The FTC and the New Common Law of Privacy
ARTICLE SUMMARY
Since the 1990s, the Federal Trade Commission (FTC) has negotiated settlement agreements addressing privacy with many companies. Although the FTC’s authority is limited, the agency has developed detailed rules about privacy and data security.
POLICY RELEVANCE
The FTC has transformed scant privacy “self-regulation” into a comprehensive set of rules. The FTC should extend these rulings further, focusing on consumer’s expectations of privacy.
KEY TAKEAWAYS
- Some complain that privacy law in the United States is sparse compared with that of the European Union. Because of the FTC’s rulings, these complaints are no longer valid.
- The FTC regulates privacy as an unfair or deceptive trade practice, but has limited enforcement power and cannot pass new privacy rules.
- Favoring self-regulation, businesses heed the FTC to avoid top-down federal privacy legislation.
- Almost all FTC privacy complaints are resolved in negotiated settlements; businesses and the general public look to the FTC’s settlement agreements for guidance on privacy norms.
- Most FTC rulings concern deceptive practices, but privacy and security practices can be unfair.
- Deceptive practices include a firm’s failure to follow terms of its own privacy policy.
- Failure to keep data reasonably secure is also deceptive.
- Unfair practices include false claims of affiliation with another firm (phishing).
- Deceptive practices include a firm’s failure to follow terms of its own privacy policy.
- Originally, privacy principles were vague, but the FTC’s rules have become coherent and specific.
- A long list of best practices for data security, such as the use of secure socket layer (SSL) encryption, can be derived from the FTC’s agreements.
- The FTC’s agreements also extend liability to third parties such as firms that violate the privacy policies of other firms.
- A long list of best practices for data security, such as the use of secure socket layer (SSL) encryption, can be derived from the FTC’s agreements.
- Often the FTC looks at the effect of a data practice on consumers, rather than the company’s intent; this makes sense because many consumers do not read privacy policies.
- The FTC should be aggressive in making rulings based on consumer expectations, product design, and cultural and industry norms, moving beyond privacy policies.
QUOTE
TAGS
About Daniel J. Solove
Daniel J. Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. He is an internationally-known expert in privacy law.
See more with Daniel J. Solove
About Woodrow Hartzog
Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog’s scholarship and advocacy focuses on privacy and technology law. His research focuses on the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.
