Category: Consumer Protection Law


Should the FTC Be Regulating Privacy and Data Security?

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

This is a question that has recently been posed in the privacy and data security arenas, where the FTC has been involved since the late 1990s. Today, the FTC is the most active federal agency enforcing privacy and data security, and it has the broadest reach. Its fingers seem to be everywhere, in all industries, even those regulated by other agencies, such as in the AT&T case. Is the FTC going too far? Is it even the FTC’s role to police privacy and data security?

The Fount of FTC Authority

The FTC’s source of authority for privacy and data security comes from some specific statutes that give the FTC regulatory power. Examples include the Children’s Online Privacy Protection Act (COPPA) where the FTC regulates online websites collecting data about children under 13 and the Gramm-Leach-Bliley Act (GLBA) which governs financial institutions.

But the biggest source of the FTC’s authority comes from Section 5 of the FTC Act, where the FTC can regulate “unfair or deceptive acts or practices in or affecting commerce.” This is how the FTC has achieved its dominant position.

Enter the Drama

Until recently, the FTC built its privacy and security platform with little pushback. All of the complaints brought by the FTC for unfair data security practices quickly settled. However, recently, two companies have put on their armor, drawn their swords, and raised the battle cry. Wyndham Hotels and LabMD have challenged the FTC’s authority to regulate data security. These are more than just case-specific challenges that the FTC got the facts wrong or that the FTC is wrong about certain data security practices. Instead, these challenges go to whether the FTC should be regulating data security under Section 5 in the first place. And the logic of these challenges could also potentially extend to privacy as well.

The first dispute involving Wyndham Hotels has already resulted in a district court opinion affirming the FTC’s data protection jurisprudence. The second dispute over FTC regulatory authority involving LabMD is awaiting trial.

In the LabMD case, LabMD is contending that the U.S. Department of Health and Human Services (HHS) — not the FTC — has the authority to regulate data security practices affecting patient data regulated by HIPAA.

With Wyndham, and especially LabMD, the drama surrounding the FTC’s activities in data protection has gone from 2 to 11. The LabMD case has involved the probable shuttering of business, a controversial commissioner recusal, a defamation lawsuit, a House Oversight committee investigation into the FTC’s actions, and an entire book written by LabMD’s CEO chronicling his view of the conflict. And the case hasn’t even been tried yet!

The FTC Becomes a Centenarian

And so, it couldn’t be more appropriate that this year, the FTC celebrates its 100th birthday.

To commemorate the event, the George Washington Law Review is hosting a symposium titled “The FTC at 100: Centennial Commemorations and Proposals for Progress,” which will be held on Saturday, November 8, 2014, in Washington, DC.

The lineup for this event is really terrific, including U.S. Supreme Court Justice Stephen Breyer, FTC Chairwoman Edith Ramirez, FTC Commissioner Joshua Wright, FTC Commissioner Maureen Ohlhausen, as well as many former FTC officials.


Some of the participating professors include Richard Pierce, William Kovacic, David Vladeck, Howard Beales, Timothy Muris, and Tim Wu, just to name a few.

At the event, we will be presenting our forthcoming article:

The Scope and Potential of FTC Data Protection
83 George Washington Law Review (forthcoming 2015)

So Is the FTC Overreaching?

Short answer: No. In our paper, The Scope and Potential of FTC Data Protection, we argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but it also has the authority to expand its reach much more. Here are some of our key points:

* The FTC has a lot of power. Congress gave the FTC very broad and general regulatory authority by design to allow for a more nimble and evolutionary approach to the regulation of consumer protection.

* Overlap in agency authority is inevitable. The FTC’s regulation of data protection will inevitably overlap with other agencies and state law given the very broad jurisdiction in Section 5, which spans nearly all industries. If the FTC’s Section 5 power were to stop at any overlapping regulatory domain, the result would be a confusing, contentious, and unworkable regulatory system with boundaries constantly in dispute.

* The FTC’s use of a “reasonable” standard for data security is quite reasonable. Critics of the FTC have attacked its data security jurisprudence as being too vague and open-ended; the FTC should create a specific list of requirements. However, there is a benefit to mandating reasonable data security instead of a specific, itemized checklist. When determining what is reasonable, the FTC has often looked to industry standards. Such an approach allows for greater flexibility in the face of technological change than a set of rigid rules.

