US Private Sector Privacy Chapter 05 Federal and State Regulators PDF
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP CHAPTER 5 Federal and State Regulators and Enforcement of Privacy Law In the U.S., privacy is regulated at both the federal and state level. At the federal level, the U.S. has numerous regulators whose jurisdictions can overlap – with these regulators primarily dedicated to specific sectors such as medical, financial, and education. The Federal Trade Commission (FTC) is often considered to be the lead privacy enforcer as this agency can address a variety of privacy violations that relate to consumer protection. At the state level, all 50 states have in place Unfair and Deceptive Acts and Practices (UDAP) statutes that, although there are variations among these state laws, provide similar consumer-protection safeguards to those found in the FTC Act. As of the writing of this book, the U.S. has not enacted a federal-level comprehensive privacy law. In the absence of such a federal law, state privacy enforcement takes on additional importance, particularly as states have begun enacting their own comprehensive privacy laws. This chapter introduces the interplay of federal and state regulators of privacy, including many concepts that will be developed in later chapters of the book. The chapter begins with an overview of the many agencies that play a part in regulating privacy at the federal level. Much of the chapter then focuses on the Federal Trade Commission (FTC) and Section 5 of the FTC Act. We examine the prominent role that the FTC has played among federal agencies in the development of U.S. privacy standards as well as in the enforcement of privacy protections at the federal level. The chapter then gives an overview of state laws that provide privacy protections and examines the role of State Attorneys Generals in enforcing these laws. The chapter concludes with a discussion of selfregulation. 
This Chapter begins our examination of this interplay between federal and state enforcement of privacy. Chapter 6 examines recently enacted state comprehensive privacy laws. Chapter 7 examines state data breach notification laws, state data security laws, and state data security laws. Chapters 8, 9, 10, 11, and 12 return to a focus on federal privacy protections, looking in turn at medical privacy, financial privacy, education privacy, privacy in telecommunications and marketing, and workplace privacy. 5.1 Types of Litigation and Enforcement For non-lawyers, it is useful to define the main categories of legal actions: civil litigation, criminal prosecution and administrative enforcement actions. As a reminder, these topics are discussed in additional detail in Chapter 2 (U.S. Legal Framework). Civil litigation occurs in the courts, when one person (the plaintiff) sues another person (the defendant) to redress a wrong. The plaintiff often seeks a monetary judgment from the defendant. The plaintiff may also seek an injunction, which is a court order mandating the defendant to stop engaging in certain behaviors. Important categories of civil litigation include contracts and torts. For instance, a plaintiff might sue for a breach of a contract that promised confidential treatment of personal information. In a tort action, a plaintiff might sue for an invasion of privacy—for example, where the defendant surreptitiously took pictures in a changing room and broadcast the pictures to the public. Some privacy laws create “private rights of action,” enabling an individual plaintiff to sue 1 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP based on violations of the statute. 
The Fair Credit Reporting Act of 1970 (FCRA), for instance, has a private right of action, allowing individuals to sue a company if their consumer reports have been used inappropriately. Criminal prosecution involves actions brought by the government for violations of criminal laws. This contrasts with civil litigation, which generally involves an effort by a private party to correct specific harms. Criminal prosecution can lead to imprisonment and criminal fines. In the federal government, criminal laws are prosecuted by the U.S. Department of Justice (DOJ). States typically place criminal prosecutorial power in the hands of the state attorney general and local officials such as district attorneys. Administrative enforcement actions are carried out pursuant to the statutes that create and empower an agency, such as the FTC. In the federal government, the basic rules for agency enforcement actions occur under the Administrative Procedure Act (APA). 1 The APA sets forth rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge (ALJ). Federal agency adjudications can generally be appealed to federal court. In addition, a federal agency may sue a party in federal court, with the agency as the plaintiff in a civil action. How the FTC typically conduct privacy enforcement actions, notably by the use of consent decrees, is discussed in more detail in Section 3.4. 5.2 Federal Privacy Enforcement and Policy Outside of the FTC Much of this chapter examines the FTC and its focus on unfair and deceptive trade practices as well as children’s privacy. Before concentrating on the FTC, it is important to highlight federal agencies other than the FTC that may be responsible for privacy enforcement, depending on the statutes or regulations violated. In certain instances, the FTC may have overlapping responsibilities with these agencies to enforce privacy protections. 
