The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score.
To many, the FTC remains opaque and somewhat enigmatic. The reason, ironically, might not be because there is too little information about the FTC but because there is so much. The FTC has been around for 100 years!
In a landmark new book, Professor Chris Hoofnagle of Berkeley Law School synthesizes an enormous volume of information about the FTC and sheds tremendous light on the FTC’s privacy activities. His book is called Federal Trade Commission Privacy Law and Policy (Cambridge University Press, Feb. 2016).
This is a book that all privacy and cybersecurity lawyers should have on their shelves. The book is the most comprehensive scholarly discussion of the FTC’s activities in these areas, and it also delves deep in the FTC’s history and activities in other areas to provide much-needed context to understand how it functions and reasons in privacy and security cases.
There is simply no better resource on the FTC and privacy. This is a great book and a must-read. It is filled with countless fascinating things that will surprise you about the FTC, which has quite a rich and storied history. And it is an accessible and lively read too – Chris really makes the issues come alive.
I interviewed Chris Hoofnagle to discuss a few issues from his book.
SOLOVE: What are 5 of the most important things that privacy and security professionals should know about the FTC that they might not know?
HOOFNAGLE: Here is my list of 5:
1. Relationships with staff may be more important than links to commissioners. Our instinct is to “go to the top” to influence the FTC. But the FTC’s staff attorneys are the real day-to-day decision makers and are vested with significant autonomy. The staff decide what practices to investigate and the cases to bring. Commissioners, on the other hand, mostly exercise power through veto. By the time a matter reaches the Commissioners, no single Commissioner can make it go away. Commissioners also come and go, while many staff stay for decades.
2. It is possible to persuade the FTC to drop an investigation. The internal political dynamics of the FTC are important to understanding how one might convince the agency to drop an investigation against a client. Each division of the FTC approaches case selection differently. In the privacy arena, the FTC lawyers are looking for important policy-setting cases. The agency has a limited capacity to bring cases, and it wants to bring ones that have the greatest impact. The more you can show that the client understands the problem and is making affected consumers whole, the more likely it is that staff will focus its spotlight elsewhere.
3. A pugilistic posture does not help. The respondents who go to battle with the FTC—even the billionaire ones—end up losing in the end. The FTC is a century-old institution; decades ago it had the wherewithal to battle William Randolph Hearst and other respondents who fought the agency by triggering Congressional oversight and the like. As a lawyer, a conciliatory approach is more productive.
4. To see around the corners, it pays to be familiar with the FTC’s other divisions. The FTC’s privacy efforts are often based on approaches from other types of cases, so it pays to know about the FTC’s other activities. This is especially true for the FTC’s advertising cases.
5. The FTC has enormous investigatory powers. Investigations are costly and a major inconvenience, yet the FTC does not even exercise its full powers in a typical investigation. It even has the power to perform in-person inspections. Electronic records have only enriched the FTC’s investigative coffers and in recent years, the agency has been able to rely on evidence such as the kinds of keywords a respondent purchased to bolster deception cases. One reason why so many respondents settle is that the FTC finds many other deceptive practices once it starts investigating a company.
The FTC’s investigatory power has grown throughout its history. Even when led by Republicans, Congress has extended the FTC more and more investigatory power.
SOLOVE: What is the FTC’s biggest failure?
HOOFNAGLE: The FTC has not found a way to police data brokers. Data brokers both create new privacy problems and intensify existing ones by offering mechanisms to secretly identify consumers and to link their otherwise pseudonymous behavior. The market provides little incentive for data brokers to recognize individuals’ privacy interests.
The FTC has failed to police data brokers because internally, it struggles to articulate how data brokers’ systemic undermining of privacy rights creates marketplace harms. My book offers several approaches to dealing with this problem, drawing upon how the FTC overcame similar challenges in false advertising cases.
SOLOVE: What is the most important FTC case for privacy/security?
HOOFNAGLE: In privacy, the Sears case is important because the FTC rejected the formalism of contract and pure notice and choice approaches and focused on consumer expectations and surprise. Sears disclosed that it would monitor online browsing, but it buried the extent of the monitoring in a long End User License Agreement. The FTC concluded that there really is not consent when the fine print has details that would surprise the consumer. This conclusion is based on the FTC’s false advertising cases.
In security, the BJ’s and DSW are important because they were the first to find that a set of disparate security practices could “taken together” be unfair. In these cases, hackers stole payment card information from the retailers’ networks. The cases established security duties and helped to internalize the problem of systemic card network insecurity.
What these cases have in common is that consumers probably could not bring them. The FTC can remedy wrongs that the civil litigation system cannot because of standing issues or antipathy to class actions. Sears would fail because the courts have eroded contract norms online and courts would have imposed a duty to read the fine print on the consumer. The security cases would probably have fallen into the trap that one is generally not liable for the criminal acts of third parties. The FTC Act allows the FTC to remedy problems that the consumer cannot.
SOLOVE: To get a sense of the FTC’s impact, imagine a world in which the FTC never existed. What would such a world be like?
HOOFNAGLE: There would be more smoking, more predatory credit contracts, and of course, more telemarketing, to give a few examples. The FTC played a surprising strong role in fighting the tobacco industry. Shortly after the seminal Surgeon General report, the FTC proposed a warning label for cigarettes that linked tobacco to cancer and death. Congress stopped the FTC from mandating the label, but the episode showed how the FTC was one of the only institutions in America that would stand up to tobacco. The FTC’s continued its crusade against tobacco for decades, even intervening to stop the use of cartoon characters to promote smoking among the young.
In the 1960s, the FTC built the case for the “holder in due course rule” which preserves buyers’ rights against purchasers of credit contracts. The holder rule came about because the sale of credit contracts robbed consumers of the most effective way to deal with disputes over product quality and function—to stop paying the bill. Today we take this right for granted.
We would also have a lot more telemarketing without the FTC. The Do-Not-Call Registry dramatically reduced the number of phone calls interrupting people at dinner.
Consumer protection is incremental, and if it is successful, one forgets why it even exists. The FTC has been at it for more than 100 years. Its impact has been enormous.
Photo: President Roosevelt laying the cornerstone of the FTC Building
SOLOVE: Do you have recommendations for how the FTC can improve its privacy and security enforcement?
HOOFNAGLE: In privacy, the FTC still too heavily focuses on privacy as being about notice and choice, and this curtails its case selection. The FTC has ignored many essential issues that occur after the consumer has received notice and provided personal data – issues such as lock-in, network effects, and transaction costs imposed on consumers. Simply put, the FTC is applying a set of economic principles more attuned to physical products than to personal information transactions. Going forward, more and more privacy issues are going to fit more comfortably in an unfairness rubric, and this means that the FTC has to be bold enough to declare more post-transaction changes as injurious.
In security, the FTC should not do any more cardholder data cases. The FTC has already jump started the obligation to keep card numbers secure. Instead the FTC should focus on security matters that consumers themselves cannot solve. Prime examples come from security breaches that do not involve SSNs or card information, but nevertheless are harmful and difficult to detect. For example, the leakage of internet searches or browsing history could be very damaging and yet not hit any of the security breach notification triggers.
SOLOVE: Thank you, Chris, for your insightful and thought-provoking answers. This interview is just an appetizer – the book is a full lavish meal. Get thee to a bookstore and buy this book – it is required reading in the field.
The book is: Federal Trade Commission Privacy Law and Policy (Cambridge University Press, Feb. 2016).
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.