* The FTC performs an essential role in US data protection. The FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced. The FTC’s regulation of data protection gives the U.S. system of privacy law needed legitimacy and heft. Without the FTC’s data protection enforcement authority, the E.U. Safe Harbor agreement and other arrangements that govern the international exchange of personal information would be in jeopardy. The FTC can also harmonize discordant privacy-related laws and obviate the need for new laws.

* Contrary to the critics, the FTC has used its powers very conservatively. Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. The FTC should push the development of the norms a little more (though not in an extreme or aggressive way).

* The FTC can and should expand its enforcement, and there are areas in need of improvement. The FTC now sits atop an impressive body of jurisprudence. We applaud its efforts and believe it can and should do even more. But as it grows into this role of being the data protection authority for the United States, some gaps in its power need to be addressed and it can improve its processes and transparency.

The FTC currently plays the role of the primary regulator of privacy and data security in the United States. It reached this position in part because Congress never enacted comprehensive privacy regulation and because some kind of regulator was greatly needed to fill the void. The FTC has done a lot so far, and we believe it can and should do more.

If you want more detail, please see our paper, The Scope and Potential of FTC Data Protection. And with all the drama about the FTC these days, please contact us if you want to option the movie rights.

Cross-posted on LinkedIn


On National Ice Cream Day, Thanks Dairy Queen

In honor of National Ice Cream Day (July 20), here is a brief celebration of Dairy Queen, an institution of American culture—entrepreneurial, legal, literary, and familial—that helped put this cold concoction on the national calendar. I developed these reflections when researching my upcoming book, Berkshire Beyond Buffett: The Enduring Value of Values (Columbia U. Press 2014), which provides deep looks at the corporate culture of Berkshire Hathaway’s fifty-plus subsidiaries, including Dairy Queen.

While full treatment must await publication of the book (which can be pre-ordered now), here are a few passages along with many outtakes—i.e., sections that did not make it into the final book because they are too technical, but may appeal to readers of this blog interested in the history of franchising businesses and intellectual property rights.

Dairy Queen’s roots date to 1927’s founding of Homemade Ice Cream Company by John F. (“Grandpa”) McCullough (1871‒1963) and his son Alex near the Iowa-Illinois border. Innovative ice cream makers, they experimented with temperatures and textures and eventually pioneered soft ice creams. One discovery: ice cream was frozen for the convenience of manufacturers and merchants, not for the delight of consumers.

At first, the McCulloughs were unable to interest any manufacturer in building the necessary freezers and dispensers to serve soft ice cream. Luckily, however, Grandpa happened to see a newspaper ad in the Chicago Tribune describing a newly-patented continuous freezer that could dispense soft ice cream. Grandpa answered the inventor/manufacturer, Harry M. Oltz, and the two made a deal in the summer of 1939.

The McCullough-Oltz agreement entitled Oltz to patent royalties equal to two cents per gallon of soft ice cream run through the freezer; the agreement also granted the McCulloughs patent licensing rights in the Western U.S., while Oltz retained them for the Eastern part of the country. The agreements that McCullough and Oltz made with licensees seemed to cover only the patent, rather than the DQ trademark, and contained few quality controls.

After World War II, DQ stores hit their stride, drawing lengthy lines of increasingly loyal customers enjoying the cooling effects of soft ice cream all sultry-summer long. The customer throngs at one store in Moline, Illinois caught the attention of Harry Axene. An entrepreneurial farm equipment salesman for Allis-Chalmers, Axene wanted to invest in the business. He contacted the McCulloughs and acquired both the rights to sell the ice cream in Illinois and Iowa as well as an interest in the McCulloughs’ ice cream manufacturing facility.

Facebook’s Model Users

Facebook’s recent psychology experiment has raised difficult questions about the ethical standards of data-driven companies, and the universities that collaborate with them. We are still learning exactly who did what before publication. Some are wisely calling for a “People’s Terms of Service” agreement to curb further abuses. Others are more focused on the responsibility to protect research subjects. As Jack Balkin has suggested, we need these massive internet platforms to act as fiduciaries.

