The FTC and the New Common Law of Privacy

Privacy and Security

Article Snapshot


Woodrow Hartzog and Daniel J. Solove


Columbia Law Review, Vol. 114, No. 4, pp. 583-676, 2014


Since the 1990s, the Federal Trade Commission (FTC) has negotiated settlement agreements addressing privacy with many companies. Although the FTC’s authority is limited, the agency has developed detailed rules about privacy and data security.

Policy Relevance

The FTC has transformed scant privacy “self-regulation” into a comprehensive set of rules. The FTC should extend these rulings further, focusing on consumers’ expectations of privacy.

Main Points

  • Some complain that privacy law in the United States is sparse compared with that of the European Union. Because of the FTC’s rulings, these complaints are no longer valid.
  • The FTC regulates privacy as an unfair or deceptive trade practice, but has limited enforcement power and cannot pass new privacy rules.
  • Favoring self-regulation, businesses heed the FTC to avoid top-down federal privacy legislation.
  • Almost all FTC privacy complaints are resolved in negotiated settlements; businesses and the general public look to the FTC’s settlement agreements for guidance on privacy norms.
  • Most FTC rulings concern deceptive practices, but privacy and security practices can be unfair.
    • Deceptive practices include a firm’s failure to follow terms of its own privacy policy.
    • Failure to keep data reasonably secure is also deceptive.
    • Unfair practices include false claims of affiliation with another firm (phishing).
  • Originally, privacy principles were vague, but the FTC’s rules have become coherent and specific.
    • A long list of best practices for data security, such as the use of Secure Sockets Layer (SSL) encryption, can be derived from the FTC’s agreements.
    • The FTC’s agreements also extend liability to third parties such as firms that violate the privacy policies of other firms.
  • Often the FTC looks at the effect of a data practice on consumers, rather than the company’s intent; this makes sense because many consumers do not read privacy policies.
  • The FTC should be aggressive in making rulings based on consumer expectations, product design, and cultural and industry norms, moving beyond privacy policies.

