by Daniel J. Solove
Here is a brief synopsis of the webinar:
Over nearly the past two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security. What are the standards that the FTC is developing for privacy and data security? What sources does the FTC use for the standards it develops?
A common misconception is that the FTC’s jurisprudence has been rather thin, merely focusing on enforcing promises made in privacy policies. To the contrary, a deeper look at the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.
My webinar was written up at the Wall Street Journal. If you’re interested in seeing it, it’s free and available here. Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.
The FTC was established in 1914 with a broad mandate to protect consumer privacy. It is headed by 5 commissioners who each serve for 7 years. The Commission is a bipartisan institution, with no more than 3 commissioners being members of the same political party.
In the mid-1990s, the FTC began enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security. Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.” Deception and unfairness are two independent bases for FTC enforcement.
For privacy and security, the FTC also has enforcement power beyond Section 5. The FTC has enforcement power over the Fair Credit Reporting Act (FCRA) (now shared with the CFPB), the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA) and the US-EU Safe Harbor Arrangement.
In the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled. It has published its complaints and consent decrees on its website. In the webinar, I argue that, collectively, these form a kind of “common law” that establishes standards for companies to follow. I discuss what these standards provide and the general trends of their development. I explore some future directions the FTC might take based upon the foundation it has established over the past two decades.
Woodrow Hartzog & Daniel J. Solove, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 583 (2014)
Daniel J. Solove & Woodrow Hartzog, The Scope and Potential of FTC Data Protection, 83 George Washington Law Review (forthcoming 2015)
Daniel J. Solove & Woodrow Hartzog, Should the FTC Kill the Password? The Case for Better Authentication, 14 Bloomberg BNA Privacy & Security Law Report 1353 (July 27, 2015)
Woodrow Hartzog & Daniel J. Solove, The FTC as Data Security Regulator: FTC v. Wyndham and Its Implications, 13 Bloomberg BNA Privacy and Security Law Reporter 621 (April 14, 2014)
Daniel J. Solove & Woodrow Hartzog, The FTC and Privacy and Data Security Duties in the Cloud, 13 Bloomberg BNA Privacy and Security Law Reporter 577 (April 7, 2014)
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.