2 For example, the following agencies are discussed in the chapters noted: Medical privacy (Chapter 8). The Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) enforces the Health Insurance Portability and Accountability Act (HIPAA). Financial privacy (Chapter 9). The Consumer Financial Protection Bureau (CFPB) is responsible generally for financial consumer protection issues. Federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency have privacy enforcement responsibilities for institutions under their jurisdiction under the GrammLeach-Bliley Act (GLBA). Education privacy (Chapter 10). The U.S. Department of Education (ED) enforces the Family Educational Rights and Privacy Act (FERPA). Telecommunications and marketing privacy (Chapter 11). The Federal Communications Commission (FCC) has responsibilities under the Telephone Consumer Protection Act (TCPA) and other statutes. Workplace privacy (Chapter 12). Agencies, including the Equal Employment Opportunity Commission (EEOC), are responsible for enforcing the protections in the Americans with Disabilities Act (ADA) and other antidiscrimination statutes. 2 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP As new technologies emerge, federal agencies seek to address negative impacts - often by using the regulatory frameworks that are already in place. 3 For example, as of the writing of this book, the United States lacks a federal law that specifically regulates the privacy concerns raised by artificial intelligence (AI). OCR is expected to address improper collection of protected health information by companies employing AI. 
4 The EEOC is expected to address complaints of discrimination when companies utilize algorithms to make decisions in the hiring process. 5 In addition, other federal agencies are involved in privacy oversight, enforcement and policy. Privacy professionals should thus be alert to the possibility that federal agencies other than the FTC will be relevant to their organizations’ activities. 6 The U.S. Department of State (DOS) has been increasingly active over time on privacy, especially by negotiating internationally on privacy issues with other countries and in multinational groups such as the United Nations or the Organisation for Economic Cooperation and Development (OECD). The U.S. Department of Commerce (DOC) plays a leading role in federal privacy policy development and has traditionally administered the agreement on privacy protections for data flows between the United States and the EU. 7 The DOC negotiates internationally on privacy issues with other countries and in multinational groups, such as the UN and the OECD. The U.S. Department of Transportation (DOT) is the agency responsible for transportation companies under its jurisdiction and has traditionally enforced violations of the agreement on privacy protections for data flows between the United States and the European Union (EU) for some transportation companies. Within DOT, the Federal Aviation Administration (FAA) has recently played an increasing role for drones. The National Highway Traffic Safety Administration (NHTSA), also within DOT, addresses privacy and security issues for connected cars. The President’s Office of Management and Budget (OMB) is the lead agency for interpreting the Privacy Act of 1974, which applies to federal agencies and private-sector contractors to those agencies. OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments. 
The Internal Revenue Service (IRS) is subject to privacy rules concerning tax records, including disclosures of such records in the private sector. Other parts of the U.S. Department of Treasury are also involved with financial records issues, including compliance with money-laundering rules at the Financial Crimes Enforcement Network (FinCEN). The U.S. Department of Homeland Security (DHS) faces numerous privacy issues, such as: the E-Verify program for new employees; rules for air traveler records, under the Transportation Security Administration (TSA); and immigration and other border issues, under Immigration and Customs Enforcement (ICE). As new technologies emerge, additional agencies become involved in privacy. For instance, the development of the smart grid has made privacy an important issue for the electric 3 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP utility system, thus involving the Department of Energy (DOE). The increased use and surveillance implications of unmanned aerial vehicles (UAVs), or drones, have raised privacy issues for the Federal Aviation Administration (FAA). In short, almost every agency in the federal government is or may soon become involved with privacy in some manner within that agency’s jurisdiction. The U.S. Department of Justice (DOJ) is the sole federal agency to bring criminal enforcement actions, which can result in imprisonment or criminal fines. Some statutes, such as HIPAA, provide for both civil and criminal enforcement. In such cases, procedures exist for the roles of both HHS and DOJ. 8 5.3 The FTC and the FTC Act The Federal Trade Commission (FTC) is typically considered the lead privacy enforcer in the United States. 