The experiment fiasco is just the latest in a long history of ethically troubling decisions at that firm, and several others like it. And the time is long past for serious, international action to impose some basic ethical limits on the business practices these behemoths pursue.

Unfortunately, many in Silicon Valley still barely get what the fuss is about. For them, A/B testing is simply a way of life. Using it to make people feel better or worse is a far cry from, say, manipulating video poker machines to squeeze a few extra dollars out of desperate consumers. “Casino owners do that all the time!”, one can almost hear them rejoin.

Yet there are some revealing similarities between casinos and major internet platforms. Consider this analogy from Rob Horning:

Social media platforms are engineered to be sticky — that is, addictive, as Alexis Madrigal details in [a] post about the “machine zone.” . . . Like video slots, which incite extended periods of “time-on-machine” to assure “continuous gaming productivity” (i.e. money extraction from players), social-media sites are designed to maximize time-on-site, to make their users more valuable to advertisers (Instagram, incidentally, is adding advertising) and to ratchet up user productivity in the form of data sharing and processing that social-media sites reserve the rights to.
 

That’s one reason we get headlines like “Teens Can’t Stop Using Facebook Even Though They Hate It.” There are sociobiological routes to conditioning action. The platforms are constantly shaping us, based on sophisticated psychological profiles.

For Facebook to continue to meet Wall Street’s demands for growth, its user base must grow and/or individual users must become more “productive.” Predictive analytics demands standardization: forecastable estimates of revenue-per-user. The more a person clicks on ads and buys products, the better. Secondarily, the more a person draws other potential ad-clickers in–via clicked-on content, catalyzing discussions, crying for help, whatever–the more valuable they become to the platform. The “model users” gain visibility, subtly instructing by example how to act on the network. They’ll probably never attain the notoriety of a Lei Feng, but the Republic of Facebookistan gladly pays them the currency of attention, as long as the investment pays off for top managers and shareholders.

As more people understand the implications of enjoying Facebook “for free”–i.e., that they are the product of the service–they also see that its real paying customers are advertisers. As Katherine Hayles has stated, the critical question here is: “will ubiquitous computing be coopted as a stalking horse for predatory capitalism, or can we seize the opportunity” to deploy more emancipatory uses of it? I have expressed faith in the latter possibility, but Facebook continually validates Julie Cohen’s critique of a surveillance-innovation complex.


The FTC and the New Common Law of Privacy

I’m pleased to announce that my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), is now out in print.  You can download the final published version at SSRN.  Here’s the abstract:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.


FTC v. Wyndham

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and it has finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Some Quick Background

For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people’s data with “good,” “adequate,” or “reasonable” security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn’t outweighed by other benefits.

For more background about the FTC’s privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.

Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been waging in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges to the FTC’s power to regulate data security under the FTC Act.

The Court’s Opinion and Some Thoughts

1. The FTC’s Unfairness Authority

Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA), Congress did not intend for the FTC to be able to regulate data security more generally under FTC Act unfairness. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”

This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate for consumer protection for most industries.


Economic Dynamics and Economic Justice: Making Law Catastrophic, Middling, or Better?

Contrary to Livermore’s post, in my view Driesen’s book is particularly powerful as a window into the profound absurdity and destructiveness of the neoclassical economic framework, rather than as a middle-ground tweaking some of its techniques. Driesen’s economic dynamics lens makes a more important contribution than many contemporary legal variations on neoclassical economic themes by shifting some major assumptions, though this book does not explore that altered terrain as far as it might.

At first glance, Driesen’s foregrounding of the “dynamic” question of change over time may, as Livermore suggests, seem to be consistent with the basic premise of neoclassical law and economics:   that incentives matter, and that law should focus ex ante, looking forward at those effects.   A closer look through Driesen’s economic dynamics lens reveals how law and economics tends to instead take a covert ex post view that enshrines some snapshots of the status quo as a neutral baseline.  The focus on “efficiency” – on maximizing an abstract pie of “welfare”  given existing constraints —  constructs the consequences of law as essentially fixed by other people’s private choices, beyond the power and politics of the policy analyst and government, without consideration of how past and present and future rights or wrongs constrain or enable those choices.  In this neoclassical view, the job of law is narrowed to the technical task of measuring some imagined sum of these individual preferences shaped through rational microeconomic bargains that represent a middling stasis of existing values and resources, reached through tough tradeoffs that nonetheless promise to constantly bring us toward that glimmering goal of maximizing overall societal gain (“welfare”) from scarce resources.

