Protection of Our Privacy in the Age of Social Media

Protection of our privacy in the age of social media is at the forefront of our concerns as consumers. We must think beyond product claims and deceptive TV commercials. We are familiar with the public concern over misuse of personal data stored in Facebook accounts. ReadthisInformation about the Federal Trade Commission(FTC).See alsoOverview of Statutory Authority to Remedy Privacy Infringements, anEpic.Orgarticle on the limitations of the FTC's Authority to Remedy Privacy Infringements below.

Tell us about an experience you have had with the unauthorized use or disclosure of personal information on a social media site or about a concern you have about the security and potential misuse of such information. How does thatexperience,or concern conform with the Social Media site's promises about your privacy? Is your experience or concern covered in the site's disclaimer? Explain how it is, or might be, a violation of the FTC Act as an unfair or deceptive practice.

Information about the Federal Trade Commission

This is an edited excerpt from the Prepared Statement of the Federal Trade Commission on "Examining the Proposed FCC Privacy Rules" Before the United States Senate Committee on the Judiciary Subcommittee for Privacy, Technology and the Law Washington, D.C. May 11, 2016.

The FTC has unparalleled experience in consumer privacy enforcement. The Commission has used its core enforcement authority - Section 5 of the FTC Act - to take action against companies engaged in unfair or deceptive practices involving the privacy and security of consumers' information. If a company makes materially misleading statements or omissions about a product or service, including its privacy or data security features, and such statements or omissions are likely to mislead reasonable consumers, such statements or omissions can be found to be deceptive and in violation of Section 5.4 Further, if a company's privacy or data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition, those practices can be found to be unfair and in violation of Section 5.

The FTC also enforces sector-specific statutes that protect certain health, credit, financial, and children's information. The FTC has brought over 500 enforcement actions protecting the privacy of consumer information. This body of cases covers both offline and online information and includes enforcement actions against companies large and small. These cases cover all parts of the Internet ecosystem, including social networks, search engines, ad networks, online retailers, mobile apps, mobile handsets, and Internet Service Providers (ISPs). In this wide range of cases, the FTC has alleged that companies made deceptive claims about how they collect, use, and share consumer data; failed to provide reasonable security for consumers' personal information; deceptively tracked consumers online; spammed consumers; installed spyware or other malware on consumers' computers; violated Do Not Call and other telemarketing rules; and publicly posted highly sensitive, private consumer data online without consumers' knowledge or consent. The FTC's enforcement actions - in both the physical and digital worlds - send an important message to companies about the need to protect consumer privacy. The FTC's current privacy enforcement priorities include mobile, health, the Internet of Things, and data security.

One example of FTC enforcement action in the mobile area is the Snapchat case. In that case, messaging app Snapchat promised that the photos and videos sent through its app would disappear at a time set by the sender. In fact, the FTC alleged that recipients could use easy workarounds, such as third party apps, to keep the messages forever. Despite a researcher warning the company about this possibility, the complaint alleged, Snapchat continued to misrepresent that the sender could control how long a recipient can view a 'snap.'

Federal Trade Commission

Overview of Statutory Authority to Remedy Privacy Infringements

a) Power to prohibit unfair and deceptive practices.

Under15 U.S.C. 45(a)(2)(section 5 of the Federal Trade Commission Act) the Federal Trade Commission ("FTC") is empowered to "prevent persons, partnerships, or corporations" from using "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." Although this law does not grant the FTC specific authority to protect privacy, over the last number of years it has been construed to prohibit certain privacy invasions based on deception. So, for example, if a company makes a written promise on its website or in any other company literature to abide by certain practices and then later breaches, or fails to meet, that promise it may be prosecuted by the FTC for committing an unfair and deceptive practice contrary to section 5 of the FTC Act.

Although this authority is useful where there is a clear violation of a previous commitment, it is not a sufficient substitute for a comprehensive and enforceable privacy law. It does not require data collectors to abide by standard Fair Information Practices such as notice, consent, use limitation, access and security. An "unfair and deceptive practice", as defined by the Commission, includes only a violation of a former written agreement (such as a privacy policy). There is no obligation on companies to actually post such a policy. In its own words:

"[T]he Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practices principles on their web sites...." [1]

This leads to the curious situation whereby a company without a privacy policy is arguably less likely to be punished for privacy invasive practices than a company with a privacy policy. Although the agency itself may encourage companies to follow good principles, it lacks the statutory authority to require them to do so.