The FTC is an independent agency governed by the decision of its chair and four other commissioners, instead of falling under the direct control of the president as the head of the executive branch. 9 The FTC was founded in 1914 to enforce antitrust laws, and its general consumer protection mission was established by a statutory change in 1938. 10 The FTC navigates both roles today, and privacy and information security issues have become an important part of its work. 11 This section details: (1) FTC Jurisdiction; (2) FTC Enforcement Process and Consent Decrees; (3) Deceptive Trade Practices; and (4) Unfair Trade Practices. 5.3.1 FTC Jurisdiction The FTC enforces consumer protections for nearly all areas of commerce. 12 Before proceeding with a discussion of the details related to Section 5 of the FTC Act, it is important to mention those entities that are not covered due to limitations found in the act itself. Because Section 5 of the FTC Act refers to unfair and deceptive practices “in commerce,” this means that nonprofit organizations are not covered. 13 Also, under the FTC Act, the commission’s powers do not extend to certain industries, including banks and other federally regulated financial institutions, as well as common carriers, such as the transportation and communications industries. 14 This subsection examines: the FTC’s authority under the FTC Act and its application to privacy and information security; the FTC’s enforcement tools under the FTC Act; the FTC’s rulemaking authority under Magnuson-Moss; and the FTC’s joint enforcement with states. 5.3.1.1 FTC’s Authority under the FTC Act and its Application to Privacy and Information Security Section 5 of the FTC Act is perhaps the single most important piece of U.S. privacy law. 
Section 5 notably says that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 To date, the FTC has pursued notable enforcement actions related to privacy and cybersecurity against social media companies, data brokers, mobile app developers, and others. 16 Despite the fact that Section 5 of the FTC Act does not mention privacy or information security, the application of Section 5 to privacy and information security is clearly established today. 17 The FTC has enforced privacy violations for decades, beginning with credit reporting and debt collection practices under the Fair Credit Reporting Act (FCRA). 18 During the 1990s, the FTC began bringing privacy enforcement cases under its jurisdiction to address unfair and deceptive practices. 4 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP Several recent court cases about privacy and information security have confirmed and clarified the FTC’s authority related to the application of Section 5 to privacy and information security - the 2015 case in FTC v. Wyndham Worldwide Corporation and the 2018 case of FTC v. LabMD. FTC v. Wyndham. The FTC’s unfairness authority related to cybersecurity was upheld in the federal courts in litigation against Wyndham Worldwide Corporation. The facts of this enforcement action relate to three hacks suffered by Wyndham, a hotel company, from 2008 to 2009. Based on these breaches, the FTC investigated Wyndham for unfair and deceptive trade practices. When the FTC sought to sanction Wyndham, the company initially chose not to settle the case. In 2012, the FTC filed suit against the company in U.S. District Court. Wyndham challenged the FTC’s authority to require the company to meet more than the minimum standards set forth in Section 5 of the FTC Act. 
The federal district court ruled for the FTC. In a 2015 decision, the Third Circuit Court of Appeals (a federal appellate court) confirmed that the FTC’s longstanding authority to regulate “unfair methods of competition in or affecting commerce” under Section 5 of the FTC Act extended to regulation of cybersecurity practices that are harmful to consumers. 19 FTC v. LabMD. In this case, the federal courts recognized the FTC’s authority to regulate privacy and information security, while announcing constraints on the ability of the FTC to require companies to institute comprehensive cybersecurity programs. 20 The underlying facts of the case focus on LabMD being significantly hacked on two separate occasions in 2009 and 2012. 21 In 2013, the FTC brought an enforcement action against LabMD under Section 5 of the FTC Act. Rather than enter into a consent order with the FTC, LabMD chose to proceed with an administrative hearing before an ALJ. The ALJ dismissed the action against LabMD, citing the FTC’s failure to establish harm to the consumers. 22 The FTC reversed the decision by the ALJ, and issued a Final Order requiring the company to implement a comprehensive security program. LabMD appealed the FTC’s Final Order to the Eleventh Circuit Court of Appeals (another federal appellate court). 23 In 2018, that court vacated the FTC’s order—meaning the FTC order was unenforceable. According to the Eleventh Circuit, the FTC order “does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” 24 5.3.1.2 FTC’s Enforcement Tools under the FTC Act The FTC has traditionally relied on a variety of enforcement tools in the FTC Act – including Section 5(l) for administrative enforcement and Section 13(b) and Section 19 for judicial enforcement. 
