OPINION -- FTC Chief’s Big Data Speech Felt Like a Mandate for Industry

By Alan L. Friel, Esq.;

Chairman, Media & Technology Practice Group, Edwards Wildman Palmer LLP --

In her  August 19, 2013 address to the Technology Policy Institute Aspen Forum, FTC Chairwoman Edit Ramirez suggested that the FTC should employ its unfairness authority to regulate the evolution of big data in the interest of consumer privacy "to ensure that these advance [in data collection and use] are accomplished by sufficiently rigorous privacy safeguards."  [Click here to read excerpts from the speech as posted in this release of The Advisory.]

Ramirez likened her role to that of a lifeguard: "Like a vigilant lifeguard the FTC's job is not to spoil anyone's fun but to make sure that no one gets hurt.  With big data, the FTC's job is to get out of the way of innovation while making sure that consumer privacy is respected."  The rest of her speech, however, suggested not recommendations of best practices but what could be interpreted as mandates for industry.  She also opined that consumers are in fact harmed when companies gather more data than they need and do not give consumer's meaningful choice prior to collection and at the point of collection.  Actual harm is a requirement of the FTC's unfairness authority.

Use of unfairness authority under Section 5 of the FTC Act  is a long-standing controversial issue.  Invocation of unfairness authority in the privacy context should be cause for concern.  Basically, the FTC must establish (1) an act or practice is likely to cause substantial harm or injury to consumers; (2) that injury is not reasonably avoidable; and (3) that injury is not outweighed by countervailing benefits to consumer or competition.  Ramirez did not apply any set of facts to these standards or balance the competing interests in her speech.  Many feel that the unfairness authority does not permit a clear standard sufficient to give companies notice of what they can and cannot do with respect to consumer privacy.  Applying the unfairness authority to big data potentially would essentially allow the FTC to create law A) without the clear authority or direction of Congress and B) outside of the rulemaking process which requires notice and public comment.  Application of the unfairness authority is a matter of notice and due process, or rather the lack thereof. 

Deception, the other Section 5 authority, is pretty clear cut.   Companies are more hard pressed to argue they lack notice of the rules of the road on that one -- don't make privacy representations that are not true or are misleading

Technically, there should not be a common law built on FTC consent orders, in the same way judicial precedent builds the common law.  That is not the way executive branch and administrative law are supposed to operate.  But, it is the practical reality.  We all look to consent orders for direction on what is and is not appropriate, notwithstanding that the FTC is really just exercising "fencing in" of a specific alleged bad actor through a settlement.  A suggestion that the FTC may take such an approach to establishing rules rather than best practices with regard to consumer privacy is disturbing.

This was one of the key complaints of Wyndham Hotels in its challenge in  FTC v. Wyndham Worldwide (specifically referenced in the speech) of the FTC's authority to regulate data security.  Whether or not Wyndham is successful, its challenge to FTC’s unfairness authority, and to essentially regulate by enforcement actions and consent orders rather than legislation or administrative rulemaking, is very important.  It may serve to check the creeping expanse of authority of the current FTC in the area of consumer protection where there is no Congressional mandate and no process for vetting what makes good public policy in the open light where all stakeholders have an opportunity to contribute their thoughts and opinions.

The FTC should maintain its course of recommending privacy best practices, encouraging industry self-regulation, bringing deception cases and enforcing laws where Congress has given it specific authority, like the Children's Online Privacy Protection Act and the Fair Credit Reporting Act. 

If a national legal standard for data privacy and security is to be set, it is the role of Congress -- not the executive branch -- to develop that policy.  However, Chairwoman Ramirez seems to be signaling a willingness to step in and fill the void left by Congressional inaction.  Accordingly, companies should be looking at the FTC's best practice directions, such as in its 2012 Privacy Report (cited approvingly by Ramirez in her speech) and think of them not as mere recommendations.

Alan Friel is a partner at Edwards Wildman, where he is Chair of the Media and Technology Licensing & Transactions practice, Co-Chair of the Technology, Media and Telecommunications practice, and is on the steering committees of both the Intellectual Property Department and the Privacy and Data Protection Department (which has been recommended in the 2013 Legal 500 United States guide as well as the 2013 Chambers USA directory).  Friel will be one of the speaker’s at HB Litigation Conferences’ NetDiligence® Cyber Risk & Privacy Liability Forum in Los Angeles, running from Oct. 9 to Oct. 11, 2013.  For more information, please visit www.LitigationConferences.com.

Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.