Author: Daniel Solove

P
0

The FTC and the New Common Law of Privacy

I’m pleased to announce that my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), is now out in print.  You can download the final published version at SSRN.  Here’s the abstract:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.

P
0

FTC v. Wyndham

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and it has finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Some Quick Background

For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people’s data with “good,” “adequate,” or “reasonable” security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn’t outweighed by other benefits.

For more background about the FTC’s privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.

Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been waging in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges the FTC’s power to regulate data security under the FTC Act.

The Court’s Opinion and Some Thoughts

1. The FTC’s Unfairness Authority

Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA) that Congress did not intend for the FTC to be able to regulate data security more generally under FTC Act unfairness. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”

This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate for consumer protection for most industries.

Read More

1

Introducing Christine Corcos

Corcos 01I’m very pleased to announce that Professor Christine Corcos will be keeping us updated regularly about Law & Humanities as well as Media Law.

Christine is the Richard C. Cadwallader Associate Professor of Law at the Louisiana State University Law Center and a member of the Women’s and Gender Studies Faculty at Louisiana State University A&M. She is the co-author of La Politique du Logement aux Etats-Unis (1999), the author of An International Guide to Law and Literature Studies (Hein, 2000) and editor of Law and Magic: A Collection of Essays (Carolina Academic Press 2010). She has written numerous law review articles and essays including George Carlin, Constitutional Law Scholar, and Visits to a Small Planet: Rights Talk in Some Science Fiction Film and Television Series From the 1950s to the 1990s, for the Stetson Law Review, Some Thoughts on Chuck Lorre, “Bad Words,” and the “Raging Paranoia of Our Network Censors,” in the Regent Law Review, From Agnatic Succession to Absolute Primogeniture: The Shift to Equal Rights of Succession to Thrones and Titles in the Modern European Constitutional Monarchy, for the Michigan State Law Review, an essay on the tv show Damages for the collection Lawyers in Your Living Room (ABA, 2009), Prosecutors and Psychics on the Air: Does a “Psychic Detective Effect” Exist for the collection Law and Justice on the Small Screen (Hart Publishing, 2012), and Magical Images in Law for the collection Explorations in Courtroom Discourse (Ashgate, 2011). She is currently doing some writing in the area of law and religion, particularly on the First Amendment, Spiritualism, and “crafty sciences.”

She is a co-author of several casebooks, including Theater Law (Carolina Academic Press, 2004), Law and Popular Culture (2d ed., LEXIS Publishing, 2012), and Law of the European Union: A New Constitutional Order (2d ed., Carolina Academic Press, 2013). She is Secretary/Treasurer of the Law and Humanities Institute and a member of the Board of Editors of the International Journal for the Semiotics of Law. She also blogs at Media Law Prof Blog, the Law and Magic Blog, the Law and Humanities Blog (for the Law and Humanities Institute) and Feminist Law Professors.

She speaks frequently to the media on media law and law and popular culture.

Areas of interest: First Amendment, Freedom of Expression, Law and Religion, Legal History (including Women’s Legal History), Law and Popular Culture

US News Rankings 01
0

The Fundamental Problem with the US News School Rankings

Last week, all the law schools in America were holding their collective breaths for the latest pronouncement by US News about how their school ranked. For law schools, as well as other graduate schools as well as universities, the US News rankings play an enormously influential role. The rankings affect the number and quality of applicants. Employers use the rankings too, and the rankings thus affect job opportunities. The careers of law school deans can rise and fall on the rankings too. Key decisions about legal education are made based on the potential affect on ranking, as are admissions decisions and financial aid decisions.

In the law school world, grumbling about the US News rankings never ceases. The rankings use a formula that takes into account a host of factors that are often not very relevant, that can easily be misreported, skewed, or gamed, and that ultimately say little of value about the quality or reputation of a school. Each year, I read fervent outcries to US News to improve their formula. These cries are deftly answered with a response that is typically a variant of the following: “We’ll look into this. We are always looking to improve our ranking formula.” Not much changes, though. The formula is tweaked a little bit, but the changes are never dramatic.

And yet each year, we keep grumbling, keep hoping that someday Godot will arrive and US News will create a truly rigorous ranking.

We should stop hoping.

It isn’t going to happen. This is because there is a fundamental problem at the heart of the US News rankings — doing a rigorous and more accurate ranking is at odds with the economic interest of US News, which is to make money by selling its rankings to eager buyers each year and getting people to visit their site.