25 Under Section 5(l), the FTC issues a complaint and then determines via an administrative proceeding whether a violation has occurred. If a violation is found, the FTC issues a cease-and-desist order; the FTC can pursue civil penalties if the company subsequently violates the order. 26 Section 13(b) has been used by the FTC to seek “equitable money relief” such as restitution and disgorgement without first issuing a final cease-and-desist order. Restitution refers to recouping money losses of consumers while disgorgement means requiring companies to repay profits from wrongful conduct. 27 Section 19 allows courts to grant necessary relief if the FTC first issued a final cease-and-desist order to the company. 28 In the 2021 case of AMG Capital Management v. FTC, the United States Supreme Court determined that the FTC was not authorized to obtain monetary relief, or damages, pursuant to Section 13(b) of the FTC Act. 29 5 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP 5.3.1.3 FTC’s Joint Enforcement with States The FTC shares its consumer protection responsibility with the states. All 50 states have enacted statutes to protect consumers commonly known as Unfair and Deceptive Acts and Practices (UDAP) statutes, as discussed in Section 3.6. 30 In 2022, FTC Chair Lina Khan spoke to a gathering of State Attorneys General where she stated that, while there was already an incentive for federal/state partnerships in privacy enforcement, “[t]he AMG decision underscored how state partnerships help maximize relief for Americans subject to unlawful behavior.” 31 5.3.1.4 FTC’s Rulemaking Authority Under Magnuson-Moss The FTC has general authority in theory to issue regulations to implement protections against unfair and deceptive acts and practices. 
32 Such regulations, however, are not promulgated under the usual rulemaking procedures of the Administrative Procedures Act (APA), where the agency publishes a notice of proposed rule, the public comments, and the agency finalizes the rule. Instead, any such regulation must comply with the complex and lengthy procedures under Section 18 of the FTC Act, also known as the Magnuson-Moss Warranty Federal Trade Commission Improvements Act of 1975 (“Magnuson-Moss”). 33 According to Magnuson-Moss, the FTC can promulgate a trade rule regulation, which defines an act or a practice as unfair or deceptive “only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.” 34 For rulemaking pursuant to Magnuson-Moss, the FTC must establish the following (among other requirements): the prevalence of the acts or practices; how the acts and practices are unfair or deceptive; and the economic effect of the rule, including on consumers and small businesses. 35 In 2022, the FTC announced its intent to consider rules on surveillance practices and data security. As of this writing, possible topics for inclusion in the rules include: data minimization and targeted advertisements; consent framework; algorithmic discrimination; dark patterns; misuse of apps; and harm to minors. 36 Also, in 2022, the FTC responded to the AMG decision, discussed in this subsection, by proposing rules that would allow the FTC to recover funds for harm suffered by consumers. 37 It is worth noting that the 2022 United States Supreme Court case of West Virginia v. EPA could narrow the breadth of rules that the FTC can enact in the future. 
Although the details of the legal rationale are beyond the scope of this book, this case evinced a shift from courts deferring to rules that agencies believe are appropriate to an expectation that courts would review agency rules to determine compliance based on the “major questions doctrine” – which restricts the authority of federal agencies to issue substantial regulations without precise directions from Congress. At the writing of this book, commentators have speculated that this case could curtail the FTC’s traditionally broad approach to defining unfair and deceptive trade practices. 38 5.3.2 FTC Enforcement Process and Consent Decrees The FTC enforcement process has numerous steps, beginning with the FTC alleging a claim against a company. When discussing enforcement by the FTC, it is important to recognize that the vast majority of enforcement actions end in consent decree. 39 5.3.2.1 Enforcement Process The typical FTC enforcement action pursuant to Section 5 of the FTC Act begins with a claim that a company has committed an unfair or deceptive practice or has violated a specific consumer protection law. The need for an enforcement action can be brought to the FTC’s attention in 6 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP numerous ways such as press reports covering questionable practices or complaints from consumer groups or competitors. If the violation is minor, the FTC may work with the company to resolve the problem without launching a formal investigation. If the violation is more significant, or there is a pattern of noncompliance, the FTC may proceed to full enforcement. The FTC has broad investigatory authority, including the authority to subpoena witnesses, demand civil investigation, and require businesses to submit written reports under oath. 
