Safe Harbor Enforcement Overview

Federal and State “Unfair and Deceptive Practices”

Authority and Privacy

This memorandum outlines the authority of the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act (15 U.S.C. §§ 41-58, as amended) to take action against those who fail to protect the privacy of personal information in accordance with their representations and/or commitments to do so. It also addresses the exceptions to that authority and the ability of other federal and state agencies to take action where the FTC does not have authority.

FTC Authority over Unfair or Deceptive Practices

Section 5 of the Federal Trade Commission Act declares “unfair or deceptive acts or practices in or affecting commerce” to be illegal. 15 U.S.C. § 45(a)(1). Section 5 confers on the FTC the plenary power to prevent such acts and practices. 15 U.S.C. § 45(a)(2). Accordingly, the FTC may, upon conducting a formal hearing, issue a “cease and desist” in order to stop the offending conduct. 15 U.S.C. § 45(b). If it would be in the public interest to do so, the FTC can also seek a temporary restraining order or temporary or permanent injunction in the U.S. district court. 15 U.S.C. § 53(b). In cases where there is a widespread pattern of unfair or deceptive acts or practices, or where it has already issued cease and desist orders on the matter, the FTC may promulgate an administrative rule prescribing the acts or practices involved. 15 U.S.C. § 57a.

Anyone who does not comply with an FTC order is subject to a civil penalty of up to USD 11000, with each day of a continuing violation constituting a separate violation. 15 U.S.C. § 45(1). Likewise, anyone who knowingly violates an FTC rule is liable for USD 11000 for each violation. 15 U.S.C. § 45(m). Enforcement actions can be brought by either the Department of Justice, or if it declines, by the FTC. 15 U.S.C. § 56.

FTC Authority and Privacy

In exercising its Section 5 authority, the FTC takes the position that misrepresenting why information is being collected from consumers or how the information will be used constitutes a deceptive practice. For example, in 1998, the FTC filed a complaint against GeoCities for disclosing information it had collected on its website to third parties for purposes of solicitation, and without prior permission, despite its representations to the contrary. The FTC staff has also asserted that the collection of personal information from children, and sale and disclosure of that information, without the parents’ consent is likely to be an unfair practice.

It is noted the limitations on the FTC’s authority to protect privacy where there has not been a misrepresentation (or no representation at all) as to how the information collected will be used. However, companies that want to avail themselves of the proposed “safe harbor” will have to certify that they will protect the information they collect in accordance with prescribed guidelines. Consequently, where a company certifies that it will safeguard the privacy of information and then fails to do so, such action would be a misrepresentation and a “deceptive practice” within the meaning of Section 5.

As the FTC’s jurisdiction extends to unfair or deceptive acts or practices “in or affecting commerce”, the FTC will not have jurisdiction over the collection and use of personal information for non-commercial purposes, charitable fund-raising for example. However, the use of personal information in any commercial transaction will satisfy this jurisdictional predicate. Thus, for example, the sale by an employer of personal information on its employees to a direct marketer would bring the transaction within the purview of Section 5.

Section 5 Exceptions

Section 5 established exceptions to the FTC’s authority over unfair or deceptive acts or practices with respect to:

See 15 U.S.C. § 45(a)(2). We discuss each exception, and the regulatory authority that takes its place, below.

Financial institutions

The first exception applies to “banks, savings and loan institutions described in section 18(f)(3) [15 U.S.C. § 57a(f)(3)]” and “Federal credit unions described in section 18(f)(4) [15 U.S.C. § 57a(f)(4)]”. These financial institutions are instead subject to regulations issued by the Federal Reserve Board, the Office of Thrift Supervision, and the National Credit Union Administration Board, respectively. See 15 U.S.C. § 57a(f). These regulatory agencies are directed to prescribe the regulations necessary to prevent unfair and deceptive practices by these financial institutions and to establish a separate division to handle consumer complaints. 15 U.S.C. § 57a(f)(1). Finally, authority for enforcement derives from section 8 of the Federal Deposit Insurance Act (12 U.S.C. § 1818), for banks and savings and loans, and sections 120 and 206 of the Federal Credit Union Act, for Federal credit unions. 15 U.S.C. §§ 57a(f)(2)-(4).

Although the insurance industry is not specifically included in the list of exceptions in Section 5, the McCarran-Ferguson Act (15 U.S.C. § 1011 et seq.) generally leaves the regulation of the business of insurance to the individual states. Furthermore, pursuant to section 2(b) of the McCarran-Ferguson Act, no federal law will invalidate, impair, or supersede state regulation “unless such Act specifically relates to the business of insurance.” 15 U.S.C. § 1012(b). However, the provisions of the FTC Act apply to the insurance industry “to the extent that such business is not regulated by State law.” Id. It should also be noted that McCarran-Ferguson defers to the states only with respect to “the business of insurance.” Therefore, the FTC retains residual authority over unfair or deceptive practices by insurance companies when they are not engaged in the business of insurance. This could include, for example, when insurers sell personal information about their policy holders to direct marketers of non-insurance products.