Driesen reverses that frame by focusing on complex change over time as the main thing we can know with certainty.  In the economic dynamic vision, “law creates a temporally extended commitment to a better future.” (Driesen p. 52).

What Do Car Dealers Do?

New Jersey recently barred Tesla from selling cars through its own stores.  Car dealers are not fond of Tesla’s distribution model, since Elon Musk does not want to have dealers.  And since many states require cars to be sold by dealers, this poses a significant problem for Tesla’s future.

Here’s my question.  What is the public purpose behind a statute or regulation that says that you can only buy new cars through a dealer?  I’ll grant that the dealership model has been around for a long time, and dealers are a powerful lobby, but is there anything else to this regulation?  For example, can you say that car dealers do a better job at protecting consumer safety or welfare than a store owned by the manufacturer?  I find that hard to believe.  I’m not sure these dealership statutes are constitutionally irrational, but they are ridiculous.


UCLA Law Review Vol. 61, Issue 2

Volume 61, Issue 2 (January 2014)
Articles

Negotiating Nonproliferation: International Law and Delegation in the Iranian Nuclear Crisis (Aslı Ü. Bâli)
Detention Without End?: Reexamining the Indefinite Confinement of Terrorism Suspects Through the Lens of Criminal Sentencing (Jonathan Hafetz)
Transparently Opaque: Understanding the Lack of Transparency in Insurance Consumer Protection (Daniel Schwarcz)

 

Comments

California’s Unloaded Open Carry Bans: A Constitutional and Risky, but Perhaps Necessary, Gun Control Strategy (Charlie Sarosy)
Exclusion, Punishment, Racism and Our Schools: A Critical Race Theory Perspective on School Discipline (David Simson)

Opportunities and Roadblocks Along the Electronic Silk Road

Last week, Foreign Affairs posted a note about my book, The Electronic Silk Road, on its Facebook page. In the comments, some clever wag asked, “Didn’t the FBI shut this down a few weeks ago?” In other venues as well, as I have shared portions of my book across the web, individuals across the world have written back, sometimes applauding and at other times challenging my claims. My writing itself has journeyed across the world–when I adapted part of a chapter as “How Censorship Hurts Chinese Internet Companies” for The Atlantic, the China Daily republished it. The Financial Times published its review of the book in both English and Chinese.

International trade was involved in even these posts. Much of this activity involved websites—from Facebook, to The Atlantic, and the Financial Times, each of them earning revenue in part from cross-border advertising (even the government-owned China Daily is apparently under pressure to increase advertising). In the second quarter of 2013, for example, Facebook earned the majority of its revenues outside the United States–$995 million out of a total of $1,813 million, or 55 percent of revenues.

But this trade also brought communication—with ideas and critiques circulated around the world.  The old silk roads similarly were passages not only for goods, but knowledge. They helped shape our world, not only materially, but spiritually, just as the mix of commerce and communication on the Electronic Silk Road will reshape the world to come.


Credit Card Merchant Fee Settlement — Injunctive Relief

Prior installments in this series addressed the background leading up to the credit card merchant fee class action and the damages provisions in the b(3) opt out class action.  This post addresses the injunctive relief provisions that the settlement in In re: Payment Card Interchange Fee and Merchant Discount Antitrust Litigation styles as a mandatory b(2) non-opt out class action.  An upcoming final installment in this series will address the release provisions in the settlement.

B(2) classes are appropriate where the nature of the injunctive relief is such that it will necessarily affect every class member.  After setting out the relief proposed in the settlement, I’ll provide some thoughts on whether b(2) is really an appropriate device for this case.  Perhaps class action experts out there could weigh in on this issue in the comments.

The injunctive relief set out by the settlement is notable for what is not provided.  Nothing in the settlement addresses the core concerns in the complaint about (1) the collective setting of a default interchange fee; (2) the rule prohibiting merchants from rejecting the cards of, surcharging the card transactions of, or otherwise discriminating against some card-issuing banks, but not others; or (3) the rules making it impossible for merchants to route transactions over the least expensive network.