40 Following an investigation, the commission may initiate an enforcement action if it has reason to believe a law is being or has been violated. 41 The commission issues a complaint, and an administrative trial can proceed before an ALJ. If a violation is found, the ALJ can enjoin the company from continuing the practices that caused the violation. The decision of the ALJ can be appealed to the five commissioners. That decision, in turn, can be appealed to federal court. 42 Although the FTC lacks the authority to assess civil penalties, if an FTC ruling is ignored the FTC can seek civil penalties in federal court of up to $50,120 per violation, as of the writing of this book, and can seek compensation for those harmed by the unfair or deceptive practices. 43 5.3.2.2 Consent Decrees In practice, FTC privacy enforcement actions have usually been settled through consent decrees and accompanying consent orders. In a consent decree, the respondent does not admit fault but promises to change its practices and avoids further litigation on the issue. Consent decrees are posted publicly on the FTC’s website, and the details of these decrees provide guidance about what practices the FTC considers inappropriate. Once an individual or company has agreed to a consent decree, any violation of that decree can lead, following an FTC investigation, to enforcement in federal court, including civil penalties, as discussed above. The federal court can also grant injunctions and other forms of relief. The FTC’s Enforcement Division, within the Bureau of Consumer Protection (BCP), monitors and litigates violations of consent decrees in cooperation with DOJ. Consent decree terms vary depending on the violation. Usually, the consent decree states what affirmative actions the respondent needs to take and which practices the respondent must refrain from engaging in. 
Consent decrees often require the respondent to maintain proof of compliance with the decree and to inform all related individuals of the consent decree obligations. The respondent is also usually required to provide the FTC with confirmation of its compliance with the decree and must inform the FTC if company changes will affect the respondent’s ability to adhere to its terms. Respondents may also face civil penalties. Increasingly, in privacy cases, companies are subject to periodic outside audits or reviews of their practices, or they may be required to adopt and implement a comprehensive privacy program. Over time, consent decrees have become more specific in nature. Both the company and the FTC have incentives to negotiate a consent decree rather than proceed with a full adjudication process. The company avoids a prolonged trial as well as negative ongoing publicity. It also avoids having the details of its business practices exposed to the public. The FTC: (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage because monetary fines are much easier to assess in federal court if a company violates a consent decree than if no decree is in place. 7 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP 5.3.3 Deceptive Trade Practices Today, the application of “deceptive trade practices” in Section of the FTC Act to privacy and information security is well established. As the FTC is tasked with addressing concerns raised by emerging technology, this interpretation evolved during the commercialization of the internet. In the 1990s, organizations began to post privacy notices on their websites. 
These privacy notices helped inform consumers about how their personal information was being collected and used. During this period, the FTC, along with the Department of Commerce (DOC), began convening public workshops and conducting other activities to highlight the importance of privacy protection on websites. 44 By 2000, privacy notices had become a standard feature of legitimate commercial websites. 45 If a company promised a certain level of privacy or security on its website or elsewhere and did not fulfill its promise, then the FTC considered that breach of promise a “deceptive” practice under Section 5 of the FTC Act. 46 In addition, the absence of a privacy notice is easily visible—any consumer advocate or regulator visiting the site can tell whether a notice is posted. In practice, today most commercial websites are expected to post a privacy notice. Although there is no omnibus federal law requiring companies to have public privacy notices, certain federal sector-specific statutes such as HIPAA, GLBA, and COPPA, discussed in Chapter 8 (Medical Privacy), Chapter 9 (Financial Privacy), and Section 3.4 of this chapter, do impose notice requirements. Also, as discussed in Chapters 6 (State Comprehensive Privacy Laws) and Chapter 7 (State Data Breach Notification Laws), state laws often require companies and organizations doing in-state business to post privacy policies on their websites. The early focus on privacy notices by the FTC has evolved into numerous privacy and security “deceptive” practices cases in a typical year. For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances. 47 Deceptive practices include false promises, misrepresentations, and failures to comply with representations made to consumers, such as statements in privacy policies or certifications of compliance with an industry or government set of standards. 
