On February 26, 2015, Jessica L. Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission, spoke at the BakerHostetler Symposium on Section 5 of the FTC Act on how the FTC approaches privacy and data security. Director Rich’s comments on this subject were particularly timely, with the Third Circuit poised to hear argument in March regarding the FTC’s authority to challenge the reasonableness of an organization’s cybersecurity practices under the unfairness prong of Section 5.
Director Rich’s presentation echoed many familiar themes that the FTC has emphasized in its privacy and data security enforcement and education efforts over the last several years. Director Rich began her remarks by stating that Section 5 of the FTC Act grants flexibility to the FTC in addressing the rapidly changing economy. Pursuant to Section 5 of the FTC Act, the Commission seeks “prevent persons, partnerships, or corporations [under the FTC’s purview] . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” Federal Trade Commission Act § 5, 15 U.S.C. § 45. At the time the statute was enacted, the technological and digital explosion was not on Congress’s radar, but Section 5 has become the source of authority cited by the FTC in its enforcement efforts in the data privacy sphere.
Director Rich identified certain new concerns. She noted that data is now being stored for longer periods of time and may not be secure, and businesses and individuals are now using this data in myriad ways that are not necessarily known to consumers. Data brokers and other entities that are not consumer-facing are collecting and aggregating data behind the scenes in ways that consumers cannot necessarily control. Director Rich continued, saying that, even when privacy policies are established, as the FTC expects, the language is often lengthy and hard for consumers to understand. Given these concerns, the FTC uses Section 5 to address situations where a business or entity using or collecting data is doing so in a manner that the Commission maintains is “unfair or deceptive.”
According to Director Rich, when the FTC seeks to utilize its Section 5 powers, it goes back to the basics of its Section 5 authority, and is looking to check that companies are following six general guidelines:’
- Tell the truth about data privacy practices.
- Keep promises made to consumers.
- Do not imply more protections are in place than truly are. (For example, a company should not state that it does not collect health data, then define “health data” extremely narrowly.)
- Do not bury disclaimers in long privacy policies or other statements.
- Do not collect more information than is actually needed.
- Store data in a secure manner, especially if it is sensitive data.
Director Rich pointed to actions against TRENDnet, Inc.; Craig Brittain; and LeapLab, among others, as examples of enforcement efforts where the FTC is applying these criteria in the privacy and data security area.
Moving beyond the general application of Section 5 enforcement power, Director Rich addressed more specific issues, including data breaches and privacy policies. With respect to data breaches, Director Rich first recognized a universal truth: there is no such thing as perfect data security. The key touchstone for the FTC is, instead, the reasonableness of the security efforts. The existence of a data breach does not, alone, prove the existence of Section 5 violations. While the FTC considers the breach as a factor, particularly where multiple breaches have occurred, the core considerations are the surrounding circumstances. The FTC cares more about the reasonableness of the security practices at the time of the breach and will center investigations on factors such as whether the company was training employees, limiting access to the data at issue, and responding to developing concerns as they arose in the normal course of business.
On the privacy front, Director Rich stated that companies should endeavor to provide disclosures that are full and complete as well as user-friendly. Director Rich noted that the FTC has issued guidance on how to strike the right balance through staff reports, including those on mobile issues (Mobile Privacy Disclosures: Building Trust Through Transparency) and on the Internet of Things (Internet of Things — Privacy & Security in a Connected World). Director Rich particularly advocated the use of just-in-time disclosures in which businesses and entities disclose their data security practices at the point that the consumer enters the data.