Co-authored with Daniel Solove.
The Federal Trade Commission (FTC) recently entered into a consent order with the media service Snapchat for not living up to its promises about how it maintains the privacy and security of user’s data. The FTC order prohibits Snapchat from “misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information” and requires the company “to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.”
In a post titled Will a Government Settlement Improve Snapchat’s Privacy? Don’t Count on It, Farhad Manjoo at the New York Times slams the FTC for not being harder on Snapchat. He views FTC consent orders as imposing weak penalties and proscriptive measures, serving “mainly to add a veneer of legitimacy over whatever moves the companies planned to make anyway.”
Consent orders such as the one involving Snapchat have been the cornerstone of the FTC’s regulation of privacy and data security. Over the past 20 years, the FTC has regulated privacy and data security by filing complaints against companies that allegedly engage in unfair or deceptive trade practices. Almost every complaint the FTC has filed has settled, resulting in a consent order, which is essentially a contract between the company and the agency outlining remedial measures and without a company having to concede liability for a legal violation.
As with many FTC cases, privacy advocates and journalists have expressed frustration and concern over whether these consent orders are effective in correcting and preventing privacy harms.
In the rare instance these FTC settlement result in a financial penalty, these penalties are generally quite low in proportion to the wealth of the companies. The consent orders usually seem to merely require the company to sin no more. Are these orders just a slap on the wrist? For many, they appear to be just a speeding ticket. How can the FTC be effective this way? Why would a company worry about the FTC?
The odd thing, though, is that companies do worry about the FTC. A lot. Why?
In talking about this settlement with others, it became clear to us that there is some mystery surrounding these consent orders. What is included in them? Are they burdensome? Why not fine these companies instead? When fines are issued, why are they so small?
In our recent article in the Columbia Law Review, The FTC and the New Common Law of Privacy, we present a comprehensive discussion of how the FTC enforces privacy and data security. Here is a short summary of the components of an FTC privacy or data security consent order.
1. Prohibitions on Wrongful Activities
The heart of a privacy-related FTC consent order is the prohibition on future wrongful activities. Generally speaking, companies that enter into a settlement agreement with the FTC are barred from engaging in the activities that were the subject of the FTC’s complaint. The FTC appears to strive for proportionality between the alleged wrongdoing and the restricted activity.
2. Fines and Other Monetary Penalties
The FTC doesn’t fine companies because it does not have the authority to do so under the statute that enables the agency to police unfair and deceptive business practices (Section 5 of the FTC Act). While the FTC can fine companies for violating the terms of the consent order, these fines cannot be punitive, but rather must be proportional to the amount of harm. It is worth noting that the FTC does have the authority to levy fines under various statutory regimes such as the Gramm–Leach–Bliley Act (GLB).
3. Consumer Notification and Remediation
In many instances, the FTC has required a company to notify customers of its wrongdoing and even offer some form of redress. For example, in FTC v. Frostwire, LLC, a company had to deploy patches to previous versions of its software to remedy problematic user interfaces and default settings that rendered many of its consumers’ files publicly accessible. Similarly, in In re Sony BMG Music Entertainment, Sony had to uninstall problematic software it had installed on users’ computers. Other companies agreed to offer refunds to consumers for products associated with misrepresentation.
4. Deleting Data or Refraining from Using It
The FTC has regularly attempted to mitigate the potential harm from wrongfully collected personal information by including in settlement orders requirements to delete or refrain from using that information. The requirement to delete wrongfully collected information is almost always included in settlements involving violations of the Children’s Online Privacy Protection Act (COPPA). Yet non-COPPA-related defendants, particularly those accused of collecting personal information through generally deceptive means or “inducement,” have also agreed to delete wrongfully obtained consumer data.
5. Making Changes in Privacy Policies
6. Establishing Comprehensive Programs
In several instances, the FTC has required companies to establish a comprehensive security, privacy, or data-integrity program. For example, in In re HTC America Inc., the company had to establish a “comprehensive security program” that was “fully documented in writing” and had to “contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered device functionality or covered information.”These particular safeguards may include risk assessments, employee training, and responsibility for security, among other things.
The FTC has also mandated that companies establish a “comprehensive privacy program.” For example, in the Google Buzz consent order, Google agreed to establish and implement a “comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers and (2) protect the privacy and confidentiality of covered information.” The specifics of the program were similar to those in a comprehensive security program, such as requirements to identify risk, train employees, appoint a responsible coordinator of the program, and engage in regular evaluations of the program. Google also agreed to obtain program assessments from “a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.” Facebook agreed to a similar privacy program in its consent order.
7. Assessments by Independent Professionals
Those accused of unfair or deceptive security practices often agree to biennial assessments by an independent professional to ensure compliance with the order. The auditors’ biennial reports must be made available to the FTC for two decades, and companies that fail to do so risk further penalty.
8. Recordkeeping and Compliance Reports
Virtually every company that settled with the FTC agreed to engage in some kind of regular recordkeeping to facilitate the FTC’s enforcement of the order. In many instances, the company also agreed to regular reporting requirements.
9. Notification of Material Changes Affecting Compliance
Companies also are usually under the obligation to alert the FTC of any material changes in their organization that might affect compliance obligations, including “a dissolution, assignment, sale, merger, orother action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; [or] the proposed filing of a bankruptcy petition.” This notification is important given the privacy interests related to data sets and their commercial treatment as something to be collateralized.
* * *
Critics of the FTC might still find these components to not be potent enough. Why is the FTC so feared? One of the main reasons is that the FTC consent orders often last 20 years. During this period, companies must be audited by an independent auditor, and that can be quite costly and time-consuming. And 20 years is an eternity. Think back 20 years – that’s 1994! Hardly any companies were doing business on the Internet back then.
Another reason companies fear these consent orders is that if they are liable for breaching them for up to $16,000 per customer harmed per violation. Thus, these agreements give the FTC considerably more power over a company once the agreement has been signed.
Moreover, these orders can directly change the bad behavior of a company in ways a fine might not accomplish. A comprehensive program is a very effective tool for protecting privacy or data security within a company. Protecting data involves creating a culture and promoting awareness. Someone must own the issue. Good programs go a long way toward improving the way companies protect privacy and data security. Laws are not self-executing, and companies need the appropriate internal mechanisms to comply with them.
The FTC isn’t perfect and there are certainly ways it might strengthen its enforcement. But these facts do not imply that the FTC lacks effectiveness in its enforcement.