21 August 2013

FTC and US Privacy Regulation

The US Federal Trade Commission (FTC) provides a benchmark for action by Australia's privacy commissioners and the Australian Competition & Consumer Commission (ACCC). It also provides a lens for understanding the US privacy regime.

'The FTC and the New Common Law of Privacy' by Daniel J. Solove and Woodrow Hartzog is an innovative and important article that comments -
One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.
In this article, we contend that the FTC’s privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, that extends far beyond privacy policies, and that involves a full suite of substantive rules that exist independently from a company’s privacy representations. ...
The landscape of United States privacy law has been gap-riddled and often confounding. Self-regulation has reigned supreme over many industries. And yet, the FTC has risen to act as a kind of data protection authority in the United States. Despite having limited jurisdiction and limited resources, the FTC has created a body of common law doctrines through complaints, consent decrees, and various reports and other materials. The FTC’s jurisprudence has developed in some classic common law patterns, evolving from general to more specific standards, gradually incorporating more qualitative judgments, imposing certain default standards, and broadening liability by recognizing contributory liability.
In the future, the FTC can be even bolder. The FTC has built a foundation from which it can push more toward focusing on consumer expectations than on broken promises, move beyond the four corners of privacy policies into design elements and other facets of a company’s relationship with consumers, and develop and establish even more substantive standards.
Through a gradual process akin to the common law, the FTC has developed a federal body of privacy law, the closest thing the United States has to omnibus privacy regulation. Unlike the top-down approach of the European Union and many countries around the world, the FTC’s approach has been bottom-up – a series of small steps. Because of these modest movements, and the fact that the FTC’s privacy doctrines haven’t been developed in judicial decisions, they have been largely ignored by the legal academy and are also often underappreciated in the United States and abroad.
Taking stock of what the FTC has been doing, the doctrines it is developing, and the potential future directions it can take, reveals that the FTC at least deserves greater study and appreciation. The FTC is far more than a rubber stamp on self-regulation, and far more than a mere enforcer against broken promises. This article is hopefully the start of a more sustained examination of the FTC and the body of law it has developed and the future directions that law can take.
The authors note that
Because so many companies fall outside of specific sectoral privacy laws, the FTC is in many cases the primary source of regulation. FTC regulation is thus the largest and arguably the most important component of the U.S. privacy regulatory system. Despite this fact, there is surprisingly little scholarship about the FTC’s privacy regulation. The dearth of scholarship about the FTC stands in stark contrast to the enormous amount of scholarship about information privacy law. Why is the scholarship so disproportionate to the influence and importance of the FTC?
The most likely reason is that the FTC actions have nearly all ended in settlements rather than case law. This, too, is a curiosity in privacy law. Perhaps the single most important and widely-applying body of precedent that regulates privacy in the U.S. is not in the form of any traditional kind of privacy law, such as cases or statutes.
Another curiosity is privacy exceptionalism -- privacy policies began as stand-alone documents and are only just recently beginning to be incorporated into a website’s terms of use. Why is privacy separate from the rest of the terms? This curiosity becomes even more odd when coupled with an additional curiosity – the fact that contract law has barely played a role in governing civil disputes regarding privacy policy violations. Although privacy policies look like contracts, there are hardly even a handful of cases attempting to enforce privacy policies as contracts. In contrast, terms of use are clearly the province of contract law. Of course, both the FTC and contract law can regulate simultaneously, but why has privacy become so exclusively the province of the FTC? Moreover, the doctrines developed by the FTC sometimes are parallel with contract law but are not always. This body of doctrines is thus somewhat unique, a body of “law” unto itself. It is a new species that has yet to be classified in the legal taxonomy.
The result of all these oddities is that such a large domain of the U.S. privacy regulatory framework primarily consists of a relatively obscure body of doctrines that scholars have not analyzed in depth. Thus, it is often hard to characterize precisely what this large domain of regulation is, what precisely it says when viewed altogether, and where it is heading.