48 Two recent cases highlight enforcement practices of the FTC related to deceptive trade practices – In the Matter of Facebook and In the Matter of Everalbum. 5.3.3.1 In the Matter of Facebook In 2019, Facebook agreed to pay a $5 billion fine to settle allegations that the company deceived users about their ability to control the privacy of personal data. 49 At the time of the consent order, this fine was the largest penalty that the FTC had ever imposed on a company for alleged violations of consumer privacy. 50 In 2012, Facebook agreed to a consent order that prohibited the company from misrepresenting the extent to which users could control the privacy of their information and the extent to which the company makes the information available to third parties. According to the allegations by the FTC that resulted in the 2019 fine, Facebook violated this 2012 consent order. The FTC alleged that Facebook failed to restrict third-party developers from accessing and collecting the data of users’ friends. 51 As part of the 2019 settlement agreement, Facebook agreed to restructure its corporate approach to privacy and to create increased accountability at the level of the board of directors. 52 8 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 5 – as of 01/29/2024 © IAPP 5.3.3.2 In the Matter of Everalbum In a 2021 settlement, the photo app Everalbum agreed to a novel remedy. The company agreed to delete the facial recognition algorithms developed using consumer data inappropriately obtained – a remedy referred to as algorithmic disgorgement. 53 Much as the FTC has historically sought to have companies disgorge profits from unlawful practices, it may also seek disgorgement of the algorithmic fruits of unlawful behavior. 
With regard to the facts of the enforcement action, Everalbum told users that the company would not apply facial recognition technology to users’ content, such as photos and videos, unless they affirmatively chose (opted in) to facial recognition. Everalbum also informed users that, when users deactivated accounts, their content would be deleted. At the time of the FTC complaint, Everalbum had 12 million users globally. According to the allegations by the FTC, Everalbum misled users by automatically activating the facial recognition feature – noting that the facial recognition could not be turned off by most users. In addition, Everalbum failed to keep its promise to users to delete their account when users deactivated accounts. Instead, Everalbum kept the users’ photos and videos indefinitely. 54 After the United States Supreme Court case of AMG Capital Management v. FTC (discussed in Section 5.3.1), that precluded the FTC from seeking “equitable monetary remedies” (damages) pursuant to Section 13(b), the FTC can likely still seek non-monetary remedies such as algorithmic disgorgement – which is seen as an important new remedy for the FTC. As of the writing of this book, the FTC lacks specific regulation related to artificial intelligence (AI), which is software reliant on algorithms. To address unfair or deceptive AI practices, algorithmic disgorgement may become a more prominent enforcement tool. Experts suggest that the FTC is likely to continue to use this new remedy in consent orders unless and until courts rule that the remedy exceeds the Commission’s authority. 5.3.4 Unfair Trade Practices Section 5 of the FTC Act applies to “unfair” as well as “deceptive” trade practices. The FTC began to enforce “unfair” practices by 2004. The scope of the term unfairness has been clarified by the FTC numerous times over the years. 
Unfair practices are those that cause, or are likely to cause, substantial injury to consumers (an injury that is not merely speculative); that consumers cannot reasonably avoid themselves; and that is not outweighed by countervailing benefits to consumers or competition. Claims of unfair trade practices can exist even where the company has not made any deceptive statements, provided the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers. 55 Each step involves a detailed, fact-specific analysis that must undergo careful consideration by the Commission. 56 The FTC has sanctioned companies for unfair practices when they failed to implement adequate protection measures for sensitive personal information or when they provided inadequate disclosures to consumers. 57

