FTC Privacy and Security Enforcement Actions
The Federal Trade Commission (FTC) serves as the primary federal agency responsible for enforcing privacy and data security standards in the private sector in the United States. Under Section 5 of the FTC Act, the Commission has authority to take action against companies engaging in 'unfair or deceptive acts or practices' in commerce. This broad mandate has become the cornerstone of privacy and security enforcement in the U.S.

**Deception-Based Actions:** The FTC pursues companies that make false or misleading claims about their privacy and data security practices. If a company's privacy policy promises certain protections but fails to implement them, the FTC can bring a deception claim. Notable cases include actions against Facebook, Google, and Snapchat for misrepresenting their data practices to consumers.

**Unfairness-Based Actions:** The FTC also takes action when a company's data practices cause substantial consumer injury that is not reasonably avoidable and not outweighed by benefits. This includes cases where companies fail to maintain reasonable data security measures, leading to data breaches. The landmark case *FTC v. Wyndham Worldwide* confirmed the FTC's authority to bring data security cases under its unfairness jurisdiction.

**Enforcement Mechanisms:** The FTC typically resolves cases through consent orders (consent decrees), which require companies to implement comprehensive privacy or security programs, undergo regular third-party assessments, and comply for 20 years. Violations of consent orders can result in significant civil penalties.
**Key Outcomes:** FTC enforcement actions have established de facto standards for reasonable data security and privacy practices. Companies are expected to implement appropriate safeguards, honor their privacy promises, provide consumer notice and choice, and minimize data collection.

**Limitations:** The FTC cannot impose fines for first-time violations (unless under specific statutes like COPPA), lacks direct rulemaking authority for general privacy rules (though this is evolving), and relies heavily on case-by-case enforcement rather than comprehensive regulation. Despite these limitations, FTC enforcement remains the most significant federal mechanism for holding private-sector organizations accountable for privacy and security failures.
FTC Privacy and Security Enforcement Actions: A Comprehensive Guide
Introduction
The Federal Trade Commission (FTC) is the primary federal agency responsible for protecting consumer privacy and data security in the United States private sector. Understanding FTC privacy and security enforcement actions is essential for anyone studying for the CIPP/US certification, as this topic sits at the heart of how the U.S. regulates private sector data practices in the absence of a comprehensive federal privacy law.
Why Is This Important?
The United States does not have a single, omnibus federal privacy law governing the private sector. Instead, the U.S. relies on a sectoral approach supplemented by the FTC's broad enforcement authority. This makes the FTC arguably the most influential privacy and data security regulator in the country. Here is why this matters:
• The FTC has brought hundreds of enforcement actions related to privacy and data security, establishing a body of "common law" of privacy through consent decrees and settlements.
• FTC enforcement actions shape industry best practices and set de facto standards for what constitutes reasonable privacy and security practices.
• Companies across all industries (except those regulated by other specific agencies, such as banks and common carriers) fall under the FTC's jurisdiction.
• The FTC's enforcement philosophy and resulting orders influence state-level enforcement and even international regulatory approaches.
• For CIPP/US exam candidates, this is a heavily tested area that requires understanding of both the legal authority and the practical application of FTC enforcement.
What Is FTC Privacy and Security Enforcement?
FTC privacy and security enforcement refers to the agency's use of its statutory authority—primarily under Section 5 of the FTC Act—to take legal action against companies that engage in unfair or deceptive practices related to the collection, use, disclosure, and protection of consumer data.
Key Legal Authority: Section 5 of the FTC Act
Section 5 of the FTC Act (15 U.S.C. § 45) prohibits:
1. Deceptive acts or practices: A representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances, and the representation, omission, or practice is material (i.e., likely to affect the consumer's conduct or decision).
2. Unfair acts or practices: An act or practice that causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves, and not outweighed by countervailing benefits to consumers or competition.
The Three-Part Test for Deception:
• There must be a representation, omission, or practice likely to mislead the consumer.
• The consumer's interpretation must be reasonable under the circumstances.
• The misleading representation, omission, or practice must be material.
The Three-Part Test for Unfairness:
• The practice causes or is likely to cause substantial injury to consumers.
• The injury is not reasonably avoidable by consumers.
• The injury is not outweighed by countervailing benefits to consumers or competition.
FTC Jurisdiction and Limitations
It is critical to understand the scope and limits of FTC authority:
• The FTC has jurisdiction over most commercial entities engaged in interstate commerce.
• Exceptions: The FTC does NOT have jurisdiction over banks (regulated by banking regulators), common carriers (regulated by the FCC), nonprofits (in most cases), insurance companies (regulated by states), and federal credit unions.
• The FTC cannot impose civil penalties for first-time violations of Section 5 (unless the violation is of a specific FTC rule). It typically seeks consent orders (consent decrees).
