In a strongly-worded motion filed in federal district court in Arizona, Wyndham Hotels & Resorts LLC recently asked the court to dismiss all charges filed by the Federal Trade Commission alleging Wyndham engaged in unfair and deceptive privacy practices. As we reported in June, according to the FTC, these practices allegedly led to a variety of data breaches. The FTC brought the case in late June, after a two-year investigation into multiple intrusions into computer systems operated by Wyndham's franchised hotels that led to theft of payment card information of over 600,000 consumers. The FTC had argued in its complaint that Wyndham's failure to protect information was unfair, and that it deceptively represented the level of security it used in its privacy policies. Wyndham argued in its motion that both claims must fail. Wyndham attacked the FTC's unfairness claim for several reasons. First, it argued that the unfairness claim "stretches far beyond the traditional bounds of the Commission's authority." Notwithstanding a long history of bringing—and settling—privacy cases, Wyndham argued that the FTC's authority under Section 5 of the FTC Act does not stretch to data privacy matters. On this point, Wyndham further argued that although certain laws give the FTC authority to regulate data security standards—including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children's Online Privacy Protection Act—the more general FTC Act does not provide the FTC power to regulate data security. Second, Wyndham asserted that even if the FTC can regulate data security through Section 5 of the FTC Act, it would have to establish data-security standards through its rulemaking power, not through an enforcement action, under the constitutional protection of due process. As to the deception claim, Wyndham's motion to dismiss argues that the FTC "fails to recognize the fundamental distinction between data collected by [Wyndham] itself (to which the privacy policy applies) and data collected by the independently owned Wyndham branded hotels (to which the privacy policy expressly does not apply)." Wyndham states that its privacy representations specifically exclude the Wyndham-branded hotels and affirmatively state that Wyndham "do[es] not control the use of this Information or access to the Information by the Franchisee [hotel] and its associates." According to Wyndham, because the FTC did not allege that any of the data breaches ever compromised data collected by Wyndham itself, and the Wyndham's privacy representations did not cover information gathered by its franchisees, the FTC cannot therefore demonstrate that Wyndham's privacy representations were "likely to mislead consumers." This case represents one of the first times that a company has pushed back on a FTC data privacy complaint.

TIP: This case will test the limits of the FTC's authority to bring privacy-related actions under Section 5 of the FTC Act. A victory for Wyndham on its motion to dismiss would strike a large blow to the FTC's increasing momentum in privacy actions, which are based on companies' alleged deceptive and unfair acts. We will continue to monitor this case and report on developments. In the meantime, it would be wise for companies to continue to ensure that their information collection and use practices are not subject to allegations of deception or unfairness.