Read More

0

Call for Abstracts: The Taslitz Galaxy

I ordinarily don’t post calls for abstracts, but I’ll make an exception for this event to honor the life and work of Andrew Taslitz.  Andy’s work was creative and interdisciplinary; he saw things in ways that nobody else did, and his works were filled with insight.  He was also a wonderfully warm and kind person.  His untimely passing is such a devastating loss, not just for the scholarly community, but also because he was such a generous and genuine friend to so many people, including me.  I will miss him greatly.

CALL FOR ABSTRACTS

for

The Taslitz Galaxy: A Gathering of Scholars at Howard

Howard University School of Law is hosting a conference in honor of Andrew Taslitz. It is not a traditional symposium, for we expect concurrent sessions on many subjects. It is open to people who knew Taz and to those who were inspired by his writing or teaching.

If you would like to take part in this event, please submit an abstract by May 30, 2014 to the co-chairs named below. The conference is free but speakers must pay their own way.

Howard Law Journal is dedicating an issue to Professor Taslitz. If you would like to write a short piece for this issue, let us know when you submit your abstract. First drafts of the paper will be due on August 15, 2014.

GUIDELINES FOR SPEAKING  & WRITTEN ESSAYS

  • The Essays will be short, with a maximum of 10,000 words, including footnotes.
  • We are dividing the proposals into two tracks. The first track involves speaking &/or writing on substantive issues. The second track we are calling “The Tao of Taz,” a more personal approach. Both options are explained below.
  • You may suggest a panel for the gathering.

Read More

0

Introducing the Legal Roundup Project

I’m pleased to announce the launch of our Legal Roundup Project.  The goal of the Legal Roundup Project is for Concurring Opinions to become a central hub where people can learn about the highlights of different fields.

We have invited academics in a variety of fields to post roundups of key scholarship, cases, events, news, and developments in their fields.  Far too often, we can get so immersed in our own fields that we might miss out on useful ideas, debates, developments, cases, and scholarship in other fields.

We have asked participating scholars to focus on the developments and scholarship in their field that would be most relevant and interesting for everyone, not just to write primarily for others in their field.

Over the next few months, we plan to expand the project to cover more fields.  We hope that you will find the Legal Roundup Project to be useful and interesting.

0

Welcome to Ron Collins

Collins-Ron 02I’m delighted to announce that Ron Collins will be posting here on a regular basis.  Ron is the Harold S. Shefelman scholar at the University of Washington Law School and a senior fellow at the Newseum’s First Amendment Center in Washington, D.C. He was a Supreme Court Fellow in 1982-83 under Chief Justice Warren Burger and a law clerk to Oregon Supreme Court Justice Hans Linde. He is the book editor at SCOTUSblog.

Collins is the author, co-author, or editor of several books including: When Money Speaks: The McCutcheon Case, Campaign Financing Laws, and The First Amendment (e-book, Spring, 2014) Ÿ On Dissent: Its Meaning in America (Cambridge, 2013) Ÿ Mania: The Story of the Outraged & Outrageous Lives that Launched a Cultural Revolution (Top-Five Books, 2013) Ÿ Nuance Absolutism: Floyd Abrams & the First Amendment (Carolina Academic Press, 2013) Ÿ We Must not be Afraid to be Free (Oxford, 2011) Ÿ The Fundamental Holmes (Cambridge, 2010) Ÿ The Trials of Lenny Bruce (Sourcebooks, 2002, 2012) Ÿ and  Constitutional Government in America (Carolina Academic Press, 1980). He has authored over 60 scholarly articles including publications in Harvard Law Review Ÿ Stanford Law Review Ÿ Supreme Court Review Ÿ Michigan Law Review Ÿ Texas Law Review Ÿ Duke Law Journal Ÿ and the Southern California Law Review. He has also authored over 250 articles in the popular press including articles in the New York Times Ÿ Washington Post Ÿ Los Angeles Times Ÿ and The Nation.

In 2003, Collins and others successfully petitioned the governor of New York to posthumously pardon Lenny Bruce. In 2010, Collins was a fellow in residence at the Norman Mailer Writers Colony in Provincetown, Massachusetts. In 2011 he received the Supreme Court Fellow’s Administration of Justice award “in recognition of his scholarly and professional achievements in advancing the rule of law.” And in 2012, the American Society of Legal Writers awarded him a Scribes Book Award (bronze) for We Must not be Afraid to be Free.

His areas of interest are First Amendment law, constitutional law, legal history, and jurisprudence.

