Enforcement of U.S. Privacy and Security Laws

Question 1

What is Civil Litigation?

Answer 1

Occurs in courts when one person sues another person to redress a wrong.

Question 2

What types of relief may a person seek in civil litigation?

Answer 2

1. Monetary Judgment

2. Injunction

Question 3

When may person sue based on a violation of law?

Answer 3

When a law creates a private right of action (ex. FCRA)

Question 4

What is Criminal Litigation?

Answer 4

Lawsuits brought by the government for violations of criminal laws.

Question 5

What types of punishment are typical associated with Criminal Litigation?

Answer 5

1. Imprisonment

2. Criminal Fines

Question 6

Who initiates Criminal Litigation?

Answer 6

1. DOJ

2. State attorney generals

Question 7

What are Agency Enforcement Actions?

Answer 7

Actions carried out pursuant to the statues that create and empower an agency.

Question 8

What is the Administrative Procedure Act?

Answer 8

An act laying out the basic rules for agency enforcement actions.

Question 9

What Act and Agency(ies) govern Medical Privacy?

Answer 9

Agencies - OCR and CMS (both roll up to HHS)

Act - HIPAA

Question 10

What Act and Agency(ies) govern Financial Privacy?

Answer 10

Agencies - CFPB, OCC, FED

Act - GLBA

Question 11

What Act and Agency(ies) govern Education Privacy?

Answer 11

Agencies - Dept. of Education

Act - Family Educational Rights and Privacy Act

Question 12

What Act and Agency(ies) govern Telemarking and Marketing Privacy?

Answer 12

Agencies - FCC and FTC

Act - Telephone Consumer Protection Act and other statues

Question 13

What Act and Agency(ies) govern Workplace Privacy?

Answer 13

Agencies - EEOC and other agencies

Act - ADA other statutes

Question 14

Which Acts give the FTC power to govern privacy issues?

Answer 14

1. FTC Act Section 5
2. FCRA
3. Children’s Online Privacy Protection Act (COPPA)
4. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
5. Telemarking Sales Rule

Question 15

What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?

Answer 15

FTC

1. Achieves a consent decree that incorporates good privacy and security practices
2. Avoids the expense and delay of trail
3. Gains an enforcement advantage due to the fact the fines are easier to assess in federal court if a company violates a consent decree

Company

1. Avoids a prolonged trial
2. Avoids negative publicity

Question 16

What is considered “unfair”?

Answer 16

An injury that is:

1. Substantial
2. Without offsetting benefits
3. one the consumers cannot reasonably avoid.

Question 17

Unfair Case: Gateway

Answer 17

Facts: Privacy policy stated Gateway would not sell, rent, or loan PI without explicit consent. If the practice changed Gateway stated they would provide customers an opportunity to opt-out. Gateway started renting PI to third parties without providing the opt-out.

Question 18

Unfair Case: BJ’s Wholesale Club

Answer 18

Facts: BJ failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers’ identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.

Question 19

Unfair Case: Google

Answer 19

Google buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google’s privacy notice.

Question 20

Unfair Case: Facebook

Answer 20

Facts: Facebook repeatedly made designated personal private information public. This was in violation of Facebook’s privacy notice.

Question 21

What are the Consumer Privacy Bill of Rights?

Answer 21

1. Individual Control
2. Transparency
3. Respect for Context
4. Security
5. Access and Accuracy
6. Focused Collection
7. Accountability

Question 22

What areas did the FTC Report emphasize?

Answer 22

1. Privacy by Design
2. Simplified Consumer Choice
3. Transparency

Question 23

What five priorities did the FTC announce for attention?

Answer 23

1. Do Not Track
2. Mobile
3. Data Brokers
4. Large Platform Providers
5. Promoting enforceable self-regulatory codes

Question 24

How to states enforce against unfair and deceptive practices?

Answer 24

Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. Ina addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.

Question 25

Who enforces UDAP laws?

Answer 25

State attorney generals

Question 26

How does self regulation occur?

Answer 26

Through three traditional separation of powers components: (1) legislation, (2) enforcement, and (3) adjudication

Question 27

What does legislation refer to?

Answer 27

To the question of who should define the appropriate rules for protecting privacy.

Question 28

What does enforcement refer to?

Answer 28

To the question of who should initiate enforcement actions.

Question 29

What does adjudication refer to?

Answer 29

To the question of who should decide whether a company has violated the privacy rules, and with what penalties.

Question 30

Where does self regulation occur with Section 5 of the FTC and state UDAP laws?

Answer 30

At the legislation stage - companies write their privacy policies.

Question 31

What is PCI DSS?

Answer 31

Payment Card Institute Data Security Standard

Question 32

Where does self regulation occur with PCI DSS?

Answer 32

At all three stages.

Question 33

What is GPEN?

Answer 33

Global Privacy Enforcement Network. it aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.

Question 34

What is APEC?

Answer 34

Asia-Pacific Economic Cooperation. The Asia-PAcific Cross-Border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating member to share information and evidence in cross-border investigations and enforcement actions in the Asia-Pacific region.

Question 35

Deceptive case: GeoCities

Answer 35

GeoCities operated website that allowed users to maintain personal home pages. Users had to fill out form containing personal information. Geo Cities promised not to sell. FTC alleged that it misrepresented by reselling which violated its privacy notice. Consent decree to post and adhere to online privacy notice.

Question 36

Unfair case: Eli Lilly

Answer 36

Eli Lilly had website where users provided personal information for updates reminding them to take medication. When program ended, it inadvertently emailed all subscribers. Resulted in consent decree requiring Eli Lilly to adhere to its policies and also develop an information privacy and security program.

Question 37

Deceptive case: Nomi

Answer 37

Nomi provided services to brick and mortar retailers whereby sensors tracked MAC addresses of mobile devices searching for WiFi. Nomi used info for analytics and retail traffic patterns. Nomi misled consumers about ability to opt out and failed to inform about location of stores that were tracking. Resulted in consent decree to stop practices for 20 years

Question 38

Deceptive case: SnapChat

Answer 38

Snapchat promised that snaps disappeared forever and “Find Friends” appeared to be only way to provide company with info on who you knew. Snap was saving chats indefinitely and gathering contacts from address book. Resulted in consent decree to stop practice for 20 years.

Question 39

Deceptive case: TRUSTe

Answer 39

TRUSTe (nka TrustArc) provides privacy certifications and represented that it re-certified annually. TRUSTe failed to re-certify in over 1,000 instances. Resulted in consent decree requiring TRUSTe to keep certification records for 10 years and pay $200,000 fine.