March 26, 2013

Federal Trade Commission's Privacy and Data Security Enforcement Under Section 5

Jennifer Woods

While the United States lacks a comprehensive data security law akin to that in the European Union, the Federal Trade Commission has filled in gaps between industry-specific laws and rules with its general authority under Section 5 of the Federal Trade Commission (FTC) Act. Section 5 of the FTC Act gives the FTC broad authority to investigate “unfair and deceptive acts and practices in or affecting commerce”. The FTC has increasingly used this broad authority aggressively in the privacy and data security contexts, initiating investigations pertaining to a wide variety of “unfair” or “deceptive” practices. In particular, the FTC has brought a number of cases alleging that website operators engaged in deceptive acts in failing to adhere to their stated policies and practices.


The majority of the FTC’s privacy and data security cases involve the “deception” prong of Section 5. Many cases are not based solely on Section 5, and instead include violations of other related statutes under which the FTC has authority, including, for example, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. However, these cases generally involve a company’s failure to adhere to its own stated policies, which the FTC considers to be a deceptive act or practice. For example, in a recent case involving PLS Group, owners of the PLS Loan Stores, the FTC alleged, among other violations, that the company failed to protect consumer information in a manner consistent with the company’s written data security and privacy policies. In particular, the company did not shred or otherwise destroy consumer records, including social security numbers and credit reports, before disposing of them in unsecured dumpsters outside the stores. As part of the consent agreement, PLS Group agreed to pay more than $101,000 in civil penalties and undergo biannual third-party audits for the next 20 years.

To avoid Section 5 violations, the FTC encourages companies to implement “privacy by design”, and consider privacy and data security issues at every stage of a company’s development. Effectively, companies are encouraged to build privacy protections and safeguards into every relevant portion of the business, from employee training and password maintenance to data collection and storage practices. To the greatest extent possible, website privacy policies should clearly and truthfully disclose each kind of information collected from users, each use by the company of the information, means by which the information is stored and disposed of, security measures enacted by the company’s Because consumers may rely on privacy policies and terms of use in both the decision to use a site and in developing privacy expectations for it, companies should ensure that all privacy policies and terms of use accurately describe the company’s activities.


The FTC’s approach to data security enforcement under Section 5 of the FTC Act has evolved in recent years to include alleged violations of the “unfairness” prong of Section 5.

The extent to which the FTC has authority to pursue data security cases, namely those involving security breaches, under the “unfairness” prong of Section 5 has been the subject of considerable debate. Section 5(n) of the FTC Act, as revised, only permits the FTC to pursue investigations under the “unfairness” prong of Section 5 authority if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” While the FTC is allowed to use established public policy considerations as evidence in making an “unfairness” determination, public policy cannot be the main justification.

To date, no court has ruled on the FTC’s interpretation of the scope of its authority under the “unfairness” prong, because, until recently, all of these cases have been resolved by consent orders. However, a case currently pending in Arizona will likely provide the first judicial guidance regarding the legality of the FTC’s approach to data security cases based on “unfairness”. In summer 2012 the FTC filed suit against Wyndham Hotels, alleging that Wyndham Hotels failed to take appropriate data security measures, resulting in a breach by member hotels that compromised consumers’ personal information. Wyndham Hotels’ privacy policy expressly excluded member hotels, which were not owned by Wyndham, and made no representations regarding the data security measures taken by the member hotels. The FTC filed suit alleging that Wyndham’s failure to enact reasonable data security policies and procedures was an unfair act or practice within the meaning of Section 5. Wyndham Hotels responded by filing a motion to dismiss arguing that, in filing suit, the FTC had exceeded both its statutory and self-professed authority, as described in previous congressional testimony by FTC representatives.

Although a ruling on the Wyndham Hotels motion to dismiss will provide much-needed judicial guidance as to the extent of the FTC’s authority to bring cases under the “unfairness” prong, considerable ambiguity as to companies’ data security obligations will almost certainly remain. Clearly companies should work to implement reasonable data security policies and procedures, but in a constantly changing technological environment, it is difficult to determine which policies and procedures will fit the FTC’s definition of “reasonable”. Companies that experience a data breach may find themselves the target of an FTC action, even if the breach occurred through no obvious fault of the company.

Additional Sources of FTC Authority

In addition to its general authority under Section 5 of the FTC Act, the FTC has authority to investigate and prosecute privacy violations and data security breaches under 33 different sets of rules, laws, and guides. Among the more frequently invoked sources of FTC investigations are the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, including the Disposal Rule, the Gramm-Leach-Bliley Act Safeguards Rule, and the Telemarketing and Consumer Fraud and Abuse Act. Although a thorough analysis of the FTC’s authority and enforcement efforts under each of the applicable laws is beyond the scope of this article, one should keep these laws and rules in mind when considering the full scope of a website or other data collector’s privacy and data security obligations.