I
0

4 Points About the Target Breach and Data Security

There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S Courts. Then Michael’s. Here are four points to consider about data security:

1. Beware of fraudsters engaging in post-breach fraud.

After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.

2. Credit card fraud and identity theft are not the same.

The news media often conflates credit card fraud with identity theft. Although there is one point of overlap, for the most part they are very different. Credit card fraud involving the improper use of credit card data can be stopped when the card is cancelled and replaced. An identity theft differs because it involves the use of personal information such as Social Security number, birth date, and other data that cannot readily be changed. It is thus much harder to stop identity theft. The point of overlap is when an identity thief uses a person’s data to obtain a credit card. But when a credit card is lost or stolen, or when credit card data is leaked or improperly accessed, this is credit card fraud, and not identity theft.

3. Data breaches cause harm.

What’s the harm when data is leaked? This question has confounded courts, which often don’t recognize a harm. If your credit card is just cancelled and replaced, and you don’t pay anything, are you harmed? If your data is leaked, but you don’t suffer from identity theft, are you harmed? I believe that there is a harm. The harm of credit card fraud is that it can take a long time to replace all the credit card information in various accounts. People have card data on file with countless businesses and organizations for automatic charges and other transactions. Replacing all this data can be a major chore. People’s time has a price. That price will vary, but it rarely is zero.

Read More

Surveillance Man 02
0

10 Reasons Why Privacy Matters

Why does privacy matter? Often courts and commentators struggle to articulate why privacy is valuable. They see privacy violations as often slight annoyances. But privacy matters a lot more than that. Here are 10 reasons why privacy matters.

1. Limit on Power

Privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us. Personal data is used to make very important decisions in our lives. Personal data can be used to affect our reputations; and it can be used to influence our decisions and shape our behavior. It can be used as a tool to exercise control over us. And in the wrong hands, personal data can be used to cause us great harm.

2. Respect for Individuals

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. Of course, the desire for privacy can conflict with important values, so privacy may not always win out in the balance. Sometimes people’s desires for privacy are just brushed aside because of a view that the harm in doing so is trivial. Even if this doesn’t cause major injury, it demonstrates a lack of respect for that person. In a sense it is saying: “I care about my interests, but I don’t care about yours.”

3. Reputation Management

Privacy enables people to manage their reputations. How we are judged by others affects our opportunities, friendships, and overall well-being. Although we can’t have complete control over our reputations, we must have some ability to protect our reputations from being unfairly harmed. Protecting reputation depends on protecting against not only falsehoods but also certain truths. Knowing private details about people’s lives doesn’t necessarily lead to more accurate judgment about people. People judge badly, they judge in haste, they judge out of context, they judge without hearing the whole story, and they judge with hypocrisy. Privacy helps people protect themselves from these troublesome judgments.

Read More

0

NSA Metadata Surveillance and the Fourth Amendment

Phone NSA 01

 

A U.S. District Court recently held that the NSA surveillance of telephone metadata likely violates the Fourth Amendment. The case is Klayman v. Obama.

The NSA surveillance program involves an incredibly broad gathering of metadata about people’s conversations. Metadata doesn’t include the conversations themselves, just data about when and to whom they are made — i.e., not the content of the phone conversations but the phone numbers of the people having the conversations.

The key Fourth Amendment case at issue is Smith v. Maryland, 442 U.S. 745 (1979), which held that a pen register device capturing the phone numbers a person dialed wasn’t protected by the Fourth Amendment partly because the phone company had access to the phone numbers and partly because phone numbers weren’t viewed to be as sensitive as the phone conversations themselves.

The court in Klayman has an interesting view of why Smith v. Maryland is no longer applicable. Essentially, the court argues that the pen register information the government could gather when Smith was decided is much different from the very broad systematic gathering of phone records today.

The Klayman court relies on the U.S. Supreme Court’s fairly recent decision in United States v. Jones, 132 S.Ct. 945 (2012), where five justices in concurrences noted that wide-scale extensive surveillance technologies have different implications than there older more limited counterparts. Jones involved GPS, and the Court there distinguished an earlier case involving a beeper device that tracked a car. In a concurring opinion, Justice Alito wrote that “relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable. But the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy. For such offenses, society’s expectation has been that law enforcement agents and others would not—and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual’s car for a very long period.”

I find much merit to the Klayman court’s analysis. I have long argued that Smith was wrongly decided, and not too long ago, I wrote here about why there are strong privacy interests in metadata.

Read More