08/10/2018 by Authored by Law Clerk Daniel Salmon, with assistance of Attorney Jonathan Gallo
The last article discussed the consent orders that typically result from Federal Trade Commission Act (“FTCA”) § 5 enforcement actions. This article, the final in a four-article series on data custodianship, discusses some sector-specific laws and provides links for further research. While these laws are more industry-specific than FTCA § 5, these laws provide the Federal Trade Commission (“FTC”), other agencies, and sometimes individual victims impactful recourse against privacy and data protection violations in specific industry sectors. This article discusses, generally, the notice and consent requirements for collection, storage, and disclosure of consumer information under the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), and the Children’s Online Privacy Protection Act (“COPPA”).
First, the FCRA, 15 U.S.C. §§ 1681 et seq., which governs consumer reporting agencies (“CRA”), permits both federal regulators, such as the FTC, and certain individual victims to bring actions against FCRA violators. The FCRA defines CRAs as entities that assemble reports “bearing on consumer’s credit worthiness,” character, or other similar factors to establish the consumer’s eligibility for credit, insurance, employment, or other specifically enumerated purposes. CRAs are prohibited from furnishing consumer reports for any reason beyond the specifically enumerated purposes of FCRA. Additionally, FCRA prohibits entities from obtaining consumer reports for purposes that are not statutorily enumerated. See Bakker v. McKinnon, 152 F.3d 1007 (8th Cir. 1998) (holding that attorney violated FCRA when she willfully obtained consumer report to assess dentist’s assets to coerce professional malpractice settlement).
Next, the GLBA, 15 U.S.C. §§ 6801-6809, which governs financial institutions, permits certain agencies, such as the FTC, to set forth notification, safeguarding, and opt-out requirements for institutions who obtain nonpublic personal consumer information through financial transactions. Unlike FRCA, GLBA permits enforcement only through federal regulators and states’ attorneys general. While GLBA primarily applies to banks and other financial entities, entities that offer financial products and services, such as automotive dealerships, may also be subject to FTC enforcement of the GLBA.
Finally, COPPA, 5 U.S.C. §§ 6501-6505, which governs websites and online services directed toward children under the age of 13, has the potential to bankrupt a company on a single demonstration of noncompliance. COPPA prohibits certain websites or online services from collecting, using, or disclosing information from children under the age of 13 without parental consent. Like GLBA, COPPA provides no private right of action, but is enforced by governmental entities. Though the FTC does not always exert its full authority against COPPA violators, COPPA carries up to a $41,484 fine per violation. Though COPPA is unlikely to apply to most businesses, understanding how to maintain compliance may be critical to the future of yours.
While these sector-specific laws only apply to certain businesses or acts, their scope of authority is generally larger than one might expect. Additionally, violations of these laws may result in fines and liability to individual victims. Thus, if your business has entered the realm of data custodianship, awareness of these laws, and privacy and data protection laws generally, is critical to avoid liability.