Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Since its creation to police the problem of corporate “bigness,” the FTC has become one of the most important regulators of information privacy.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Chris Jay Hoofnagle of the University of California, Berkeley, on the evolution of the FTC's enforcement powers over privacy and data security matters, as described in his new book, Federal Trade Commission Privacy Law and Policy. Hoofnagle, who is a member of the advisory board of Bloomberg BNA's Privacy & Data Security Law Report, also provides insights for lawyers on more effectively working with the FTC on privacy and data security matters.Bloomberg BNA:
Was there any real foresight about what the Federal Trade Commission might eventually expand to when it was created?Chris Jay Hoofnagle:
People in the U.S. wanted change at the turn of the century. Nineteenth century America was the last phase of a laissez-faire economy. The pathologies that arose from concentration and from new dynamics in the economy caused Congress to begin a radical set of experiments in regulating competition. Congress created the Interstate Commerce Commission, the Food and Drug Administration and the FTC. These experiments came about because of frustration and fear accompanying industrialization, but also because antitrust had become a popular movement—on par with health care or criminal justice reform today.
Not only was the FTC one of the first regulatory agencies in the U.S., it was also granted nearly comprehensive jurisdiction and a broad, undefined mandate to police competition. Although the FTC didn't formally get a consumer protection mandate until 1938, its first case concerned false advertising and technology. For the most part, Congress was complicit in this expansion, often by encouraging industry-specific investigations.
At about the same time that the FTC was created, newspaper and magazine publishers were successful in getting the Printers’ Ink model statute adopted. Like the FTC Act, the Printers’ Ink statues freed prosecutors from common law elements of proof in fraud cases, such as establishing economic harm, materiality, and reliance on a representation. It became clear that these elements were both increasingly difficult to establish, but also that dishonesty in sales had intangible, adverse effects on competition.
The FTC quickly sunk its hooks into many different industries. As time went on, Congress sometimes chastised the agency, but the overall trend was to empower the FTC to take on more responsibility for competition and consumer protection.Bloomberg BNA:
How did the FTC get into the business of privacy regulation?Hoofnagle:
Commercial espionage was the focus of some of the FTC’s first privacy cases in the 1910s. There is even an awkwardly-written consent decree ordering a company to not crash its trucks into competitors “at times when the automobiles of such competitor may be following the respondent.”
The first information privacy case came in 1951, when the FTC brought a matter against a company that helped creditors locate debtors by sending debtors postcards promising a free gift in exchange for their personal information. The FTC found this practice both unfair and deceptive. Privacy arose again in the 1970s, when the FTC found it unfair for tax return companies to sell information about taxpayers to third parties. Interestingly, federal law now allows this practice.
As time went on, Congress sometimes chastised the agency, but the overall trend was to empower the FTC to take on more responsibility for competition and consumer protection.
The FTC was ahead of the curve on turning to the Internet. It brought its first Internet fraud case in 1994, long before most people were online, and started saber rattling for privacy shortly after. In this, the FTC’s actions show the advantages of a broad, undefined mandate. The FTC was able to follow frauds from print, to radio, to television and then to the Internet on its own initiative.
The FTC began cajoling for privacy by focusing on children online. It released a public letter warning websites about deceptive games and other techniques used to elicit information from children. And then it started bringing cases. But on a larger level, European pressures from a 1995 directive required some U.S. institution to start regulating privacy. It was difficult to conceive of the U.S. as an adequate jurisdiction for Europeans’ data given that in the 1990s, we left even children’s privacy entirely to the market.Bloomberg BNA:
As the privacy mission has expanded—and morphed to also include data security—can you help us to categorize the areas of privacy that the FTC regulates?Hoofnagle:
The Fair Credit Reporting Act of 1970 (FCRA) made the FTC a natural venue for more privacy activities. Perhaps because of its age, the FCRA’s features and dynamics aren't appreciated. The FCRA is the first “big data” law in the U.S. It largely omits limits on collection in favor of procedural protections and limitations on how data can be used. Security was a major part of the FCRA, as Congress found that anyone who knew the “lingo” of consumer reporting could figure out how to get others’ reports without justification.
