From LabMD to AMG: Where Should the FTC Go From Here?

in Cybersecurity/Government/Public Policy/Technology/Trade/Volume V

By Lauren Dickstein

Have you ever agreed to a company’s privacy policy, had blood work tested by a lab, or purchased something online? If so, your personal information, or “data,” has been subject to regulation by the Federal Trade Commission (“FTC”). Today’s data-driven services and products promise to improve consumers’ lives by saving time and money or even improving well-being, but that prospective upside comes with many risks imposed by the companies that collect the data.[1] Data privacy matters more than ever: using digital technologies is an essential part of navigating modern life, and as a result it is practically impossible to go about daily life without commercial entities collecting one’s data.[2]

Today, companies gather individuals’ data on a “hyper-granular level” by tracking more than just what someone purchases.[3] Companies can track an individual’s keystroke usage, the amount of time their mouse hovered over a certain item, and all the items they viewed before deciding to buy something.[4] Further, with the digitalization of America’s economy and the increased reliance on technology to carry out personal daily tasks, the scope of information available to data collection companies has grown dramatically.[5] As a result, companies can aggregate data collected on specific individuals across domains and devices to create what are essentially “comprehensive user profiles” which can then be exploited to target people.[6]

Most American consumers understand the risks involved with using data-driven technologies and are concerned about how their data is collected and used, but they may be less informed about the body of law employed to “protect” and regulate their intimate information,[7] such as identification information, political affiliations, health conditions, and more. One study showed that 63% of Americans reported understanding little to nothing about the laws and regulations that are supposed to protect their personal information.[8] Moreover, roughly 80% of Americans reported feeling little or no control over how companies collect their data and use their personal information, and believed that the risks of companies collecting their data outweigh the benefits.[9]

What is the FTC?

Although data production, collection, and use are at the forefront of Americans’ lives, no comprehensive federal law governs data privacy.[10] In fact, the Supreme Court has interpreted the constitutional right to privacy as protecting only against intrusions by the government, not by private actors.[11] Within the constraints imposed by the Constitution, Congress has enacted a variety of federal laws that afford statutory protection to individuals’ personal information.[12]

The FTC plays a vital role in consumer protection and in enforcement actions related to data protection.[13] It is an independent, bipartisan agency of the U.S. government[14] with authority to take enforcement action in the area of consumer protection.[15] The FTC was created in 1914 when President Woodrow Wilson signed the FTC Act into law as part of the administration’s “trust-busting efforts,” aimed at breaking up monopolies and trusts to ensure a strong, competitive market.[16] The FTC Act was part of a late 19th- and early 20th-century movement in Congress to use commissions instead of courts to regulate business conduct.[17] Regulatory agencies, or commissions, were considered more consistent, efficient, and specialized in their decision-making than the more cumbersome and inconsistent processes of the courts.[18]

In 1938, Congress passed the Wheeler-Lea Act, which expanded the FTC’s authority under Section 5 of the FTC Act to cover consumer protection by prohibiting “unfair or deceptive acts or practices” in commerce.[19] This amendment is critical because it extended the FTC’s jurisdiction to protecting individual consumers directly, rather than only indirectly through the prohibition of unfair methods of competition and the enforcement of antitrust laws.[20]

This article focuses on the significance of two cases brought by the FTC in an effort to fulfill its mission of protecting consumers by eliminating unfair and deceptive business practices. Although the FTC has been the most prominent agency governing privacy policy and consumer protection since the 1970s,[21] its authority is still challenged in the courts, which have the final say over how that authority is construed. After examining the two cases and their implications, this article discusses measures that could encourage companies to comply with the data security and privacy measures that the FTC has determined would protect consumers.

The Basis for FTC Enforcement Authority

Broadly speaking, the FTC has rule-making, investigative, and enforcement authority.[22] Section 5(a) of the FTC Act declares “unfair or deceptive acts or practices in or affecting commerce” unlawful.[23] An act or practice is “unfair” when it (i) causes or is likely to cause substantial injury to consumers, (ii) cannot be reasonably avoided by consumers, and (iii) is not outweighed by countervailing benefits to consumers or to competition.[24] An act or practice is “deceptive” when (i) a representation, omission, or practice misleads or is likely to mislead the consumer, (ii) the consumer’s interpretation of the representation, omission, or practice is reasonable under the circumstances, and (iii) the misleading representation, omission, or practice is material.[25] If, after an investigation, the FTC has “reason to believe” the law has been violated, it can take enforcement action either administratively, under Section 5(b), or judicially, under Section 13(b).[26]

