Electronic Privacy Information Center

Federal Trade Commission

Overview of Statutory Authority to Remedy Privacy Infringements

a) Power to prohibit unfair and deceptive practices.

Under 15 U.S.C. § 45(a)(2) (section 5 of the Federal Trade Commission Act) the Federal Trade Commission ("FTC") is empowered to "prevent persons, partnerships, or corporations" from using "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." Although this law does not grant the FTC specific authority to protect privacy, over the last number of years it has been construed to prohibit certain privacy invasions based on deception. So, for example, if a company makes a written promise on its website or in any other company literature to abide by certain practices and then later breaches, or fails to meet, that promise it may be prosecuted by the FTC for committing an unfair and deceptive practice contrary to section 5 of the FTC Act.

Although this authority is useful where there is a clear violation of a previous commitment, it is not a sufficient substitute for a comprehensive and enforceable privacy law. It does not require data collectors to abide by standard Fair Information Practices such as notice, consent, use limitation, access and security. An "unfair and deceptive practice", as defined by the Commission, includes only a violation of a former written agreement (such as a privacy policy). There is no obligation on companies to actually post such a policy. In its own words:

"[T]he Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practices principles on their web sites…." [1]

This leads to the curious situation whereby a company without a privacy policy is arguably less likely to be punished for privacy invasive practices than a company with a privacy policy. Although the agency itself may encourage companies to follow good principles, it lacks the statutory authority to require them to do so.

In addition, individuals have no right to private action under the FTC Act nor can they compel the agency to act on their behalf. Consumers are entitled to notify the FTC of market failures by submitting complaints against specific companies, however, the FTC is not under any obligation to review or respond to individual privacy complaints. [2] Where the agency does take a case, it acts entirely according to its own discretion. There is no opportunity for individuals to be involved and even judicial review is expressly precluded by the Act. [3]

In June 2000, following three years of detailed marketplace study the FTC concluded in its annual report to Congress that new privacy legislation was necessary to protect consumers against privacy invasions in the online marketplace. The report called on Congress to enact legislation that would "establish basic standards of practice for the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards." This position was reversed, however, in October 2001 by new FTC Chairman Timothy Muris. In announcing a new privacy agenda for the agency the Chairman stated that it was "too soon" to recommend broad-based online privacy legislation and that there needed to be developed "better information about how such legislation would work and the costs and benefits it would generate."

b) Other Powers

The FTC is also responsible for overseeing and enforcing the privacy provisions of the following laws:

i) The Fair Credit Reporting Act (15 U.S.C. §1681-1681 (u), as amended) which regulates the use and disclosure of "consumer reports" by consumer reporting agencies;

ii) the Telemarketing and Consumer Fraud and Abuse Prevention Act ( 15 U.S.C. § 6101-6108) which protects consumers from invasive and fraudulent telemarketing practices;

iii) the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506) which restricts the online collection of personal information from children under the age of 13;

iv) the Gramm-Leach-Bliley Act ( 15 U.S.C § 6801-6827) which provides limited "notice" and "opt-out" rights to consumers over their financial records; and

v) the Identity Theft Assumption and Deterrence Act (18 U.S.C. § 1028) which strengthens the criminal laws governing identity theft and charges the FTC which establishing a centralized complaint and consumer education service for victims of identity theft.

c) How the FTC Takes an Action

If the FTC believes that a company is engaging in an unfair or deceptive practice, it initially attempts to negotiate a settlement with the company. A successful settlement results in a consent decree, under which the company voluntarily agrees to refrain from the disputed practice and to take steps to remedy the situation, without admitting any violation of law. The order is then placed on record for a public comment period of 60 days. After this period the Commission decides whether to make the consent agreement final.[4] If the consent order becomes final, it has the force of law and violations are subject to a civil penalty.[5]

If no settlement can be reached, the FTC may bring an enforcement action (issue a complaint) against a party if it believes that the party was engaging in an unlawful practice and that a proceeding "would be in the interest of the public."[6] This complaint must set out the specific charges and notify the party that a formal hearing on the matter will take place before an administrative law judge within 30 days.[7] The Commission may also seek a temporary restraining order or preliminary injunction against a company pending the issuance or dismissal of a complaint to prevent them from engaging in a deceptive act or practice.[8] At the hearing, witnesses submit evidence, give testimony and are examined and cross-examined. If a violation of law is found, the FTC will issue a "cease and desist" order instructing the impugned party to refrain from continuing to engage in the unlawful practice. This decision may be appealed to the full Commission, which, subject to certain restrictions, may modify or set aside the order, in whole or in part, where it is of the opinion that either new conditions of fact or law, or the public interest, so requires.

Final decisions of the Commission may be appealed, within 60 days of the date of issuance of the order, to the US Court of Appeals for any circuit in which the accused practice was used or the accused party does business.[9] The appeals court then has full jurisdiction to enter a decree affirming, modifying or setting aside the order of the Commission. The judgment of the court is final and subject only to review of the Supreme Court upon certiorari. There is a civil penalty of up to $11,000, for each separate violation of the final "cease and desist" order.[10] Under section 45(m)(1)(B), the Commission may enforce this penalty against any party who violates the final cease and desist order if it can show that they have "actual knowledge or knowledge fairly implied…..that such act is unfair or deceptive."[11] Similarly, the Commission may take measures against persons for engaging in dishonest and fraudulent acts. Section 57b empowers it to bring a civil action against any person, organization or corporation that knowingly engages in an unfair and deceptive practice or a practice "which a reasonable man would have known under the circumstances was dishonest or fraudulent." In such a case, the court may grant such relief as it finds necessary "to redress injury to consumers or other persons, partnerships, and corporations resulting from the rule violation or the unfair or deceptive act or practice."

 

Footnotes

[1] Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), p34.

[2] Code of Federal Regulations Title 16, Chap 1, Part 1, Sec 2.2 empowers "Any individual, partnership, corporation, association, or organization [to] request the Commission to institute an investigation in respect to any matter over which the Commission has jurisdiction." The Commission, however, retains full discretion to decide whether or not to take the action.

[3] 15 U.S.C.§ 57b-3(c)

[4] See further, 'A Brief Overview of the FTC's Investigative and Law Enforcement Authority'.

[5] Commission Rule 1.98, set out in 16CFR1.98, as last adjusted in 1996 sets the civil monetary penalty amount at $11,000 .

[6]15 U.S.C. § 45 (b)

[7] Settlements between the FTC and respondent companies are often made at this stage also.

[8] 15 U.S.C. § 53(b)

[9] 15 U.S.C. § 45(c)

[10] Supra.

[11] The Commission explains that in order to prove actual knowledge it would typically show that "it had provided the violator with a copy of the Commission determination in question, or a "synopsis" of that determination." See FTC, 'A Brief Overview of the FTC's Investigative and Law Enforcement Authority', supra n.4.