In addition, individuals have no right to private action under the FTC Act nor can they compel the agency to act on their behalf. Consumers are entitled to notify the FTC of market failures by submitting complaints against specific companies, however, the FTC is not under any obligation to review or respond to individual privacy complaints. [2] Where the agency does take a case, it acts entirely according to its own discretion. There is no opportunity for individuals to be involved and even judicial review is expressly precluded by the Act. [3]

In June 2000, following three years of detailed marketplace study the FTC concluded in its annualreport to Congressthat new privacy legislation was necessary to protect consumers against privacy invasions in the online marketplace. The report called on Congress to enact legislation that would "establish basic standards of practice for the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards." This position was reversed, however, in October 2001 by new FTC Chairman Timothy Muris. In announcing anew privacy agendafor the agency the Chairman stated that it was "too soon" to recommend broad-based online privacy legislation and that there needed to be developed "better information about how such legislation would work and the costs and benefits it would generate."

b) Other Powers

The FTC is also responsible for overseeing and enforcing the privacy provisions of the following laws:

i) TheFair Credit Reporting Act(15 U.S.C. 1681-1681 (u), as amended) which regulates the use and disclosure of "consumer reports" by consumer reporting agencies;

ii) theTelemarketing and Consumer Fraud and Abuse Prevention Act( 15 U.S.C. 6101-6108) which protects consumers from invasive and fraudulent telemarketing practices;

iii) theChildren's Online Privacy Protection Act(15 U.S.C. 6501-6506) which restricts the online collection of personal information from children under the age of 13;

iv) theGramm-Leach-Bliley Act( 15 U.S.C 6801-6827) which provides limited "notice" and "opt-out" rights to consumers over their financial records; and

v) theIdentity Theft Assumption and Deterrence Act(18 U.S.C. 1028) which strengthens the criminal laws governing identity theft and charges the FTC which establishing a centralized complaint and consumer education service for victims of identity theft.

c) How the FTC Takes an Action

If the FTC believes that a company is engaging in an unfair or deceptive practice, it initially attempts to negotiate a settlement with the company. A successful settlement results in a consent decree, under which the company voluntarily agrees to refrain from the disputed practice and to take steps to remedy the situation, without admitting any violation of law. The order is then placed on record for a public comment period of 60 days. After this period the Commission decides whether to make the consent agreement final.[4] If the consent order becomes final, it has the force of law and violations are subject to a civil penalty.[5]

If no settlement can be reached, the FTC may bring an enforcement action (issue a complaint) against a party if it believes that the party was engaging in an unlawful practice and that a proceeding "would be in the interest of the public."[6] This complaint must set out the specific charges and notify the party that a formal hearing on the matter will take place before an administrative law judge within 30 days.[7] The Commission may also seek a temporary restraining order or preliminary injunction against a company pending the issuance or dismissal of a complaint to prevent them from engaging in a deceptive act or practice.[8] At the hearing, witnesses submit evidence, give testimony and are examined and cross-examined. If a violation of law is found, the FTC will issue a "cease and desist" order instructing the impugned party to refrain from continuing to engage in the unlawful practice. This decision may be appealed to the full Commission, which, subject to certain restrictions, may modify or set aside the order, in whole or in part, where it is of the opinion that either new conditions of fact or law, or the public interest, so requires.

Final decisions of the Commission may be appealed, within 60 days of the date of issuance of the order, to the US Court of Appeals for any circuit in which the accused practice was used or the accused party does business.[9] The appeals court then has full jurisdiction to enter a decree affirming, modifying or setting aside the order of the Commission. The judgment of the court is final and subject only to review of the Supreme Court upon certiorari. There is a civil penalty of up to $11,000, for each separate violation of the final "cease and desist" order.[10] Under section 45(m)(1)(B), the Commission may enforce this penalty against any party who violates the final cease and desist order if it can show that they have "actual knowledge or knowledge fairly implied.....that such act is unfair or deceptive."[11] Similarly, the Commission may take measures against persons for engaging in dishonest and fraudulent acts. Section 57b empowers it to bring a civil action against any person, organization or corporation that knowingly engages in an unfair and deceptive practice or a practice "which a reasonable man would have known under the circumstances was dishonest or fraudulent." In such a case, the court may grant such relief as it finds necessary "to redress injury to consumers or other persons, partnerships, and corporations resulting from the rule violation or the unfair or deceptive act or practice."

Footnotes

[1]Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000), p34.

[2] Code of Federal Regulations Title 16, Chap 1, Part 1, Sec 2.2 empowers "Any individual, partnership, corporation, association, or organization [to] request the Commission to institute an investigation in respect to any matter over which the Commission has jurisdiction." The Commission, however, retains full discretion to decide whether or not to take the action.

[3]15 U.S.C. 57b-3(c)

[4] See further, 'A Brief Overview of the FTC's Investigative and Law Enforcement Authority'.

[5] Commission Rule 1.98, set out in 16CFR1.98, as last adjusted in 1996 sets the civil monetary penalty amount at $11,000 .

[6]15 U.S.C. 45 (b)

[7] Settlements between the FTC and respondent companies are often made at this stage also.

[8] 15 U.S.C. 53(b)

[9] 15 U.S.C. 45(c)

[10] Supra.

[11] The Commission explains that in order to prove actual knowledge it would typically show that "it had provided the violator with a copy of the Commission determination in question, or a "synopsis" of that determination." See FTC, 'A Brief Overview of the FTC's Investigative and Law Enforcement Authority', supra n.4.