Under Section 13(b), the FTC may seek preliminary and permanent injunctions directly in federal court to remedy a violation of “any provision of law” it enforces, without first making a final administrative determination that the challenged act or practice is unlawful.[27] If the FTC has “reason to believe” that a party is violating, or is about to violate, a law it enforces, it can ask a district court to enjoin the allegedly unlawful conduct pending the completion of an FTC administrative proceeding to determine the conduct’s legality.[28]

Two Significant Cases for the FTC

A. Background

In 2014, after some 50 data security settlements had been reached through FTC action, the FTC stated that the “touchstone” of its data security approach is “reasonableness,” meaning a company’s data security measures must be “reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”[29] Later, in 2021, the FTC amended its Standards for Safeguarding Customer Information (the “Safeguards Rule”) to further explain what “reasonableness” means, reflect modern data security principles, and provide better guidance to companies.[30] The Safeguards Rule requires financial institutions subject to FTC jurisdiction to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”[31] Section 314.4 of the Safeguards Rule sets forth nine elements a company’s information security program must include to meet the FTC’s security objective,[32] among them a written risk assessment, access controls and encryption of customer information in transit and at rest, multi-factor authentication, regular testing or continuous monitoring, staff training, oversight of service providers, and a written incident response plan.

A retrospective multi-case study of FTC enforcement actions from 1999 to 2008, which traced the evolving meaning of “reasonable security” across those 10 years, found that the FTC’s data security focus shifted from consent and notification toward information-handling requirements governing access, encryption, and retention.[33] Although the FTC has articulated standards for “reasonableness,” its orders can be struck down by courts that find the FTC has exceeded its power or has demanded something of a company too ambiguous to enforce.[34] This could have a detrimental impact on the FTC’s ability to effectuate the meaningful remedies it seeks.

B. LabMD v. FTC

In August 2013, the FTC filed an administrative complaint against LabMD under Section 5 of the FTC Act, alleging that LabMD had engaged in an “unfair act or practice” by maintaining an inadequate data security program that resulted in unauthorized access to patients’ information.[35] After an administrative proceeding, the FTC issued a final cease and desist order requiring LabMD not only to notify affected consumers but also to create a “comprehensive information security program.”[36] Throughout, LabMD faced two choices: sign a consent decree or contest the charges in court.[37] LabMD chose to petition the Eleventh Circuit to vacate the FTC’s order on the ground that the order was unenforceable.[38]

LabMD was a medical laboratory that conducted diagnostic cancer testing and therefore handled very sensitive patient information.[39] It provided physicians with diagnoses based on a combination of patients’ specimen samples and relevant patient information.[40] A LabMD employee had installed a peer-to-peer (“P2P”) file-sharing application on her work computer to download music; the application also made files stored on that computer available to other users of the P2P network, and in 2009 the FTC discovered that LabMD’s personally identifiable patient information was publicly available on the network.[41] In an inquiry to determine whether the sensitive information had been disclosed because of a failure to have reasonable security measures, in violation of Section 5, the FTC obtained a 1,718-page spreadsheet (the “1,718 File”) containing information on approximately 9,300 LabMD consumers, including Social Security numbers and health insurance information.[42] Tiversa, a data security company, had acquired the 1,718 File in 2008 and shared it with the FTC after LabMD declined to purchase Tiversa’s security remediation services.[43]

The Eleventh Circuit assumed, without deciding, that LabMD’s failure to maintain reasonable data security measures constituted an unfair practice, but it vacated the FTC’s cease and desist order because the order was not “sufficiently specific to be enforceable.”[44] Rather than directing LabMD to stop a specific act or practice, the order required LabMD to overhaul its data security program to meet “an indeterminable standard of reasonableness,” which the court held unenforceable.[45]

This decision is significant because, at the time LabMD was offered a settlement, the FTC had brought over 60 cases related to data security and information privacy, and every company involved had settled and signed a consent decree, typically requiring 20 years of security audits and monitoring.[46] LabMD’s owner, Michael Daugherty, was reluctant to sign. Although settling would have been the “path of least resistance,” letting him focus on the future of his business, and settlements generally did not require an admission of wrongdoing, the FTC publishes its consent decrees and announces them in press releases, building a body of precedent that signals what conduct it considers unfair or deceptive.[47] Daugherty feared that signing the consent decree would “kill his business” by suggesting to doctors that LabMD had been “lax” in protecting its patients’ data.[48]

