A new paper published in the Columbia Law Review argues that after more than a decade of enforcement actions, the Federal Trade Commission has created a body of common law privacy.
“The agency has spent 15 years enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices,” authors Daniel J. Solove and Woodrow Hertzog explained. The agency has filed 170 privacy-related complaints since 1997, which averages to about 10 each year. But the numbers are deceiving, as the complaints have ramped up dramatically in recent years from just nine complaints in 2002 to 24 in 2012.
While the vast majority of these actions have resulted in settlement agreements, “companies look to these agreements to guide their privacy practices,” and “in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute or any common law tort,” the authors wrote in “The FTC and the New Common Law of Privacy.”
The paper disputes the viewpoint that the agency’s privacy decisions are focused simply on enforcing specific privacy settlement agreements. Instead, “a deeper look at the principles that emerge from FTC privacy ‘common law’ demonstrates that the FTC’s privacy jurisprudence is quite thick,” the authors said. “The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules.”
Although other terms of service crafted by companies are enforced pursuant to contract law, the FTC came to “dominate” the enforcement of privacy policies because its power was gradually extended by laws like the Children’s Online Privacy Protection Act and the Gramm-Leach-Bliley Act, as well as the grant of enforcement authority under the E.U.-U.S. Safe Harbor Agreement.
While the FTC’s authority developed in “a fragmented fashion,” creating a “sectoral” regime with different law for different industries and economic sectors, today the agency has “sprawling jurisdiction.” And over the last 15 years, the agency’s enforcement actions have followed predictable patterns from general to more specific standards, much in the manner of common law development.
Lawyers consult and analyze the agency’s settlements as they would a judicial decision, the authors note. The consent agreements are made public and used by privacy attorneys to advise companies on how to avoid a similar FTC action. “FTC settlements are thus like the common law because they are treated in practice like the common law,” according to the article. It further notes that the agency has added to its enforcement decisions, “soft law,” such as guidelines, press releases, workshops, and white papers.
As for the jurisprudence itself, the authors explain that the FTC not only includes broken privacy and security promises in its scope of deceptive practices as its extends the scope to include the collection of personal information through deception practices and the failure to provide adequate notice of privacy-invasive activities. The authors identified five different examples in the unfairness realm: “retroactive policy changes, deceitful data collection, improper use of data, unfair design, and unfair information security practices.”
To read the “The FTC and the New Common Law of Privacy,” click here.
Why it matters: The article not only summarized the FTC’s privacy jurisprudence over the last 15 years, but it also predicted the direction in which the agency will move. Building from the foundation of settlement agreements, guidelines and white papers, the FTC “can push more toward focusing on consumer expectations than on broken promises, move beyond the four corners of privacy policies into design elements and other facets of a company’s relationship with consumers, and develop and establish even more substantive standards,” the authors wrote.