In the last article, we outlined, generally, privacy and data protection considerations for compliance with applicable laws.  This article discusses the Federal Trade Commission Act (“FTCA”) § 5, which empowers the Federal Trade Commission (“FTC”) to pursue enforcement actions against companies that engage in “unfair” acts, that is, acts that are (1) likely to cause substantial injury to consumers, where that injury is (2) not reasonably avoidable by consumers and (3) not outweighed by countervailing benefits to consumers or to competition.  15 U.S.C. § 45(n).  In short, the FTC may “take action against unfair practices that have not yet been contemplated by more specific laws.”  F.T.C. v. Accusearch, Inc., 570 F.3d 1187, 1194 (10th Cir. 2009).

In a recent case, F.T.C. v. Wyndham, the Third Circuit analyzed an unfair practices complaint that the FTC brought against Wyndham Worldwide Corporation after hackers successfully accessed and stole the company’s consumer information on three separate occasions.  The FTC complaint alleged that Wyndham neither took reasonable ex-ante measures to mitigate risks nor reasonably responded to the attacks.

In response, Wyndham argued, among other things, that the FTC did not have the authority to regulate cybersecurity practices.  In rejecting this argument, the Third Circuit considered (1) a cost-benefit analysis of “relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity,” (2) an FTC guidebook, Protecting Personal Information: A Guide for Business, and (3) previous FTC complaints resolved via consent order.  F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 255-57 (3d Cir. 2015).  On whether Wyndham’s practices were unfair, the court stated:

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes unsuspecting customers to substantial financial injury, and retains the profits of their business.  Id. at 245.

Moreover, a company’s failure to follow its stated data practices can expose it to an enforcement action under the “deceptive” practices prong of FTCA § 5, as Snapchat learned in 2014.  In that case, the FTC filed a complaint against Snapchat for practices that contradicted both its app-store description and its website FAQ assertions.  For example, users could readily obtain software to undermine Snapchat’s assertion that photos could not be saved without notifying the sender.  Additionally, Snapchat’s privacy policy asserted that it collected a limited set of information, when the data set actually collected was much larger than asserted and included information Snapchat had expressly disclaimed collecting, such as geolocation data.

Both Wyndham and Snapchat ultimately agreed to consent orders rather than prolong litigation; settlement by consent order is the typical outcome of FTCA § 5 complaints.  Consent orders often outline a comprehensive privacy program, provide for external oversight, and provide an expedited means of punishment for subsequent violations of the order.  Consent orders will be discussed in greater detail in the next article.