The decision could significantly curtail the FTC’s data security enforcement power because many of the FTC’s existing privacy consent orders contain similar requirements that companies implement comprehensive information security programs, like the one demanded of LabMD.[49] With the Eleventh Circuit’s decision standing, the FTC’s remedial powers could dwindle as companies under existing settlements that require “comprehensive information security programs” consider whether those decrees are enforceable.[50]

C. AMG Capital Management v. FTC

The FTC may also have trouble obtaining monetary relief for consumers harmed by companies’ deceptive or unfair business practices. In April 2021, the Supreme Court ruled that the FTC cannot seek equitable monetary relief, such as refunds to consumers, in federal court under Section 13(b) of the FTC Act.[51] The decision effectively reversed four decades of case law under which the FTC had returned billions of dollars to harmed consumers.[52] Section 13(b) had been an essential tool in the FTC’s enforcement mission, and the FTC believes recent judicial decisions have weakened its ability to protect consumers.[53] As discussed above, Section 13(b) explicitly authorizes the FTC to seek injunctive relief but does not explicitly address whether the FTC may also seek equitable monetary relief.[54]

The AMG litigation began in 2012, when the FTC filed suit in federal court, rather than using its own administrative process, alleging that defendant Scott Tucker and his companies were engaging in “unfair or deceptive acts or practices” in violation of Section 5(a) of the FTC Act.[55] Tucker controlled various companies that made short-term payday loans whose fine print provided that loans would automatically renew unless customers took affirmative steps to opt out.[56] From 2008 to 2012, Tucker’s companies made more than 5 million payday loans, resulting in more than $1.3 billion in deceptive charges to unwitting consumers.[57] Relying on Section 13(b), the FTC asked the court both to issue a permanent injunction barring Tucker from committing future violations and to order monetary relief in the form of restitution and disgorgement.[58] The district court granted the injunction and ordered Tucker to pay $1.27 billion in restitution and disgorgement.[59] The court directed the FTC to use the $1.27 billion first to provide “direct redress to consumers,” then to provide “other equitable relief reasonably related” to Tucker’s alleged business conduct, and then to deposit any remaining funds in the United States Treasury as disgorgement.[60] Tucker appealed, arguing that Section 13(b) does not authorize the FTC to seek monetary relief, but the Ninth Circuit rejected his claim.[61]

The Supreme Court granted certiorari to decide “whether Section 13(b) of the [FTC Act], by allowing ‘injunction[s],’ also authorizes the [FTC] to demand monetary relief such as restitution—and if so, the scope of the limits or requirement for such relief.”[62] Tucker argued that the text and structure of Section 13(b) show it was designed to address present harm through injunctive relief, while the FTC argued that because Congress did not expressly limit monetary relief, Section 13(b) “implies” the power to seek it.[63] The Supreme Court took a textualist approach and unanimously held that the language of Section 13(b) refers only to injunctions and that the section is focused on prospective rather than retrospective relief, thus denying the FTC authority to obtain equitable monetary relief under it.[64]

Shortly after the AMG decision, the FTC presented testimony to Congress titled “The Urgent Need to Fix Section 13(b) of the FTC Act.”[65] The testimony expresses great concern that, without the potential for monetary relief under Section 13(b), which had been the FTC’s primary and most effective means of returning money to consumers,[66] the FTC will be stripped of its power to protect them. Even before the Supreme Court’s decision, the FTC had strongly urged Congress to close the gap in its authority by amending Section 13(b); one such proposal, H.R. 2668, the Consumer Protection and Recovery Act, would grant the FTC explicit authority to obtain monetary relief for violations of any law it enforces.[67]

Where Should the FTC Go from Here?

While the FTC is attempting to formally expand the scope of its authority through Congress, I believe that the FTC should instead focus on taking full advantage of the authority it already has. Indeed, the FTC has recently been criticized for failing to exercise its existing power to protect consumers and prevent abuses of their personal data.[68]

The unused source of authority that could best help the FTC deter harmful business conduct is the Penalty Offense Authority in Section 5(m)(1)(B) of the FTC Act.[69] This authority empowers the FTC to seek civil penalties in federal court if it can prove that (i) the FTC had previously determined, in one or more final administrative cease and desist orders, that a specific type of conduct is unfair or deceptive, and (ii) the company engaged in that conduct with actual knowledge that it was unfair or deceptive in violation of Section 5.[70] The FTC establishes that knowledge by sending companies a “Notice of Penalty Offenses” listing the conduct it has found unlawful; if a company receives a Notice and still engages in a listed practice, the FTC can seek civil penalties of up to $46,517 per violation.[71] The idea is that by sending Notices, the FTC puts companies on notice of the law and deters them from breaking it.[72] Although in 1982 former FTC Commissioner Patricia Bailey described this authority as an “extremely effective way to enforce the law,” as of mid-2021 the FTC had not used it once in the preceding decade.[73]