Common carriers

The second Section 5 exception extends to those common carriers that are “subject to the acts to regulate commerce.” 15 U.S.C. § 45(a)(2). In this case, the “Acts to regulate commerce” refer to subtitle IV of Title 49 of the United States Code and to the Communications Act of 1934 (47 U.S.C. § 151 et seq.) (the Communications Act). See 15 U.S.C. § 44.

49 U.S.C. subtitle IV (Interstate Transportation) covers rail carriers, motor carriers, water carriers, brokers, freight forwarders, and pipeline carriers. 49 U.S.C. § 10101 et seq. These various common carriers are subject to regulation by the Surface Transportation Board, an independent agency within the Department of Transportation. 49 U.S.C. §§ 10501, 13501, and 15301. In each instance, the carrier is prohibited from disclosing information about the nature, destination, and other aspects of its cargo that might be used to the shipper’s detriment. See 49 U.S.C. §§ 11904, 14908, and 16103. We note that these provisions refer to information regarding the shipper’s cargo and thus do not appear to extend to personal information about the shipper that is unrelated to the shipment in question.

As for the Communications Act, it provides for the regulation of “interstate and foreign commerce in communication by wire and radio” by the Federal Communications Commission (FCC). See 47 U.S.C. §§ 151 and 152. In addition to common carrier telecommunications companies, the Communications Act also applies to companies such as television and radio broadcasters and cable service providers which are not common carriers. As such, these latter companies do not qualify for the exception under Section 5 of the FTC Act. Thus, the FTC has jurisdiction to investigate these companies for unfair and deceptive practices, while the FCC has concurrent jurisdiction to enforce its independent authority in this area as described below.

Under the Communications Act, “every telecommunications carrier”, including local exchange carriers, has a duty to protect the privacy of customer proprietary information. 47 U.S.C. § 222(a). In addition to this general privacy-protection authority, the Communications Act was amended by the Cable Communications Policy Act of 1984 (the Cable Act), 47 U.S.C. § 521 et seq., to mandate specifically that cable operators protect the privacy of “personally identifiable information” on cable subscribers. 47 U.S.C. § 551. The Cable Act restricts the collection of personal information by cable operators and requires the cable operator to notify the subscriber of the nature of the information collected and how that information will be used. The Cable Act gives subscribers the right of access to the information about them and requires cable operators to destroy that information when it is no longer needed.

The Communications Act empowers the FCC to enforce these two privacy provisions, either at its own initiation or in response to an outside complaint. 47 U.S.C. §§ 205, 403; id. § 208. If the FCC determines that a telecommunications carrier (including a cable operator) has violated the privacy provisions of section 222 or section 551, there are three basic actions it may take. First, after a hearing and determination of violation, the Commission may order the carrier to pay monetary damages. 47 U.S.C. § 209. Alternatively, the FCC may order the carrier to cease and desist from the offending practice or omission. 47 U.S.C. § 205(a). Finally, the Commission may also order an offending carrier to “conform to and observe [any] regulation or practice” that the FCC may prescribe. Id.

Private persons who believe a telecommunications carrier or cable operator has violated the relevant provisions of the Communications Act or the Cable Act may either file a complaint with the FCC or take their claims to a federal district court. 47 U.S.C. § 207. A complainant who prevails in a federal court action against a telecommunications carrier for failure to protect customer proprietary information under the broader section 222 of the Communications Act may be awarded actual damages and attorneys’ fees. 47 U.S.C. § 206. A complainant who files suit claiming a privacy violation under the cable-specific section 551 of the Cable Act may, in addition to actual damages and attorneys’ fees, also be awarded punitive damages and reasonable litigation costs. 47 U.S.C. § 551(f).

The FCC has adopted detailed rules to implement section 222. See 47 CFR 64.2001-2009. The rules set out specific safeguards to protect against unauthorized access to customer proprietary network information. The regulations require telecommunications carriers to:

Air carriers

U.S. and foreign air carriers that are subject to the Federal Aviation Act of 1958 are also exempt from Section 5 of the FTC Act. See 15 U.S.C. § 45(a)(2). This includes anyone who provides interstate or foreign transportation of goods or passengers, or who transports mail, by aircraft. See 49 U.S.C. § 40102. Air carriers are subject to the authority of the Department of Transportation. In this regard, the Secretary of Transportation is authorized to take action “preventing unfair, deceptive, predatory, or anticompetitive practices in air transportation.” 49 U.S.C. § 40101(a)(9). The Secretary of Transportation can investigate whether a U.S. or foreign air carrier, or a ticket agent, has engaged in an unfair or deceptive practice if it is in the public interest. 49 U.S.C. § 41712. After a hearing, the Secretary of Transportation can issue an order to stop the illegal practice. Id.