Two recent cases highlight enforcement practices of the FTC related to unfair trade practices: In the Matter of Equifax and In the Matter of Uber.

5.3.4.1 In the Matter of Equifax

The 2019 Equifax settlement showed the significant consequences faced by a company for a massive data breach. Equifax suffered a breach in 2017 which affected approximately 150 million consumers. The breach exposed the Social Security numbers and home addresses of these individuals. According to the allegations in the case, the credit reporting agency’s failure to engage in reasonable security measures to protect its network led to the 2017 data breach, which affected 147 million consumers.
58 In the 2019 settlement with the FTC, the CFPB, and 50 states and territories, Equifax agreed to pay $300 million to set up a fund for affected customers to receive credit monitoring; $175 million to 48 states, the District of Columbia, and Puerto Rico; and $100 million in civil penalties to the CFPB. 59 In addition, Equifax agreed to implement a comprehensive security program for 20 years. 60

5.3.4.2 In the Matter of Uber

In 2018, Uber entered into a consent order with the FTC related to two data breaches, the first in 2014 and the second in 2016. The Uber case is significant because it marks the first time that a company executive has faced criminal prosecution related to the handling (or mishandling) of a data breach. In the 2014 data breach, an intruder gained access to the personal information of about 100,000 drivers. A second, larger breach occurred in 2016, in which hackers accessed the personal information of approximately 60 million Uber drivers and riders. According to the allegations in the FTC enforcement action, Uber failed to monitor employees’ access to consumers’ personal information; to reasonably secure sensitive consumer data in the cloud; and to timely disclose the second breach. 61

The criminal prosecution focused on events in 2016. At that time, Uber was under investigation by the FTC related to the 2014 breach. Uber’s Chief of Security (and his team) learned of the second breach when hackers demanded a $100,000 ransom from Uber. The team did not report the 2016 breach to Uber’s General Counsel, as required by the company’s internal policies. Instead, they paid the ransom and had the hackers sign a non-disclosure agreement. The Chief of Security (and his team) failed to notify the FTC of the breach. In 2017, Uber hired a new CEO. After the CEO took office, Uber publicly disclosed the 2016 breach and notified the FTC of the event.
In 2022, Uber’s former Chief of Security was found guilty by a jury of the following crimes: obstructing an FTC investigation and concealing a felony from authorities. 62

5.4 Additional FTC Authority to Protect Consumer Privacy and Security

The FTC has specific authority over privacy and security issues beyond Section 5 of the FTC Act, including the Children’s Online Privacy Protection Act (COPPA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Fair Credit Reporting Act (FCRA), and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.

5.4.1 COPPA

The FTC is the rulemaking and enforcement agency for COPPA. This 1998 law was passed specifically to protect children’s use of the internet, particularly websites and services targeted toward children, who are defined as under the age of 13. 63 COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires consent by parents prior to the collection of personal information from children under the age of 13. This means COPPA requires express consent from a parent before a child’s personal information is collected. Although COPPA does not mandate a precise method that website operators must employ to obtain consent from parents, operators are required to utilize a method that is reasonably designed, in light of the technology available, to make sure that the consent is provided by the parent of the child.
64 As states begin to enact comprehensive privacy laws, these state laws generally contain protections for children and often make reference to COPPA, particularly in relation to the requirements for obtaining consent from parents. These state laws are discussed in Chapter 6 (State Comprehensive Privacy Laws).

5.4.2 HITECH

The FTC shares rulemaking and enforcement authority with the U.S. Department of Health and Human Services (HHS) for data breaches related to medical records under HITECH, which applies to “personal health record” providers. The breach notification requirements under HITECH are similar to those under HIPAA. These requirements apply even if the provider does not seek electronic reimbursement from the U.S. government. This rule is enforced by the FTC. HITECH will be discussed in more detail in Chapter 8 (Medical Privacy).

5.4.3 FCRA

The FCRA regulates the consumer reporting industry and provides privacy rights in consumer reports. Until the creation of the Consumer Financial Protection Bureau (CFPB), the FTC issued rules and guidance for the FCRA, as amended by the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The CFPB now has authority to issue rules in those areas. The CFPB shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator. Also, state attorneys general are required to give notice to the FTC prior to filing suit, and the FTC retains the authority to intervene in cases brought by the state attorneys general. Additional discussion of this topic can be found in Chapter 9 (Financial Privacy).

5.4.4 CAN-SPAM

CAN-SPAM restricts unsolicited commercial electronic mail. Both the FTC and the FCC have the authority to issue regulations implementing CAN-SPAM. The FCC has issued rules regarding mobile service commercial messages (MSCMs), including many commercial text messages.
CAN-SPAM grants enforcement authority to the FTC and the FCC as well as to state attorneys general. This law is discussed further in Chapter 11 (Telecommunications and Marketing).

5.5 Future of Federal Enforcement by the FTC

The focus of the FTC’s regulatory efforts evolves with changing technology and practice. The FTC’s mandate includes a focus on the cutting edge of emerging technology and practices. 65 In 2023, the FTC created an Office of Technology to further this part of its mandate. 66 This focus on emerging technology and practices by the FTC means that it is important for privacy practitioners to examine recent publications of the FTC to learn where future enforcement actions are likely to be directed.