- April 10, 2014
- Posted by: Seth Heyman
- Category: Internet Law
Over the course of the past few years, the Federal Trade Commission has managed to collect millions of dollars in fines for privacy-related violations, both from small Internet startups and behemoths such as Google. In January alone, the FTC announced settlements against 15 separate companies for privacy violations.
FTC enforcement actions against unfair or deceptive practices are nothing new; however, most of the practices associated with these recent privacy cases were not deceptive or unfair. Instead, the violations at issue stemmed from the companies’ failure to invest the time and security resources needed to protect data.
Under the FTC Act, the agency has the authority to investigate any and all “unfair and deceptive acts and practices in or affecting commerce.” With respect to privacy matters, this broad authority is further enhanced by numerous sets of rules, including the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLB), and the Telemarketing and Consumer Fraud and Abuse Prevention Act.
These cases are nothing to sneeze at. They’re expensive to litigate, they generate significant negative publicity, and their settlement terms are often burdensome, or even draconian. Targeted companies may be required to pay significant fines and be subjected to continual oversight by the FTC for 20 years. Worse still, if a company has a repeat violation, it will be subject to even higher fines. For example, Google was required to pay $22.5 million for violating a previous settlement with the FTC.
* The safe harbor is a streamlined process by which U.S. companies that receive or process personally identifiable information, either directly or indirectly, from Europe can comply with European privacy law. Self-certifying to the U.S.-EU Safe Harbor Framework also assures EU organizations that the certifying company provides “adequate” privacy protection.