• If a company violates a consent order, the FTC can then impose civil penalties of up to $50,120 per violation (adjusted for inflation).
How Does FTC Privacy and Security Enforcement Work?
1. Identifying Potential Violations
The FTC identifies potential violations through several channels:
• Consumer complaints filed with the FTC
• News reports and media coverage of data breaches or questionable practices
• Referrals from other agencies, such as state attorneys general
• The FTC's own monitoring and investigative activities
• Congressional referrals or requests
2. Investigation
The FTC conducts investigations using its authority to issue Civil Investigative Demands (CIDs), which are similar to subpoenas and can compel production of documents, written responses to questions, and oral testimony.
3. Resolution Mechanisms
Most FTC privacy and security cases are resolved through one of the following:
• Consent Orders (Consent Decrees): These are negotiated settlements where the company agrees to specific terms without admitting liability. This is the most common outcome. Consent orders typically last 20 years and may include requirements for comprehensive privacy or security programs, regular third-party assessments, reporting requirements, record-keeping obligations, and sometimes monetary penalties or consumer redress.
• Administrative Litigation: The FTC can file an administrative complaint and litigate the case before an administrative law judge within the FTC.
• Federal Court Litigation: The FTC can file suit in federal district court, typically seeking injunctive relief and, where authorized, monetary remedies.
4. Landmark Enforcement Actions
Understanding key FTC enforcement actions is essential for the exam:
Deception Cases:
• In the Matter of Eli Lilly (2002): Eli Lilly disclosed email addresses of Prozac users through a programming error. The FTC found the company's privacy promises were deceptive because it failed to implement adequate security measures as promised.
• In the Matter of Gateway Learning (2004): Gateway changed its privacy policy retroactively and applied new, less protective terms to data already collected, which the FTC deemed deceptive.
• In the Matter of Snapchat (2014): Snapchat promised messages would disappear but they could actually be saved. The FTC found this deceptive.
• United States v. Facebook (2019): Facebook was fined $5 billion for violating a 2012 consent order regarding its privacy practices, the largest FTC privacy fine ever imposed.
Unfairness Cases:
• FTC v. Wyndham Worldwide (2015): This landmark case established that the FTC can use its unfairness authority to bring data security enforcement actions. Wyndham challenged FTC jurisdiction, but the Third Circuit Court of Appeals upheld the FTC's authority, finding that failing to maintain reasonable data security could constitute an unfair practice under Section 5.
• In the Matter of BJ's Wholesale Club (2005): The FTC brought an unfairness action against BJ's for failing to protect customer credit and debit card data.
• In the Matter of LabMD (2016): LabMD challenged the FTC's authority, and the Eleventh Circuit eventually vacated the FTC's cease and desist order, finding it too vague. This case is important because it highlighted limits on the FTC's unfairness authority in data security cases.
Children's Privacy (COPPA):
• United States v. TikTok (Musical.ly) (2019): TikTok was fined $5.7 million for collecting personal information from children under 13 without parental consent, violating COPPA.
• United States v. Google/YouTube (2019): Google was fined $170 million for collecting children's data through YouTube without parental consent.
5. Key Themes in FTC Enforcement
The FTC's enforcement actions have established several important principles:
• Broken promises = deception: If a company makes a privacy or security promise and fails to keep it, the FTC will likely find this deceptive.
• Retroactive material changes to privacy policies: Applying new, less protective privacy terms to previously collected data is deceptive.
• Reasonable security is required: Companies must maintain reasonable security measures appropriate to the sensitivity and volume of data they handle.
• Privacy by design: The FTC encourages building privacy protections into products from the outset.
• Data minimization: Collecting only the data reasonably needed for legitimate business purposes.
• No requirement for actual harm in deception cases: The FTC does not need to prove actual consumer harm for deception—only that the practice is likely to mislead.
• Unfairness requires substantial injury: For unfairness claims, the FTC must demonstrate substantial injury (or likelihood thereof) that is not reasonably avoidable and not outweighed by benefits.
6. The FTC's Approach to Data Security
The FTC has never issued a specific, prescriptive rule defining what constitutes "reasonable security." Instead, it takes a process-based approach, expecting companies to implement a security program that is:
• Appropriate to the company's size and complexity
• Appropriate to the nature and scope of the company's activities
• Appropriate to the sensitivity of the data at issue
Common security failures cited in FTC actions include:
• Failure to encrypt sensitive data
• Failure to use reasonable access controls
• Failure to deploy and update antivirus software
• Failure to adequately train employees
• Failure to conduct security assessments
• Using default or easily guessable credentials
• Storing sensitive data longer than necessary
• Failing to implement reasonable oversight of service providers
7. FTC Privacy Framework (2012 Report)
The FTC issued a privacy report in 2012 that outlined its recommended framework for commercial data privacy. Key recommendations include:
• Privacy by design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
• Simplified consumer choice: Companies should simplify consumer choice regarding data practices. For practices that are not consistent with the context of a transaction or a consumer's existing relationship with a business, companies should provide clear and conspicuous choices.
