Enforcing Privacy Rights: Prepping the FTC for the Challenge

By Chris Hoofnagle

Posted on January 11, 2011

The Department of Commerce's Green Paper recommends that “The FTC should remain the lead consumer privacy enforcement agency for the U.S. Government.” This is an enormous task, and I wonder whether it is generally understood how challenging it will be for the FTC to undertake it. Consider these problems with the Department of Commerce’s recommendation:

  • The FTC lacks civil penalty enforcement. This stands in stark contrast to other nations’ privacy authorities. For instance, all European Union countries have civil penalty enforcement—Spain can levy a €600,000 fine.

  • The FTC has curtailed its own authority in ways that hamper effective enforcement of privacy rules. For instance, over the past decade, the FTC has followed a “harm-based” approach as a voluntary constraint on its ability to bring privacy cases. There was no empirical support for the idea that consumers preferred this policy option. And the Federal Trade Commission Act (FTCA) clearly does not require harm. Its text does not mention harm; in fact, the very idea of “deception” is not even defined by the FTCA.

The harm-based approach was built upon an earlier voluntary limitation of the agency’s power. The 1983 statement, drafted by the FTC to explain its broad, undefined deception power, was recognized at the time as a political power grab, from the FTC to businesses, by then Reagan appointee FTC Chairman James Miller.

  • The FTC believes that it cannot bring cases against aiders and abettors. This is problematic for a strong privacy enforcement narrative, because modern large-scale frauds are dependent on many different actors who are repeat players—adware/spyware vendors, money mules and their managers are key for identity theft rings, and botnets and operators of botnet armies are essential for a wide variety of computer frauds. The use of affiliate marketing generally, while legitimate in certain circumstances, is often a technique to divorce advertisers from less-than-legal schemes to enroll consumers in continuity programs and the like. Aiding and abetting authority makes it possible to do more than simply play whack-a-mole with the advertiser of the week by attacking the infrastructures that act as a force multiplier for fraud.

  • The FTC’s staffing remains at 1960s levels. The FTC is responsible for policing a vast section of the US economy. The agency has some responsibility for over 40 laws now. It shoulders this burden with about 1,200 employees. This is down from its peak of about 1,750 employees in the late 1970s. It is simply not possible for one division within one agency to police the broad spectrum of privacy problems that exist.

  • If the FTC is too aggressive, it may suffer from blowback. Historically, the FTC has been “rewarded” for its work by threats from Congress. The meatpackers, baby-blanket manufacturers, cigarette companies, and advertisers have all played a part in threatening the agency’s powers (and very existence). Fallout from the KidVid proceeding caused Congress to stop funding for the agency, and Congress even banned it from taking enforcement actions in the advertising space for two years. The Department of Commerce’s sudden interest in privacy is interesting in light of this history.

  • The FTC may have allowed “efficient” violations of privacy rules. For instance, in the agency’s Adinteractive case, the company settled with the FTC and agreed to pay $650,000 in civil penalties for alleged deceptive advertising practices, when the company reported annual revenues exceeding $115 million; similarly, in the DirectRevenue case, the FTC settled for $1.5 million for a business practice that gained the company $20 million in investment revenue.

  • Taken together, these factors limit the FTC’s pressure against companies in cases it labels as “privacy initiatives.” The FTC has obtained 8-figure damage awards in only two privacy initiative cases—ChoicePoint ($15M) and LifeLock ($11M). In the agency’s other privacy initiative cases, it has levied about $7M in fines. Most cases involving fines are those where the FTC has invoked a sector-specific statute empowering the agency to levy a civil penalty. For instance, the agency obtained $1M settlements against Sony BMG and Xanga for violations of the Children’s Online Privacy Protection Act. ValueClick paid $2.9M for violations of the spam law. In the remaining 31 cases—the bulk of the FTC’s privacy initiatives where no civil penalties were obtained in settlement—the agency relied upon two tools to punish violators of privacy: long periods of oversight and the reputational damage of a settlement agreement.

For the enforcement recommendation to hold, the Green Paper should acknowledge these limits and alter its approach to buttress the FTC. In recent years, Chairman Leibowitz has petitioned Congress to address the APA rulemaking issue and aiding and abetting authority. The Department of Commerce should support these initiatives in order to bolster its narrative surrounding FTC enforcement.

Critically, the FTC needs a constituency—it needs a base of support among industry so that narrow business interests cannot call for the agency’s neutering or decapitation whenever the FTC is aggressive. Thus, Commerce should consider whether the very activities it proposes to do—standard setting and the like—should be done instead by the FTC. Industry must be invested in the FTC or it may pursue a capture strategy at Commerce to influence the substantive rules and attempt to limit the FTC’s resources, leadership competence, and authority to reduce enforcement.