Cheat Sheet: In-house counsel’s guide to privacy regulation

Checking in on legislation, executive orders and the FTC’s creative enforcement strategy

The era when protecting consumer privacy was a simple matter is long gone. The digital age brought with it digital privacy problems, and using federal  laws written by Congress in a pre-digital era to solve today’s problems is like using a carrier pigeon to send an email. InsideCounsel’s March issue takes a look at the state of consumer privacy law today: the likelihood of new legislation, the Federal Trade Commission’s (FTC) enforcement strategy and how the Obama administration is dealing with cybersecurity. On the following pages, we’ve got answers to some of the most important privacy questions facing in-house counsel today.

Can we expect Congress to take action on comprehensive privacy legislation?

There’s an optimistic and a pessimistic way to look at it. If you’re an optimist, consider that it took more than a decade of discussion for the Clean Water Act and Clean Air Act to pass. Hogan Lovells Partner Christopher Wolf thinks that, after a similar period of debate, the time may finally be ripe for comprehensive privacy legislation.

If you’re more glass-half-empty, you might focus on partisan rifts (Democrats are more interested in pushing through privacy legislation than Republicans), new technologies such as cloud computing that keep piling on privacy concerns or Hothe fact that the current Congress still has pressing issues from the recession, among other things, to deal with.

 Regardless, keep in mind that the Obama administration is pushing a self-regulatory approach that could enhance privacy protection without legislation through  voluntary  standards.

What kind of regulation should we look for from the FTC?

Without comprehensive legislation, the FTC has taken the lead on privacy regulation, using its authority under Section 5 of the FTC Act to police things like online data tracking. The agency has the power to regulate unfair and deceptive trade practices, and in a settlement with Epic Marketplace Inc., the FTC reasoned that Epic’s online data gathering was deceptive because it collected information from far more websites than it claimed to in its privacy policy.

The FTC is also creatively applying much older statutes, like the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act to situations where it deems companies have used data inappropriately.

Are there any areas receiving extra scrutiny?

The FTC has its eye fixed on data brokers—companies that resell collected consumer data. In December 2012, the agency announced an inquiry into nine data brokers’ practices. Earlier, in June 2012, the FTC used the FCRA to charge data broker Spokeo, claiming that the consumer profiles it sold to human resources departments were consumer reports covered by the FCRA.

The concern when it comes to data brokers is that consumers aren’t aware that their data is being collected online and then sold, and they have no control over it.

What steps are being taken to address data breaches?

It’s hard to be responsible with consumer data when hackers keep trying to get access to  it. But as with many issues, Congress has been struggling to get a cybersecurity bill passed. One died just last year, cause of death: Senate filibuster.

So the Obama administration is doing what it can to move forward without legislation. In February, the president signed an executive order on cybersecurity, which will create a framework that will allow the government to share information on potential threats with the private sector. It also asks agencies to create a set of voluntary standards for companies for things like updating antivirus programs and limiting access to company networks, and instructs the Department of Homeland Security to identify companies that operate important infrastructure, where a data breach could be catastrophic.

Contributing Author

Contributing Author

Mary Swanton

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.