Insights

On September 30, 2010, David Vladeck, the Director of the Federal Trade Commission’s Bureau of Consumer Protection, delivered a keynote address at the International Association of Privacy Professional’s annual Privacy Academy. Vladeck used this opportunity to highlight the FTC’s commitment to privacy and data security issues. He discussed recent enforcement actions, summarized key points from the FTC’s three Privacy Roundtables, considered developments in legislation and self-regulation, and hypothesized about the future in privacy and data security.

With respect to enforcement, Vladeck touted the case against Rite Aid pharmacy that the FTC brought together with the Department of Health and Human Services. The FTC’s component of the case challenged Rite Aid’s practices for safeguarding consumers’ sensitive information. The FTC targeted Rite Aid’s unreasonable methods for disposal of personal information, inadequate employee training, and insufficient processes for discovering and remedying risks to personal information. The FTC alleged that these shortcomings made it deceptive and unfair for Rite Aid to claim that it protected consumers’ privacy. The HHS’s component asserted violations of the federal health information privacy law, known as HIPAA. Although Vladeck conceded that the FTC lacked civil penalty authority in this action, HHS secured a $1 million civil penalty against Rite Aid.

The FTC’s case against Twitter claimed that the company’s failure to require strong administrative passwords or disable accounts after multiple failed log-in attempts unlawfully compromised the privacy of users’ accounts.

Vladeck also noted that the FTC was focusing on “pure privacy” cases as well as data security cases. The FTC’s case against LifeLock, Inc., alleged that the company made widely promoted promises to consumers about its anti-identity theft tools that it could not keep, such as an absolute promise to prevent identity theft. The FTC and 35 states collectively imposed a $12 million penalty against LifeLock. The FTC’s data broker case against US Search alleged that the company misled consumers regarding their opt-out rights. The settlement required US Search to offer full refunds and implement effective opt-out choices.

Also in the enforcement context, Vladeck explained that the FTC’s increased cooperation with international law enforcement partners, such as the new Cross-Border Privacy Enforcement Arrangement, resulted in the takedown of the largest spam operation in the world.

Vladeck also provided a summary of the FTC’s three Privacy Roundtables, held in 2009-2010. The Roundtables were a series of moderated discussions that covered a wide range of privacy concerns. Vladeck highlighted issues raised regarding meaningful consumer notice and choice for information sharing. Vladeck seemed to agree with the popular view that existing privacy notices were not as helpful to consumers as they could be. He also noted that technology developments are making it cheaper to store data than to destroy it, leading to longer data retention times and new, undisclosed uses for stored data. He also expressed concern over the fact that the line between personally identifiable information and non-personally identifiable information was increasingly blurring, leading some to question whether the construct of existing privacy standards, with a focus on personally identifiable information, was still meaningful.

Vladeck predicted that the FTC would release a draft Privacy Roundtable Report this fall, with an opportunity for the public to comment on the draft. He indicated that the report will address “privacy by design” – building privacy into an organization’s foundation and implementing good “data hygiene.” It will also address increased transparency regarding a business’s data practices and privacy notices, and simplified consumer choice, including providing the opportunity for choice at the right time. Vladeck said that the report should address issues of access to consumer information, such as by data brokers and aggregators, who collect a lot of information without having direct contact with consumers.

Finally, Vladeck considered developments in self-regulation and legislation. He reported that the FTC was disappointed by the pace of self-regulation in the areas of behavioral advertising, consumer choice, and enforcement of industry standards. With respect to legislation, he noted that prospects were up in the air for the two privacy bills currently being considered by Congress (those offered by Representatives Boucher and Rush). The FTC does not take positions on legislation, but Vladeck cautioned against any provision that further overburdened privacy notices or that overemphasized the value of a safe harbor based on self-regulation. He also mentioned data security breach legislation, which has been floating around Congress for several years. He identified the key elements of such legislation as notice tied to a reasonable risk of harm, civil penalty authority for failure to implement reasonable data security, and the value of a single nationwide standard.

As for the future, Vladeck closed his remarks with the hope that consumers will receive greater access to information in a way that will allow them to make quick, informed choices about their information. He also encouraged businesses to have respect for consumer choices. In sum, Vladeck’s speech reflected the FTC’s strong commitment to vigorous enforcement, increased consumer control over their information, and an ongoing dialog between industry, government, and consumers in the areas of privacy and data security.

Michael Goodman is a partner in the Washington, D.C., office of Hudson Cook, LLP. Michael can be reached at 202-327-9704 or by email at mgoodman@hudco.com.