The FTC and the New Common Law of Privacy

Article Source: Columbia Law Review, Vol. 114, No. 4, pp. 583-676, 2014
Publication Date:
Time to Read: 2 minute read
Written By:

Search for the full article on Bing



Since the 1990s, the Federal Trade Commission (FTC) has negotiated settlement agreements addressing privacy with many companies. Although the FTC’s authority is limited, the agency has developed detailed rules about privacy and data security.


Policy Relevance:

The FTC has transformed scant privacy “self-regulation” into a comprehensive set of rules. The FTC should extend these rulings further, focusing on consumer’s expectations of privacy.


Key Takeaways:
  • Some complain that privacy law in the United States is sparse compared with that of the European Union. Because of the FTC’s rulings, these complaints are no longer valid.
  • The FTC regulates privacy as an unfair or deceptive trade practice, but has limited enforcement power and cannot pass new privacy rules.
  • Favoring self-regulation, businesses heed the FTC to avoid top-down federal privacy legislation.
  • Almost all FTC privacy complaints are resolved in negotiated settlements; businesses and the general public look to the FTC’s settlement agreements for guidance on privacy norms.
  • Most FTC rulings concern deceptive practices, but privacy and security practices can be unfair.
    • Deceptive practices include a firm’s failure to follow terms of its own privacy policy.
    • Failure to keep data reasonably secure is also deceptive.
    • Unfair practices include false claims of affiliation with another firm (phishing).
  • Originally, privacy principles were vague, but the FTC’s rules have become coherent and specific.
    • A long list of best practices for data security, such as the use of secure socket layer (SSL) encryption, can be derived from the FTC’s agreements.
    • The FTC’s agreements also extend liability to third parties such as firms that violate the privacy policies of other firms.
  • Often the FTC looks at the effect of a data practice on consumers, rather than the company’s intent; this makes sense because many consumers do not read privacy policies.
  • The FTC should be aggressive in making rulings based on consumer expectations, product design, and cultural and industry norms, moving beyond privacy policies.



Daniel Solove

About Daniel J. Solove

Daniel J. Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. He is an internationally-known expert in privacy law.

Woodrow Hartzog

About Woodrow Hartzog

Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog’s scholarship and advocacy focuses on privacy and technology law. His research focuses on the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.