Cheat Sheet: In-house counsel’s guide to privacy regulation
The era when protecting consumer privacy was a simple matter is long gone.
March 21, 2013 at 05:15 AM
The original version of this story was published on Law.com
The era when protecting consumer privacy was a simple matter is long gone. The digital age brought with it digital privacy problems, and using federal laws written by Congress in a pre-digital era to solve today's problems is like using a carrier pigeon to send an email. InsideCounsel's March issue takes a look at the state of consumer privacy law today: the likelihood of new legislation, the Federal Trade Commission's (FTC) enforcement strategy and how the Obama administration is dealing with cybersecurity. On the following pages, we've got answers to some of the most important privacy questions facing in-house counsel today.
Can we expect Congress to take action on comprehensive privacy legislation?
There's an optimistic and a pessimistic way to look at it. If you're an optimist, consider that it took more than a decade of discussion for the Clean Water Act and Clean Air Act to pass. Hogan Lovells Partner Christopher Wolf thinks that, after a similar period of debate, the time may finally be ripe for comprehensive privacy legislation.
If you're more glass-half-empty, you might focus on partisan rifts (Democrats are more interested in pushing through privacy legislation than Republicans), new technologies such as cloud computing that keep piling on privacy concerns or the fact that the current Congress still has pressing issues from the recession, among other things, to deal with.
Regardless, keep in mind that the Obama administration is pushing a self-regulatory approach that could enhance privacy protection without legislation through voluntary standards.
What kind of regulation should we look for from the FTC?
Without comprehensive legislation, the FTC has taken the lead on privacy regulation, using its authority under Section 5 of the FTC Act to police things like online data tracking. The agency has the power to regulate unfair and deceptive trade practices, and in a settlement with Epic Marketplace Inc., the FTC reasoned that Epic's online data gathering was deceptive because it collected information from far more websites than it claimed to in its privacy policy.
The FTC is also creatively applying much older statutes, like the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act, to situations where it deems companies have used data inappropriately.
Are there any areas receiving extra scrutiny?
The FTC has its eye fixed on data brokers—companies that resell collected consumer data. In December 2012, the agency announced an inquiry into nine data brokers' practices. Earlier, in June 2012, the FTC used the FCRA to charge data broker Spokeo, claiming that the consumer profiles it sold to human resources departments were consumer reports covered by the FCRA.
The concern when it comes to data brokers is that consumers aren't aware that their data is being collected online and then sold, and they have no control over it.
What steps are being taken to address data breaches?
It's hard to be responsible with consumer data when hackers keep trying to get access to it. But as with many issues, Congress has been struggling to get a cybersecurity bill passed. One died just last year, cause of death: Senate filibuster.
So the Obama administration is doing what it can to move forward without legislation. In February, the president signed an executive order on cybersecurity, which will create a framework that will allow the government to share information on potential threats with the private sector. It also asks agencies to create a set of voluntary standards for companies for things like updating antivirus programs and limiting access to company networks, and instructs the Department of Homeland Security to identify companies that operate important infrastructure, where a data breach could be catastrophic.