Flashcards in Enforcement of U.S. Privacy and Security Laws Deck (34)
What is Civil Litigation?
Occurs in courts when one person sues another person to redress a wrong.
What types of relief may a person seek in civil litigation?
1. Monetary Judgment
When may person sue based on a violation of law?
When a law creates a private right of action (ex. FCRA)
What is Criminal Litigation?
Lawsuits brought by the government for violations of criminal laws.
What types of punishment are typical associated with Criminal Litigation?
2. Criminal Fines
Who initiates Criminal Litigation?
2. State attorney generals
What are Agency Enforcement Actions?
Actions carried out pursuant to the statues that create and empower an agency.
What is the Administrative Procedure Act?
An act laying out the basic rules for agency enforcement actions.
What Act and Agency(ies) govern Medical Privacy?
Agencies - OCR and CMS (both roll up to HHS)
Act - HIPAA
What Act and Agency(ies) govern Financial Privacy?
Agencies - CFPB, OCC, FED
Act - GLBA
What Act and Agency(ies) govern Education Privacy?
Agencies - Dept. of Education
Act - Family Educational Rights and Privacy Act
What Act and Agency(ies) govern Telemarking and Marketing Privacy?
Agencies - FCC and FTC
Act - Telephone Consumer Protection Act and other statues
What Act and Agency(ies) govern Workplace Privacy?
Agencies - EEOC and other agencies
Act - ADA other statutes
Which Acts give the FTC power to govern privacy issues?
1. FTC Act Section 5
3. Children's Online Privacy Protection Act (COPPA)
4. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
5. Telemarking Sales Rule
What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?
1. Achieves a consent decree that incorporates good privacy and security practices
2. Avoids the expense and delay of trail
3. Gains an enforcement advantage due to the fact the fines are easier to assess in federal court if a company violates a consent decree
1. Avoids a prolonged trial
2. Avoids negative publicity
What is considered "unfair"?
An injury that is:
2. Without offsetting benefits
3. one the consumers cannot reasonably avoid.
Unfair Case: Gateway
Unfair Case: BJ's Wholesale Club
Facts: BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers' identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.
Unfair Case: Google
Google buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google's privacy notice.
Unfair Case: Facebook
Facts: Facebook repeatedly made designated personal private information public. This was in violation of Facebook's privacy notice.
What are the Consumer Privacy Bill of Rights?
1. Individual Control
3. Respect for Context
5. Access and Accuracy
6. Focused Collection
What areas did the FTC Report emphasize?
1. Privacy by Design
2. Simplified Consumer Choice
What five priorities did the FTC announce for attention?
1. Do Not Track
3. Data Brokers
4. Large Platform Providers
5. Promoting enforceable self-regulatory codes
How to states enforce against unfair and deceptive practices?
Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. Ina addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
Who enforces UDAP laws?
State attorney generals
How does self regulation occur?
Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication
What does legislation refer to?
To the question of who should define the appropriate rules for protecting privacy.
What does enforcement refer to?
To the question of who should initiate enforcement actions.
What does adjudication refer to?
To the question of who should decide whether a company has violated the privacy rules, and with what penalties.