The Real Reason The FTC Does Not Like The White House’s Consumer Privacy Bill

In January, President Obama announced that he would release a draft Consumer Privacy Bill intended to give consumers more control over how data about them is collected and used. The draft Bill was released on February 27, 2015, and already there is no shortage of critics, including the President’s own Federal Trade Commission. (http://wapo.st/192KVXA) The FTC applauded the effort, but stated they were concerned the draft Bill did not “provide consumers with the strong and enforceable protections needed to safeguard their privacy.”

My question is whether the real reason the FTC does not like the draft Bill is that it does not give them enough authority to investigate and penalize companies for perceived privacy and security violations. Some have perceived the FTC’s current self-appointed authority in this area as nothing more than unfettered discretion to make up the rules of privacy and security as they go.

Currently, the FTC is the country’s data privacy and security watchdog. They use the unfair and deceptive trade practices clause of Section 5 of the Federal Trade Commission Act (FTCA), as their authority to investigate and punish companies for data privacy or security practices they deem to be unfair or deceptive. However, the FTCA was enacted in 1914, well before the birth of data privacy and security. The FTC, nevertheless has used this century old statute as the basis of their authority to determine whether a company’s data privacy practices or data security constitute either an unfair or deceptive trade practice. The application of the unfair and deceptive trade practices law to data privacy and security is a unilateral decision by the FTC. There are no statutes or regulations specifically giving the FTC authority to decide when all company’s privacy or security practices are unfair or deceptive. (http://bit.ly/18XzeRt) Moreover, there are no regulations or guidelines telling companies the level of privacy or security that will pass muster. In this manner, the FTC has had unfettered discretion to decide when a company’s privacy or security practices violate Section 5 of the FTCA. Challenges to the FTC’s authority to regulate in this area, and the FTC’s failure to provide fair notice as to the privacy or security practices that are sufficient, have been unsuccessful.

Along comes the President’s Consumer Privacy Bill proposing some guidance as to the privacy and security of data. Although the White House draft is quite flawed for a number of reasons (perhaps that will be the subject of another blog post), it does provide some framework to guide a company’s privacy and security practices. The Bill still leaves enforcement authority in the hands of the FTC. However, if the FTC brings an enforcement action against a company, the company could use the Bill to demonstrate compliance. The FTC would no longer have the ability to unilaterally determine whether or not a company has sufficient privacy and security practices. The Bill would serve to level the playing field. Both sides would have a law to tell them the privacy and security requirements. Whether a company met those requirements could then be argued according to a set of known laws. No longer would the FTC have the home court advantage of deciding on a company-by-company basis whether their privacy and security practices are sufficient. So while the FTC protests that the White House’s proposed Consumer Privacy Bill is not strong enough, I suspect their real disappointment might be their loss of complete authority to punish companies for what they perceive to be unfair or deceptive privacy or security practices

Written by: Richard Sheinis, Esq.