• Greater transparency: Companies should increase the transparency of their data practices, including providing reasonable access to consumer data, providing clear and prominent privacy notices, and engaging in consumer education.
8. Health Breach Notification Rule
The FTC also enforces the Health Breach Notification Rule, which requires vendors of personal health records and related entities (not covered by HIPAA) to notify consumers following a breach of unsecured health information. Recent enforcement actions under this rule, such as those against GoodRx and BetterHelp, have expanded the interpretation of "breach" to include unauthorized disclosures of health data to advertisers.
9. Recent Developments
• The FTC has increasingly focused on algorithmic accountability, requiring companies to delete not only improperly collected data but also algorithms and models derived from that data (e.g., Everalbum, Weight Watchers/Kurbo).
• The FTC has expanded enforcement related to dark patterns—manipulative design practices that trick consumers into making choices they would not otherwise make.
• Increased scrutiny of data brokers and the sale of location data.
• The FTC has proposed strengthening COPPA protections and has signaled interest in commercial surveillance rulemaking.
Exam Tips: Answering Questions on FTC Privacy and Security Enforcement Actions
Tip 1: Master the Deception vs. Unfairness Distinction
This is one of the most frequently tested concepts. Be sure you can clearly articulate the elements of each theory. Remember: deception involves misleading representations or omissions; unfairness involves substantial injury. Many questions will present a scenario and ask which theory applies. If a company broke a privacy promise, think deception. If a company had poor security with no specific promise, think unfairness.
Tip 2: Know the Three-Part Tests
Be able to recite and apply both the three-part test for deception and the three-part test for unfairness. Exam questions often test whether you can correctly identify which element is or is not satisfied in a given scenario.
Tip 3: Understand Jurisdictional Limits
Remember the entities the FTC does NOT have jurisdiction over: banks, common carriers, nonprofits (generally), insurance companies, and federal credit unions. If an exam question involves a bank or telecommunications common carrier, the FTC likely does not have jurisdiction.
Tip 4: Know the Remedies
The FTC generally cannot impose monetary penalties for first-time Section 5 violations (without a specific rule violation). It typically enters consent orders. Penalties come for violating consent orders or specific FTC rules (like COPPA). The Facebook $5 billion fine was for violating a prior consent order.
Tip 5: Recognize Landmark Cases
Be familiar with key cases like Wyndham (unfairness authority for data security), LabMD (limits on FTC unfairness authority), Facebook (consent order violations), Snapchat (deceptive disappearing messages), and Gateway Learning (retroactive privacy policy changes). The exam may reference these by name or describe their facts.
Tip 6: Understand "Reasonable Security"
The FTC does not prescribe specific security measures. It uses a reasonableness standard that considers the size and complexity of the business, the nature of its activities, and the sensitivity of the data involved. If a question asks about specific security requirements, remember the FTC approach is flexible and process-based, not prescriptive.
Tip 7: Remember the Privacy Framework Principles
Privacy by design, simplified consumer choice, and greater transparency are the three pillars of the FTC's 2012 privacy framework. These appear frequently in exam questions.
Tip 8: Pay Attention to COPPA Enforcement
COPPA violations are enforced by the FTC and carry civil penalties. Know the basic COPPA requirements (parental consent for children under 13, verifiable parental consent mechanisms, etc.) and the fact that the FTC can impose monetary penalties for COPPA violations directly, unlike general Section 5 first-time violations.
Tip 9: Watch for Algorithmic Destruction Remedies
A newer exam topic involves the FTC requiring companies to delete algorithms built from improperly collected data. This represents an expansion of traditional remedies and is increasingly appearing on exams.
Tip 10: Read Questions Carefully
Many FTC-related exam questions are scenario-based. Read the facts carefully to determine: (1) Does the FTC have jurisdiction? (2) Is the theory deception or unfairness? (3) What remedy is appropriate? (4) Are there specific FTC rules (like COPPA or the Health Breach Notification Rule) that apply?
Tip 11: Understand the Role of State AGs
While focusing on the FTC, remember that state attorneys general also have enforcement authority under state consumer protection laws (often called "mini-FTC Acts" or UDAP statutes) and may enforce federal laws like COPPA. The FTC and state AGs sometimes coordinate enforcement efforts.
Summary
The FTC serves as the de facto national privacy and data security regulator in the United States. Through its Section 5 authority over deceptive and unfair practices, the FTC has built a substantial body of enforcement precedent that defines expectations for commercial data privacy and security. For the CIPP/US exam, mastering the distinction between deception and unfairness, understanding the FTC's jurisdiction and remedies, and knowing key enforcement actions are all critical to success. Focus on applying these principles to fact patterns, as the exam heavily tests practical application rather than mere memorization.