Starting with the FCRA, the FTC pursued a broad range of privacy activities, including financial privacy and debt collection (which flowed naturally from consumer reporting), children’s privacy, pursuit of anti-marketing laws (such as spam and telemarketing), policing of malware, prohibitions on spyware and other communications-surveillance products and a surprisingly broad array of online privacy cases. The FTC’s activities are notable because they often target the largest actors in the market. Privacy cases flow from the agency’s advertising matters. Privacy lawyers keep on talking about notice and choice, but the signals from advertising law point to the importance of consumer expectations rather than the details of the fine print.
The FTC’s turn to security is an interesting one. The first security initiatives were shepherded by Republican leadership. Security was a relatively uncontroversial topic for Bush-administration appointees to pursue. After all, one can't have privacy without security, and the more economically-inclined leadership of the time recognized that information security carried with it deep incentive conflicts. Simply put, one could have bad security and others might not notice. More often than not, one’s bad security could be passed off as externalities to others in the marketplace without detection. Former FTC Chairman Timothy J. Muris and former Bureau of Consumer Protection Direct Howard Beales recognized this, and interestingly, they used the more controversial unfairness authority to bring the first security cases. As the unfairness authority has come under more scrutiny, the FTC has used the language of deception in security cases. For instance, any banal statement about having “reasonable security” can trigger a deception action, but some cases are really just unfairness matters dressed up in the language of deception.Bloomberg BNA:
What do you see as the FTC’s weaknesses in terms of being able to be an effective privacy regulator and what can the commission do to address those issues?Hoofnagle:
There are two central weaknesses in the FTC’s privacy efforts. First, the FTC’s Bureau of Economics (BE) still operates in a pre-information-industry mindset. It has a fixation on price and on the information available to the consumer when she decides to enroll in a service. That approach is great for physical-world frauds, but when we think about privacy, we have to consider more than just the information available at enrollment. Personal information transactions are continuous ones, where lock-in, shifting policies and secrecy make it impossible to foresee the consequences of trading information.
It doesn’t work to talk tough with the FTC, that only causes staff to become more determined. As a lawyer, a conciliatory approach is more productive.
In the 1980s, the FTC brought in marketing professors who helped the agency better understand how consumers interpret ads. The FTC considers consumer expectations as the critical test in false advertising, and we hold deception in marketing as a per se wrong, even where consumers don't rely on the deception. The FTC needs a similar effort today to help the BE develop new theories that recognize the subtle but real injuries that can flow from information transactions.
Second, the FTC is conceived of as a consumer protection agency, but its formal mandate is to protect competition. By protecting competition, consumers enjoy greater choice. But what happens when the entire economy is organized around “surveillance capitalism,” the term Professor Shoshana Zuboff uses to describe companies such as Google and Facebook? The FTC can trim the most problematic activities from the edges of surveillance capitalism, but it can't strike at its heart. Even if most people find these practices objectionable, the FTC can't just ban business models.
Here again, the importance of the BE is paramount. It could explore ways to foster a market for privacy. The most important challenge comes in addressing industry players who don't have incentives to fairly use data. For instance, data brokers engage in practices, such as reverse data appends, that render consumers’ attempts of selective revelation ineffective. The BE could use its empirical might to study how these information flows in the data broker market undermine alternatives that could result in better incentives and business practices more in line with consumer preferences.Bloomberg BNA:
Do you have any tips for attorneys based on your years of experience interacting with the FTC on how they might be more effective advocates for their clients?Hoofnagle:
Relationships with staff are important, and may be more important than rubbing elbows with commissioners. The FTC staff have significant autonomy and play the lead role in choosing investigatory targets. Many staff stay for decades, while some commissioners don't even finish their term.
Following from that, it is important to know that one can persuade staff to stop an investigation. In the privacy area, staff are looking for precedent-setting cases, because the agency can only bring about 20 privacy and security cases a year. Investigations can go away where one can show that the snafu is ordinary, where the client acted quickly to remedy it, and where affected consumers have been made whole.
Understanding the FTC’s different divisions helps one see around corners. One main thesis of the book is that privacy approaches flow from precedent in false advertising cases. The different divisions learn from each other and borrow ideas that can be used in other cases. Thus, it is worthwhile to have a sense of the agency’s entire set of activities.
Finally, some lawyers like a pugilistic posture, but this almost always hurts the client. The FTC is a century-old institution and it has done battle with the biggest industries in the world economy. It doesn’t work to talk tough with the FTC, that only causes staff to become more determined. As a lawyer, a conciliatory approach is more productive.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)