The FTC is the leading privacy and security regulator in the U.S. says Daniel J. Solove, a professor at George Washington University Law School who runs a privacy and security training company called TeachPrivacy and organizes the The Privacy + Security Forum conference. Although there is hardly any case law, Solove noted in presenting this webinar, the FTC looms large in practice.
“We’ve seen a huge rise in privacy policies,” Solove says.
In the late 1990s and early 2000s, a debate was raging about how personal information would be protected online. It was argued that self-regulation would work. As a result, companies began to self-regulate their privacy practices by creating their own policies.
In 1999 a law review article compared privacy policies to contracts and therefore, it stated, privacy policies should be under contract law. But there were hardly any contract lawsuits – only a handful were actually brought to court.
The FTC had already begun enforcing privacy and security starting in the mid-90s. Section 5 of The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Section 5 of the law covers a broad range of potential privacy violations and in this way the FTC gave legitimacy to a self-regulatory regime by providing oversight and enforcement.
The FTC also has enforcement power beyond Section 5. Today, the FTC shares its enforcement power with other agencies, and assists those agencies in enforcing laws including the Fair Credit Reporting Act (FCRA), Gramm-Leach Bliley Act (GLBA), Children’s Online Privacy Protection Act (COPPA) and US-EU Safe Harbor Arrangement.
So, what can we make of all this? Solove says we’re witnessing common law develop. Now we have numerous examples of how the FTC defines “deceptive and unfair” practices as well as other case lessons that companies can learn from.