In 2003, at the request of a public interest organization, the Department initiated an investigation of Northwest Airlines for alleged violations of its stated privacy policy. Although Northwest Airlines has not notified the Department of Commerce to state that it adheres to the Safe Harbor Framework, it had adopted during the period in question, and continues to honor, a publicly stated privacy policy. In a decision that was widely reported and closely followed by the air transportation industry, the Department did not find that a violation of Northwest Airlines’ privacy policy had occurred, but emphasized that “a carrier is bound by the representations it makes to its customers, not only by the law of contract and tort, enforced by the courts, but also by the law of unfair and deceptive practices, regulated under 49 U.S.C. § 41712.” DOT Order 2004-9-13, Sept. 10, 2004 at 9. Subsequently, the Department made clear to U.S. air carriers that the violation of a publicly stated privacy policy similar to the policy adopted by Northwest Airlines might result in a substantial civil penalty if data is sold for profit, is transferred to a non-governmental entity, is transferred to an entity whose data protection protocols were not at least as secure as those of the air carrier itself, or is otherwise treated in a manner expressly barred by the terms of the policy. DOT Order 2005-3-9, March 7, 2005, affirming Order 2004-9-13. At this time, it appears that all U.S. certificated air carriers have adopted publicly stated privacy policies that provide significant protection to the personal information of their passengers and customers.

There are two provisions protecting the privacy of personal information that apply to air carriers in specific contexts. First, the Federal Aviation Act protects the privacy of pilot applicants. See 49 U.S.C. § 44936(f). While allowing air carriers to obtain an applicant’s employment records, the Act gives the applicant the right to notice that the records have been requested, to give consent to the request, to correct inaccuracies, and to have the records divulged only to those involved in the hiring decision. Second, DOT regulations require passenger manifest information collected for government use in the event of an aviation disaster to “be kept confidential and released only to the U.S. Department of State, the National Transportation Safety Board (upon the NTSB’s request), and the U.S. Department of Transportation.” 14 CFR part 243, § 243.9(c) (as added by 63 FR 8258).

Packers and stockyards

With regard to the Packers and Stockyards Act of 1921 (7 U.S.C. § 181 et seq.), the Act makes it unlawful for “any packer with respect to livestock, meats, meat food products, or livestock products in unmanufactured form, or for any live poultry dealer with respect to live poultry, to engage in or use any unfair, unjustly discriminatory, or deceptive practice or device.” 7 U.S.C. § 192(a); see also 7 U.S.C. § 213(a) (prohibiting “any unfair, unjustly discriminatory, or deceptive practice or device” in connection with livestock). The Secretary of Agriculture has the primary responsibility to enforce these provisions, while the FTC retains jurisdiction over retail transactions and those involving the poultry industry. 7 U.S.C. § 227(b)(2).

It is not clear whether the Secretary of Agriculture will interpret the failure by a packer or stockyard operator to protect personal privacy in accordance with stated policy to be a “deceptive” practice under the Packers and Stockyards Act. However, the Section 5 exception applies to persons, partnerships, or corporations only “insofar as they are subject to the Packers and Stockyards Act.” Therefore, if personal privacy is not an issue within the purview of the Packers and Stockyards Act, then the exception in Section 5 may very well not apply, and packers and stockyard operators would be subject to the authority of the FTC in that regard.

State “Unfair and Deceptive Practices” Authority

According to an analysis prepared by FTC staff, “All 50 states plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted laws more or less like the Federal Trade Commission Act (‘FTCA’) to prevent unfair or deceptive trade practices.” FTC fact sheet, reprinted in “Comment, Consumer Protection: The Practical Effectiveness of State Deceptive Trade Practices Legislation”, 59 Tul. L. Rev. 427 (1984). In all cases, an enforcement agency has the authority “to conduct investigations through the use of subpoenas or civil investigative demands, obtain assurances of voluntary compliance, to issue cease and desist orders or obtain court injunctions preventing the use of unfair, unconscionable or deceptive trade practices. Id. In 46 jurisdictions, the law allows private actions for actual, double, treble, or punitive damages and, in some cases, recovery of costs and attorney’s fees. Id.”

Florida’s Deceptive and Unfair Trade Practices Act, for example, authorizes the attorney general to investigate and file civil actions against “unfair methods of competition, unfair, unconscionable or deceptive trade practices,” including false or misleading advertising, misleading franchise or business opportunities, fraudulent telemarketing, and pyramid schemes. See also N.Y. General Business Law § 349 (prohibiting unfair acts and deceptive practices carried out in the course of business).

A survey conducted by the National Association of Attorneys General (NAAG) in 2000 confirms these findings. Of 43 states that responded, all have “mini-FTC” statutes or other statutes that provide comparable protection. Also according to the NAAG survey, 39 states indicated they would have the authority to hear complaints by non-residents. With respect to consumer privacy, in particular, 37 out of 41 states that responded indicated that they would respond to complaints alleging that a company within their jurisdiction was not adhering to its self-declared privacy policy.