FIPP Know Privacy by Design, i.e. Zoom)

   1. “White House Report” defines “Consumer Privacy Bill of Rights” based on traditional fair information practices.

      1. Copy of report: https://obamawhitehouse.archives.gov/sites/default/files/privacy-final.pdf

   2. The report states that these rights should apply to commercial uses of personal data:

      1. Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

      2. Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.

      3. Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

      4. Security. Consumers have a right to secure and responsible handling of personal data.

      5. Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

      6. Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.

      7. Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

2. FTC Report

   1. Emphasizes three areas:

   2. Privacy by design.

      3. Companies should promote consumer privacy throughout their organizations and at every stage in the development of their products and services. They should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.

   3. Simplified consumer choice.

      3. Companies should simplify consumer choice.

      4. They do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.

      5. For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.

      6. Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected or (2) collecting sensitive data for certain purposes.

   4. Transparency.

      3. Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices.

      4. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.

      5. All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.

3. FTC Priority

   1. Five priority areas for attention:

   2. Do Not Track mechanism. The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes.

   3. Mobile. The FTC encourages greater self-regulation in the swiftly evolving area of location- and other mobile-related services.

   4. Databrokers. The FTC supports targeted legislation to provide consumers with access to information held about them by data brokers who are not already covered by the FCRA.

   5. Large platform providers. The FTC is examining special issues raised by very large online companies that may do what the FTC calls “comprehensive” tracking.

   6. Promotion of enforceable self-regulatory codes. The FTC will work with the multistakeholder processes that are being facilitated by the DOC. Taken together, the White House Report and FTC Report indicate a significantly more comprehensive approach to privacy protection and enforcement than the FTC’s earlier approaches to enforcement.

3.8.2 Privacy and Data Security:

1. FTC states that reasonable data security practices include at least 5 principles:

   1. Companies should be aware of what consumer information they have and who has legitimate access to this data

   2. Companies should limit the information they collect and maintain for their legitimate business purposes

   3. Companies should protect the information they maintain by assessing risk and by implementing procedures for electronic security, physical security, employee training and vendor management

   4. Companies should properly dispose information they no longer need

   5. Companies should have a plan in place to respond to security incidents

3.9 State Enforcement

1. Each state has a law roughly similar to FTC Act section 5 with expansion on the federal law.

2. These laws are commonly known as Unfair and Deceptive Acts and Practices (UDAP) statutes.

3. State laws are enforced by the state attorney general – chief legal officers of each state while FTC can still enforce things that go across multiple states.

4. Some states allow civil private rights of action under UDAP.

5. Breach Notification - each state has law - identify/notify breach

3.10 Self-Regulation and Enforcement

1. SR can occur through the three separation-of-power components: Legislation, enforcement, and adjudication.

   1. Legislation – industry group; companies

   2. Enforcement – Under §5, FTC

   3. Adjudication – ALJ

2. There are other SR without the involvement of the government.

3. Digital Advertising Alliance (DAA) – coalition of media and advertising organizations.

4. PCI-DSS

   1. Enforces PCI-DSS (visa, MC, Discover)

   2. Action-Lose ability to use card

3.11 Cross-Border Enforcement

1. Cooperation between enforcement agencies

   1. Global Privacy Enforcement Network (GPEN) 2010

      1. promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities.

   2. APEC’s Cross-border Privacy Enforcement Arrangement (CPEA).

      1. The CPEA also will facilitate cooperation and communication between APEC and non-APEC members.

      2. The FTC is a CPEA participant.

2. Conflicts between privacy and disclosure laws

   1. US Privacy Shield - protects disclosure of EU data by US law enforcement

   2. Federal Trade Commission/Department of Commerce are involved with this.

   3. Commerce Department - administers it.

3.13 Conclusion

1. FTC evolved from focusing on deceptive practices to a more comprehensive – moving beyond the mere punishment of violators to requiring the implementation of best practices in privacy and security.