FTC May Broaden Regulation & Enforcement of Privacy
The New York Times today has published some of the views of David C. Vladeck, the new head of the Bureau of Consumer Protection at the Federal Trade Commission, regarding the FTC’s role in protecting consumer privacy.
By way of background, in announcing Mr. Vladeck’s appointment April 14, 2009, the FTC noted that “David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director.”
The FTC has been, and likely will continue to be, among the most aggressive federal agencies in the U.S. privacy arena. Traditionally, the FTC had prosecuted companies for how they collect and use consumer information, if consumers had been deceived, or if consumers had suffered economic harm. Although you can read The New York Times article in full, Mr. Vladeck has proposed adding a new thrust to the future of FTC privacy enforcement. He is reported to have suggested that if companies collect too much information from a consumer, that, in itself, is a harm to the inherent privacy of individuals AND (if his views turn out to be prophetic) is prosecutable, no matter how conspicuously or completely the nature and extent of information collection is disclosed to the consumer. This concept of damage to the "dignity" of the consumer goes well beyond the traditional U.S. privacy principles that have typically compensated consumers only when economic harm or damage has occurred, or when there are statutory penalties for violations of law or regulation.
If Mr. Vladeck’s views transform into regulatory policy and enforcement activity, this highly subjective and vague standard (How much is too much? Why shouldn’t proper disclosure and choice be sufficient?) could have a huge impact on data collection, could lead to a huge flurry of litigation, and would arguably create a "big chill" for all—including consumers. Stay tuned.
The FTC has already exceeded its authority in going after companies that have suffered data security breaches. This just compounds the problem. See "The FTC, the Unfairness Doctrine and Data Security Litigation: Has the Commission Gone Too Far?" at http://tinyurl.com/456epu
This is an example of the balance that can be lost without measured dialog. It is my view that Michael Scott's article doesn't argue the FTC shouldn't have any authority over data breaches or companies that deceptively or unfairly fail to adhere to their own published privacy policies, but rather that the nature, scope and extent of that authority be carefully articulated to avoid the likelihood that government control could result in equally problematic enforcement absent clearly defined parameters. The currently perceived need to 'do something' in the privacy arena is perhaps more a product of the attention that the industry proposed self-regulation of behavioral marketing has spawned, rather than a shift in the environment or cataclysmic event that typically spurs a 'call to action.' When backed up by a complementary and supportive FTC regulatory framework, one major advantage a self-regulatory scheme can have, as evidenced by the 30 year success story of the Council of Better Business Bureaus' advertising self-regulatory program, is it's ability to adapt, be flexible, balanced and responsive - features difficult to mirror in rigid legislation or regulation that resists, rather than embraces, change. The FTC Guides applicable to testimonials and endorsements is currently undergoing proposed revisions for the first time since 1980 - in 1980, the Apple Macintosh had not yet appeared, IBM hired Bill Gates and Paul Allen to create an operating system for a new PC (and IBM let's them keep the rights to DOS) and Atari became the first company to register copyrights for two computer games - "Asteroids" and "Lunar Lander" . . . . Moore's Law anyone?