All posts in FTC

FTC v. AT&T Mobility

Daniel Solove
Founder of TeachPrivacy

FTC v. ATT Mobility

In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc),  the U.S. Court of Appeals for the 9th Circuit en banc reversed an earlier panel decision that severely limited the FTC’s jurisdiction to protect privacy and data security.  I strongly criticized the panel decision in an previous blog post.

The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce.  Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers.  A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.”  Common carriers are regulated by the Federal Communications Commission (FCC).

In FTC v. AT&T Mobility the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC.  However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in.  This means that if a company engages in a non-minor amount of common carrier activities, then everything that it does, including many activities beyond its functions as a common carrier, fall outside the FTC’s power to regulate under Section 5.  Because these are non-common-carrier activities, the FCC often can’t regulate them either.  This opens up an odd no man’s land where a company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.

Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:

Continue Reading

Chart of FTC Commissioners and Chairpersons 1915-2018

Daniel Solove
Founder of TeachPrivacy

The FTC released the above chart showing the history of Commissioners, Chairwomen and Chairman of the FTC from 1915 through the present day. According to the chart, The Federal Trade Commission is composed of five Commissioners, and their terms extend for seven years. The Commissioners are appointed by the President with the advice and consent of the Senate. At any given time, not more than three Commissioners may be members of the same political party. The President designates one Commissioner as Chairman, and the Chairman is given the responsibility for the administration of the Commission.

Continue Reading

Congress’s Attempt to Repeal the FCC Internet Privacy Rules: The Void Will Be Filled

Daniel Solove
Founder of TeachPrivacy

FCC Privacy Rules Repealed

Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs).  The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements.  Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications.  The rules required reasonable data security protections as well as data breach notification.

FCC LogoThis development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed.  There are many other regulators and sources of privacy law to fill the void.

Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules.  They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.

Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry.  In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies..  But nature abhors a vacuum.  Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU.  They are far more likely to regulate privacy even more stringently than the FCC or FTC.

In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation.  This is what happened with data security regulation and data breach notification.  Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law.  But it failed to act.  Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws.  Instead of having to comply with one law, companies must navigate laws in many states.  The most common strategy for companies operating in all states  is to try to follow the strictest state law,  Thus, the de facto rule is the law of the state with the most strict protections.

Continue Reading

The Future of the FTC on Privacy and Security

Daniel Solove
Founder of TeachPrivacy

Future of the FTC

Co-authored by Professor Woodrow Hartzog

The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?

Continue Reading

A Gaping Hole in Consumer Privacy Protection Law

Daniel Solove
Founder of TeachPrivacy

A Gaping Hole in Consumer Privacy Protection Law

Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.

Continue Reading