The FTC’s Privacy Protection Crusade

Over the course of the past few years, the Federal Trade Commission has managed to collect millions of dollars in fines for privacy-related violations, both from small Internet startups and behemoths such as Google.  In January alone, the FTC announced settlements against 15 separate companies for privacy violations.

FTC enforcement actions against unfair or deceptive practices are nothing new; however, most of the practices at issue in these recent privacy cases were not deceptive or unfair in the traditional sense.  Instead, the violations stemmed from the companies’ failure to invest the time and security resources needed to protect data.

Under Section 5 of the FTC Act, the agency has the authority to investigate any and all “unfair or deceptive acts or practices in or affecting commerce.”  With respect to privacy matters, this broad authority is further enhanced by numerous sets of rules, including the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLB), and the Telemarketing and Consumer Fraud and Abuse Prevention Act.

Many enforcement actions are predicated on a company’s failure to adhere to its own published privacy policy; simply put, the company broke its promise to consumers. Even the slightest violations are subject to enforcement.  For example, the FTC recently reached settlements with BitTorrent and the Denver Broncos, which were accused of falsely claiming they held certifications under the U.S.-EU Safe Harbor framework*.  In actuality, they had held the certifications; they just failed to renew them.  A recent settlement with Accretive Health (a company that handles medical data and patient-financial information) involved the theft of a company laptop containing private information, which the FTC alleged was transported in an unsafe manner (it was in an employee’s car when the car was stolen).  In a case involving Wyndham Hotels, the FTC alleged that hackers repeatedly accessed consumer data stored on the company’s hotel systems because of wrongly configured software, weak passwords, and insecure servers.  Though Wyndham’s privacy policy did not promise that the information would remain secure, the FTC still sued it for the lapse.

These cases are nothing to sneeze at.  They are expensive to litigate, generate significant negative publicity, and carry settlement terms that are often burdensome, or even draconian.  Targeted companies may be required to pay significant fines and be subjected to continual oversight by the FTC for 20 years.  Worse still, a company that commits a repeat violation will be subject to even higher fines.  For example, Google was required to pay $22.5 million for violating a previous settlement with the FTC.

The FTC has asserted that the failure to secure data is itself an “unfair” practice, and has stated that it may require companies to have reasonable data protection measures in place regardless of whether their privacy policies promise them.  To avoid FTC scrutiny, companies should never minimize their privacy obligations.  Instead, they should do everything possible to protect and safeguard the data that consumers entrust to them, no matter what their privacy policy says.


*  The Safe Harbor is a streamlined process by which US companies that receive or process personally identifiable information, directly or indirectly, from Europe can comply with European privacy law. Self-certifying to the U.S.-EU Safe Harbor Framework also assures EU organizations that the certifying organization provides “adequate” privacy protection.

Author: Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.