Federal Trade Commission Privacy Enforcement

Created by Laura Biber on March 11, 2016

The FTC, at the request of Congress and privacy experts, began taking enforcement action over breaches of privacy policies in 1998. Based on its authority in the FTC Act, the FTC maintains that using or disseminating personal information in a manner contrary to a posted privacy policy is a "deceptive practice" that is prohibited by the FTC Act's ban on "unfair or deceptive acts or practices in or affecting commerce."

There are generally two types of cases brought by the FTC: deception and unfairness cases. Under the deception prong are cases for broken promises of privacy, general deception, insufficient notice, and unreasonable data security practices. Under the unfairness prong, the FTC brings cases for retroactive changes to privacy policies, deceitful data collection, improper use of data, unfair design or unfair default settings, and unfair data security practices.

When the FTC has reason to believe that a violation of privacy rights has occurred, it will issue a complaint outlining the charges against those suspected of violating privacy rights. In most cases, the company accused of violating privacy rights will settle without admitting liability (see links with examples of Snapchat and Facebook settlements). Accompanying any settlement will be a consent decree. This consent decree will contain items such as:

- a prohibition on the activities violating the FTC Act;
- steps to remedy the problematic activities (such as notice to consumers or software patches);
- deletion of wrongfully obtained consumer data;
- modifications to privacy policies;
- establishment of a comprehensive privacy program;
- privacy assessment reports by independent auditors;
- record keeping to ensure the FTC can monitor compliance with the consent decree;
- the obligation to alert the FTC to any material changes.

Companies that violate the terms of settlement agreements are subject to fines of up to $16,000 per violation of the agreement.

A consumer can submit a complaint for a pri...

Written by Laura Biber on April 24, 2016

Supporting Authority

FTC v. Wyndham Worldwide Corporation, 799 F. 3d 236 (2015)

The U.S. Court of Appeals for the Third Circuit upheld the District Court's ruling that the FTC has the authority to bring an enforcement action against a company whose failure to protect sensitive consumer data has resulted in financial harm to customers. This case was based on Wyndham's cybersecurity practices that "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." The FTC alleged that between 2008 and 2010 there were three unauthorized intrusions into Wyndham's network that compromised 619,000 customer credit cards, resulting in $10.6 million in fraudulent charges. Following this decision by the appellate court, Wyndham settled with the FTC.

Created by Laura Biber on March 11, 2016

In the Matter of Snapchat, Inc., 2014 WL 1993567

The FTC filed a complaint against Snapchat based on Snapchat's collection of geolocation and contact information and its claim of "disappearing messages." Snapchat initially collected the names and phone numbers of all the contacts in a user's phone when the user used the "Find Friends" feature, without notifying users or obtaining their consent. Also, contrary to Snapchat's privacy policy, the Android version of the app broadcast location data based on Wi-Fi and cell phone information. Finally, the FTC noted that the messages sent through Snapchat did not disappear forever, as advertised by Snapchat. Snapchat settled with the FTC in May 2014.

Created by Laura Biber on March 11, 2016


Federal Trade Commission

This statute outlines the establishment, organization, and roles of the FTC. Of particular importance in privacy law enforcement is Section 45, which lays out the FTC's power to prohibit unfair trade practices. 

Created by Laura Biber on March 11, 2016

Federal Trade Commission 2014 Privacy and Data Security Update

This article outlines the ways in which the FTC protects consumer privacy and provides examples of the enforcement actions brought by the FTC to protect consumer privacy. Included in the examples are cases involving spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile devices.

Created by Laura Biber on April 24, 2016

Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

This article argues that one of the challenges of complying with FTC regulations is the lack of clear standards. The author suggests that one way to find some clarity is to look at recent FTC enforcement actions and determine what the FTC found inadequate in terms of privacy protection. From that information, companies could then extrapolate what would have been adequate. The article looks at 47 cases in the following areas: privacy, security, software/product review, service providers, risk assessment, unauthorized access/disclosure, and employee training.

Created by Laura Biber on April 24, 2016