Should privacy policies be mandatory? How specific should they be, and why? Does it matter that few people, according to behavioral studies, actually read privacy policies? Is there are better way to provide individuals with this information, or is this as good as it gets? Do privacy policies fulfil any additional purposes?

1. Section 5 of The FTC Act: 15 U.S.C. 45(a), 45(n) 2. Selected State UDAP Laws New York, N.Y. Gen. Bus. Law, 349 California, Cal. Bus. & Prof. Code, 17200 Massachusetts, Mass. G.L., 93A 3. Federal Trade Commission, "A Brief Overview of the Federal Trade Commission's Investigative, Law Enforcement, and Rulemaking Authority," (Last Revised May 2021) 4. Daniel Solove and Woodrow Hartzog, "The FTC and Privacy Common Law," 114 Columbia Law Review 583 (2014) (excerpted for brevity) 5. Examples of recent FTC Cases FTC Press Release, "ASUS settles FTC Charges That Insecure Home Routers and "Cloud" Services Put Consumers' Privacy at Risk FTC Press Release, "Operators of AshleyMadison.com Settle FTC, State Charges Resulting From 2015 Data Breach that Exposed 36 Million Users' Profile Information," December 14, 2016 6. Paige Bosh ell, "The LabMD Case and the Evolving Concept of Reasonable Security," American Bar Association, Business Law Today, July 2018