FTC Privacy Report Principles Not Quasi-Legislative, Says Commission Official
The FTC’s privacy report isn’t a set of “quasi-legislative principles” that the commission can use to enforce the FTC Act, an FTC official said Monday. “Unless Congress enacts legislation, these principles are merely best practices for industry,” said Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection. “It’s not going to be a template for FTC enforcement.” Mithal said at a Washington event hosted by the Congressional Internet Caucus Advisory Committee that she “often gets asked” whether the “principles” enumerated in the report have quasi-legislative force.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Mithal told a questioner there are “some things that we highlight” in the report that the commission already has resorted to under Section 5 of the FTC Act. The commission can sue a company under the FTC Act if it makes deceptive statements in its privacy policy or doesn’t provide “reasonable” data security, she said. “But by and large the principles in the report are best practices,” she said. And unless Congress acts, “this is not going to be a roadmap for how the FTC is going to enforce the FTC Act."
Mithal said she would “quibble” with an observation by moderator Christopher Wolf of law firm Hogan Lovells and the Future of Privacy Forum that the FTC’s enforcement actions at times set “new best practices in the comprehensive privacy program requirements,” such as in the recent action against Myspace (WID May 9 p7). “You have to take the complaints and orders separately,” she said. In the case of Myspace, the company said it wouldn’t “share your personal information with private” advertisers, but did it, she said. “That is classic enforcement” under Section 5, she said. One of the remedies that the FTC proposed for that practice in its order was that the company should “implement a comprehensive privacy program,” she said. But she isn’t sure that the FTC can take action against a company if it merely did not have a comprehensive privacy policy, Mithal said.
Panelists largely agreed that privacy would remain an issue even if legislation doesn’t materialize this year. Privacy is a bipartisan issue and “we will continue to have conversations” about legislation and whether self-regulation is viable, said Rachel Thomas, vice president of government affairs at the Direct Marketing Association. Predicting that there would be “no legislation this time” would be a “rash prediction,” said Peter Swire, law professor at Ohio State University and former privacy counselor in the Clinton administration. Congress shouldn’t enact legislation based on polls on public perceptions of privacy but should base it on facts, said Steve DelBianco, executive director of NetChoice.