The Penalty Offense Authority is particularly useful because it lets the FTC correct unlawful practices across an entire industry by serving notice of its determinations market-wide.[74] For example, the FTC used this authority in 2009 to stop deceptive sales of textiles and clothing marketed as made from bamboo fiber when they were actually made from rayon.[75] The FTC could use this authority, which the Supreme Court expressly acknowledged in AMG,[76] to put companies on notice that exploiting consumers’ personal data could expose them to civil penalties.

The FTC should also utilize its authority under Section 19, which allows it to seek consumer redress in federal court for consumer injury caused by the conduct at issue in an administrative proceeding.[77] The FTC can bring such a civil action if it can show that “a reasonable [person] would have known under the circumstances [the conduct] was dishonest or fraudulent.”[78] As the Court observed in AMG, where the FTC has issued a final cease and desist order applicable to a person, and that person has engaged in the unfair or deceptive conduct, district courts may grant “such relief as the court finds necessary to redress injury to consumers.”[79] The Court found it problematic in AMG that the FTC had sought monetary relief directly in federal court under Section 13(b) rather than first using its traditional administrative proceedings.[80] It appears the FTC could adjust how it procedurally pursues consumer redress by first using its own administrative process, which would not require new or amended legislation, although this route carries the additional burden of showing that the conduct was one a reasonable person would have known was dishonest or fraudulent.

The FTC should also pursue other means of obtaining monetary relief, such as seeking penalties under the COVID-19 Consumer Protection Act. That Act makes it unlawful under Section 5 of the FTC Act to engage in deceptive practices associated with COVID-19 or with a government benefit related to COVID-19, and it allows the FTC to seek monetary relief for first-time violations.[81] The FTC should use this and other specialized sources of authority to continue its mission of protecting consumers, especially at a time when they are most vulnerable to commercial exploitation.

Conclusion

While the FTC should focus on using its existing authority, it remains to be seen where the FTC goes from here. Consumer protection enforcement is difficult to navigate given the lack of a federal privacy law and the ambiguity of the FTC’s statutory authority. Even with the FTC serving as the “de facto” federal data protection authority,[82] Americans’ privacy remains vulnerable as technology becomes more prevalent and data collection companies more sophisticated. Given the outcomes of LabMD and AMG, as well as the FTC’s recent failure to employ its other existing sources of statutory authority to deter unfair and deceptive business practices, it is understandable that nearly 80% of American consumers are concerned about how companies collect, track, and use their data.[83] Ultimately, in today’s highly surveilled economy, it is more important than ever to consider the safeguards in place as we go about daily life.


* Juris Doctor Candidate, Class of 2024, University of Southern California Gould School of Law.

[1] Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Rsch. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.

[2] Id.

[3] Khan Outlines FTC’s Plans to Enforce Privacy, Data Security, Buckley LLP (Apr. 15, 2022), https://buckleyfirm.com/blog/2022-04-15/khan-outlines-ftc’s-plans-enforce-privacy-data-security.

[4] Id.

[5] Id.

[6] Id.

[7] Auxier et al., supra note 1.

[8] Id.

[9] Id.

[10] Data Privacy Laws: What You Need to Know in 2022, Osano (July 4, 2022), https://www.osano.com/articles/data-privacy-laws.

[11] Stephen P. Mulligan et al., Data Protection and Privacy Law: An Introduction, Cong. Rsch. Serv. (Oct. 12, 2022), https://crsreports.congress.gov.

[12] Id.

[13] Id.

[14] Adam Hayes, What Is the Federal Trade Commission (FTC)?, Investopedia (Apr. 21, 2022), https://www.investopedia.com/terms/f/ftc.asp.

[15] Id.

[16] Id.

[17] Herbert Hovenkamp, Federal Trade Commission Act (1914), Encyclopedia (May 18, 2018), https://www.encyclopedia.com/history/united-states-and-canada/us-history/federal-trade-commission-act.

[18] Id.

[19] Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014).

[20] Id.

[21] Protecting Consumer Privacy and Security, Federal Trade Commission, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security (last visited Oct 6, 2022).

[22] What the FTC Could Be Doing (But Isn’t) To Protect Privacy, Electronic Privacy Information Center (June 2021), https://epic.org/documents/epic-ftc-unused-authorities-report-june2021-2/.

