In an August 19, 2013 address to the Technology Policy Institute Aspen Forum, FTC Chairwoman Edit Ramirez suggested that the FTC should employ its unfairness authority to regulate the evolution of Big Data in the interest of consumer privacy “to ensure that these advance [in data collection and use] are accomplished by sufficiently rigorous privacy safeguards.” Ramirez likened her role to that of a Bay Watch lifeguard: “Like a vigilant lifeguard the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt. With big data, the FTC’s job is to get out of the way of innovation while making sure that consumer privacy is respected.” The rest of her speech, however, suggested not recommendations of best practices but what could be interpreted as mandates for industry. She also opined that consumers are in fact harmed when companies gather more data than they need and do not give consumer’s meaningful choice prior to collection and at the point of collection. Actual harm is a requirement of the FTC’s unfairness authority.
Use of unfairness authority under Section 5 of the FTC Act is a long controversial issue and invocation of it in the privacy context should be cause for concern. Basically the FTC must establish (1) an act or practice likely to cause substantial harm or injury to consumers; (2) that injury is not reasonably avoidable; and (3) that injury is not outweighed by countervailing benefits to consumer or competition. Many feel that this is not a clear standard sufficient to give companies notice of what they can and cannot do with respect to consumer privacy and its application to big data would allow the FTC to essentially create law without the clear authority or direction of Congress and outside of the rule making process, which requires notice and public comment. It is a matter of notice and due process, or rather the lack thereof. Deception, the other Section 5 authority, is pretty clear cut and companies are more hard pressed to argue they lack notice of the rules of the road – don’t make privacy representations that are not true or are misleading.
Technically, there should not be a common law built on FTC consent orders, in the same way judicial precedent builds the common law. That is not the way executive branch and administrative law are supposed to operate. But, it is the practical reality. We all look to consent orders for direction on what is and is not appropriate, notwithstanding that the FTC is really just exercising “fencing in” of a specific alleged bad actor through a settlement. A suggestion that the FTC may take such an approach to establishing rules rather than best practices with regard to consumer privacy is disturbing.
This one of the key complaints of Wyndahm Hotels in its challenge of the FTC’s authority to regulate data security. Whether or not Wydham is successful, its challenge to FTC unfairness authority, and to essentially regulation by enforcement actions and consent orders rather than legislation or administrative rule making, is very important. It may serve to check the creeping expanse of authority of the current FTC in the area of consumer protection where there is no Congressional mandate and no process for vetting out what makes good public policy in the open light where all stakeholders have an opportunity to contribute their thoughts and opinions.
The FTC should maintain its course of recommending privacy best practices, encouraging industry self-regulation, bringing deception cases and enforcing laws where Congress has given it specific authority like the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act. If a national legal standard for data privacy and security is to be set, it is the role of Congress not the executive branch to develop that policy. However, Chairwoman Ramirez seems to be signaling a willingness to step in and fill the void left by Congressional inaction. Accordingly, companies should be looking at the FTC’s best practice directions, such as in its 2012 Privacy Report (cited approvingly by Ramirez in her speech) and think of them not as mere recommendations.
Edwards Wildman’s Privacy & Data Security and Advertising, Digital Media & e-Commerce practice groups assist clients in assessing data privacy and security laws, best practices and industry self-regulation on a global basis and help them create, implement, monitor and access data protection policies and compliance programs. The opinions expressed are that of the author and not necessarily that of Edwards Wildman or its clients.