Why We Don't Need the FTC on Big Data Lifeguard Duty
Federal Trade Commission Chairman Edith Ramirez is blowing the whistle on companies swimming in the big-data sea.
In an Aug. 19, 2013 address to the Technology Policy Institute Aspen Forum, FTC Chairman Edith Ramirez suggested that the FTC should employ its authority to regulate the evolution of Big Data in the interest of consumer privacy "to ensure that these advances [in data collection and use] are accomplished by sufficiently rigorous privacy safeguards."
Ramirez likened her role to that of lifeguard: "Like a vigilant lifeguard, the FTC's job is not to spoil anyone's fun but to make sure that no one gets hurt. With big data, the FTC's job is to get out of the way of innovation while making sure that consumer privacy is respected." The rest of her speech, however, suggested not recommendations of best practices or industry guidance, but what could be interpreted as mandates for industry. She also opined that consumers are in fact harmed when companies gather more data than they need and do not give consumer's meaningful choice prior to collection and at the point of collection. Proving actual harm is a requirement of the FTC's unfairness authority.
Section 5 of the FTC Act gives the FTC authority over both deceptive and unfair acts or practices
in commerce. Use of the unfairness authority has long been a controversial issue. So much so that in the 1970s Congress reined in unfairness authority by requiring the FTC to establish, in each case:
- an act or practice likely to cause substantial harm or injury to consumers
- that injury is not reasonably avoidable
- that injury is not outweighed by countervailing benefits to consumer or competition.
The invocation of the unfairness authority to consumer data privacy unrelated to credit or employment decisions -- after years of the FTC stating it lacked a basis to apply it in that context --should be cause for concern. "Unfairness" is not a clear standard sufficient to give companies notice of what they can and cannot do with respect to consumer privacy and its application to big data would allow the FTC to essentially create law without the clear authority or direction of Congress and outside of the FTC rule making process, which requires a finding of "substantial evidence" that a regulated unfair or deceptive practice is "prevalent in the market," and a more exacting notice and public comment process than applies to other federal agencies.
Bringing unfairness actions on a case-by-case basis in the absence of definitive laws or rules is disruptive to industry and implicates issues of notice and due process, or rather the lack thereof. Deception, the other FTC Act Section 5 authority, is pretty clear cut and companies are more hard pressed to argue they lack notice of the rules of the road – don't make privacy representations that are not true or are misleading.
Unfortunately, in the absence of data privacy and security laws passed by Congress, or proper rulemaking by the FTC, we are left with FTC recommendations, guides, reports and policy statements, which are not law -- and consent orders from FTC settlements with individual defendants that chose to resolve rather than fight FTC investigations. Technically, there should not be a common law built on FTC consent orders, in the same way judicial precedent builds the common law. That is not the way executive branch and administrative law are supposed to operate.
But, the FTC tried to effect such a result when it sought to impose heightened claims-substantiation
standards on the food and dietary-supplements industry in 2010, which was rejected by an
administrative law judge when challenged by POM Wonderful.
Of course, we all look to consent orders for direction on what is and is not appropriate, notwithstanding that the FTC is really just exercising "fencing in" of a specific alleged bad actor through a settlement. In such cases, the agency requires well more than the law calls for through the resolution of some other violation of law, usually a misrepresentation that established a deception violation. A suggestion that the FTC may take such an approach to establishing industry standards rather than merely recommended best practices with regard to consumer privacy is disturbing.
This is one of the key complaints of Wyndham Hotels in its challenge of the FTC's authority to regulate a breach of data security. Whether or not Wyndham is successful, its challenge to FTC unfairness authority, and to essentially regulation by enforcement actions and consent orders rather than legislation or administrative rule making, is very important. It may serve to check the creeping expanse of authority of the current FTC in the area of consumer protection where there is no Congressional mandate and no process for vetting what makes good public policy in the open light through a full rulemaking process.
Most companies do not put the FTC to the test of establishing that a putative "unfair" practice is likely to cause substantial and unavoidable harm or injury to consumers not outweighed by countervailing benefits to consumer or competition. When it comes to online behavioral advertising and consumer privacy, meeting this high standard of harm seems a difficult feat if tested. Certainly more difficult than, for instance, in cases where consumer credit card and other sensitive financial data was hacked due to security standards far below industry custom and practice.
The FTC should maintain its course of recommending privacy best practices, encouraging industry self-regulation, bringing deception cases and enforcing laws where Congress has given it specific authority like the Children's Online Privacy Protection Act and the Fair Credit Reporting Act. If a national legal standard for data privacy and security is to be set, it is the role of Congress and not the executive branch to develop that policy. However, Chairwoman Ramirez seems to be signaling a willingness to step in and fill the void left by Congressional inaction and to do so by bringing "unfairness" claims against individual companies. Accordingly, companies should be looking at the FTC's privacy best practice expressions, such as in its 2012 Privacy Report (cited approvingly by Ms. Ramirez in her speech) or else be prepared to challenge them as less than required in a potential unfairness enforcement action.
Alan L. Friel is a partner at Edwards Wildman. The opinions expressed here are that of the author and not necessarily that of Edwards Wildman or its clients.