[23] 15 U.S.C. § 45(a)(1).

[24] 15 U.S.C. § 45(n).

[25] FTC Policy Statement on Deception, Federal Trade Commission (Oct. 14, 1983), https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.

[26] A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority, Federal Trade Commission, http://www.ftc.gov/about-ftc/what-we-do/enforcement-authority (last visited Nov. 20, 2022).

[27] 15 U.S.C. § 53(b).

[28] Id.

[29] Id.

[30] FTC Safeguards Rule: What Your Business Needs to Know, Federal Trade Commission, https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know (last visited Nov. 17, 2022).

[31] Id.

[32] Id.

[33] Travis D. Breaux & David L. Baumer, Legally “Reasonable” Security Requirements: A 10-Year FTC Retrospective, 30 Computers & Security 179-193 (2011).

[34] Peter S. Frechette, FTC v. LabMD: FTC Jurisdiction Over Information Privacy Is “Plausible,” But How Far Can It Go? 62 Am. Univ. L. Rev. 101 (2013).

[35] LabMD, Inc. v. FTC, 891 F.3d 1286 (11th Cir. 2018).

[36] Id.

[37] Tyler Becker, Unreasonable and (Effectively) Unreviewable: A Call for Congress to Clarify the FTC’s Data Security Enforcement Authority, Columbia Law Review Forum (Mar. 31, 2020), https://ssrn.com/abstract=3549601.

[38] Lydia Parnes & Edward Holman, Eleventh Circuit Reverses FTC’s Data Security Order Against LabMD, Wilson Sonsini LLP, https://calawyers.org/antitrust-unfair-competition-law/eleventh-circuit-reverses-ftcs-data-security-order-against-labmd/ (last visited Nov. 20, 2022).

[39] Becker, supra note 37.

[40] Id.

[41] Frechette, supra note 34.

[42] LabMD, Inc. v. FTC, supra note 35.

[43] Id.

[44] Parnes & Holman, supra note 38.

[45] Id.

[46] Dune Lawrence, A Leak Wounded This Company. Fighting the Feds Finished It Off, Bloomberg Businessweek (Apr. 25, 2016), https://www.bloomberg.com/features/2016-labmd-ftc-tiversa/.

[47] Id.

[48] Id.

[49] Parnes & Holman, supra note 38.

[50] Id.

[51] AMG Capital Mgmt., LLC v. FTC, 141 S. Ct. 1341 (2021).

[52] The Urgent Need to Fix Section 13(b) of the FTC Act, Federal Trade Commission (Apr. 27, 2021), https://www.ftc.gov/system/files/documents/public_statements/1589400/p180500house13btestimony04272021.pdf.

[53] Id.

[54] Id.

[55] AMG Capital Mgmt., LLC v. FTC, supra note 51.

[56] Id.

[57] Id.

[58] Id.

[59] Id.

[60] Id.

[61] Id.

[62] AMG v. FTC: US Supreme Court Severely Limits FTC’s Ability to Seek Monetary Relief, Cooley Alert (Apr. 29, 2021), https://www.cooley.com/news/insight/2021/2021-04-29-amg-v-ftc.

[63] Id.

[64] Id.

[65] The Urgent Need to Fix Section 13(b) of the FTC Act, supra note 52.

[66] Id.

[67] AMG v. FTC: US Supreme Court Severely Limits FTC’s Ability to Seek Monetary Relief, supra note 62.

[68] What the FTC Could Be Doing (But Isn’t) To Protect Privacy, supra note 22.

[69] 15 U.S.C. § 45(m)(1)(B).

[70] Notices of Penalty Offenses, Federal Trade Commission, https://www.ftc.gov/enforcement/penalty-offenses (last visited Nov. 20, 2022).

[71] Id.

[72] Id.

[73] What the FTC Could Be Doing (But Isn’t) To Protect Privacy, supra note 22.

[74] Id.

[75] Id.

[76] AMG Capital Mgmt., LLC v. FTC, supra note 51.

[77] A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority, supra note 26.

[78] 15 U.S.C. § 57b(a)(2).

[79] AMG Capital Mgmt., LLC v. FTC, supra note 51.

[80] Id.

[81] COVID-19 Consumer Protection Act of the 2021 Consolidated Appropriations Act, Federal Trade Commission, https://www.ftc.gov/legal-library/browse/statutes/covid-19-consumer-protection-act-2021-consolidated-appropriations-act (last visited Nov. 20, 2022).

[82] Solove & Hartzog, supra note 19.

[83] Auxier et al., supra note 1.