2017 was an eventful year for the FTC’s efforts to hold its place as the most important regulator of privacy and data security in the United States. Although no regulator has broader reach or more influence, other agencies and states have begun to stake out their own claims to regulatory authority, and many of them did so last year. The FCC, the CFPB, the SEC, even the New York State Department of Financial Services have all issued new regulations, and each will likely attempt to increase its influence and authority in 2018.
Nevertheless, the FTC’s efforts last year demonstrate the Commission’s commitment to making US companies “stick with security.” The FTC’s stated position is that it “is the nation’s primary privacy and data security enforcer and one of the most active privacy and data security enforcers in the world.” In its Annual Report on Privacy and Data Security, the FTC makes clear how seriously it takes that mission.
The report is required reading for anyone who wants to understand data security enforcement in the United States. Although the circumstances, allegations, and outcome in each of the consent decrees are different, they all revolve around two primary themes: consumer expectations and company follow-through.
Put another way, many of the Commission’s decisions to intervene or pursue an action hinged upon a company’s failure to meet the rising expectation of privacy among American consumers. In its action against Vizio, the TV manufacturer, the FTC’s concern was that the company was collecting viewing data on millions of consumer televisions without the owners’ knowledge or consent. Other actions turn upon a company’s unfulfilled promises to safeguard consumer data, or its failure to comply with a pre-existing consent order.
Of course, no law in the United States specifically addresses control or use of data in the ways outlined above. There is no Federal Data Security Act, and in many ways, privacy is still a creature of state law.
How, then, does the FTC regulate? It relies on Section 5 of the FTC Act, which forbids unfair or deceptive trade practices. In other words, the FTC believes that misconduct related to data security and consumer privacy constitutes a false or deceptive trade practice, and the courts agree.
If you can’t tell, we follow what the FTC does pretty closely. Not only do the FTC’s enforcement actions provide meaningful guidance about data security standards in the US, the Commission is also the enforcer for the Privacy Shield framework which, for now, gives US companies some sense of security that they aren’t violating the GDPR (you knew I had to bring it back to Brussels eventually).
So how can you ensure that your business doesn’t run afoul of the dreaded Section 5? I could give you the classic lawyer answer and say “Well, it depends,” and it would be perfectly true. There is no one-size-fits-all approach to complying with consumer expectations, or the FTC’s.
But there are steps you can take to ensure you aren’t low-hanging fruit:
- Don’t treat data security as an afterthought,
- Respect consumer privacy and consider when consent is necessary (or at least advisable),
- Recognize how and why you keep consumer data, and,
- Perhaps most importantly, follow through on promises about safeguarding data. A promise unkept is the classic example of a deceptive trade practice, so don’t say you’re encrypting if you aren’t encrypting.
What else can you do? Draft a comprehensive, thoughtful data policy and conduct a serious data inventory. You’ll not only be able to make more informed choices, but you’ll also be able to think about how to leverage the data you have in a data partnership that works for you. Developing that kind of knowledge is how you become DataSmart.