In a recent blog from the Washington Post, FTC Chairwoman Edith Ramirez was interviewed about the FTC’s ever growing role as the government’s de facto privacy cop. Ramirez, who was a Harvard Law School classmate of President Obama, was named the head of the FTC in 2013. Since that time, the FTC hasn’t been bashful in its efforts to go after some of the world’s largest tech giants, including Google, Apple, and Snapchat.
In addition to the enforcement actions and subsequent settlements garnered by the FTC, the FTC has also established a new technology research office. The Office of Technology Research and Investigation (“OTRI”) is the successor to the FTC’s Mobile Technology Unit, and will go beyond just mobile devices and will investigate issues, “including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.” The FTC also plans to hold workshops on the “sharing economy,” which includes companies such as Uber or Airbnb, as well as workshops regarding advertisers’ ability to follow online users from their computers or smartphones.
In the interview, Chairwoman Ramirez was asked about what role she saw the FTC playing in protecting consumer privacy, and whether her previous background in corporate law litigation were shaping the FTC’s view of privacy enforcement. When asked if she agreed that the FTC is often times regarded as the government’s de facto privacy cop, Ms. Ramirez responded:
We absolutely are in my mind the key cop on the beat when it comes to privacy. We do a very effective job on enforcement and are also thinking on the policy side. It’s very important for us to stay on top of technological developments, so we’re not only thinking about what’s happening today and ensuring companies are complying with the law, but also about what companies will do tomorrow.
Given that the FTC views itself as the top privacy cop, how does the FTC go about applying its oversight to technology? In answering this question, Ms. Ramirez stated:
[W]hen it comes to data security, if a company makes a particular promise to consumers about providing reasonable protections, we expect them to fulfill that promise. It’s quite a simple test, and we’ve used it very effectively because we find that companies say things about their practices and don’t follow through . . . [W]e think a company’s failure to provide reasonable data protections constitutes an unfair practice, because we think it’s a reasonable expectation for a consumer. If a company is making use of personal financial information, they ought to have appropriate protections in place to make sure that information isn’t compromised.
Even though the FTC has the authority to oversee unfair and deceptive practices, what can it do beyond seeking injunctive relief against such practices? Ms. Ramirez recognizes that while the FTC doesn’t have direct civil penalty authority, it can still seeks monetary judgments against tech wrongdoers:
As a general matter we don’t have civil penalty authority – we can’t simply fine a company because they failed to comply with Section V [which contains the authority to protect consumers from unfair and deceptive powers]. If, however, a company is under order [from the FTC] and they violate the order, at that point we do have civil penalty authority . . . What we can do, however, is seek monetary relief for redress to consumers – so it’s not always the case that a company we don’t have an order against won’t be subject to a judgment that would encompass financial penalties.
Finally, Ms. Ramirez was asked about how her previous experience in corporate litigation might be shaping the FTC’s privacy enforcement views, and whether it had any impact on the FTC’s decision not to pursue action against Google. To that, Ms. Ramirez responded:
Being both on the side of defending companies and as an enforcer gives you an important perspective – so it’s not just one side pitted against the other. I think it’s important to understand that the vast majority of companies do want to comply with the law. You need to have a constructive relationship with them and provide guidance. Learning how to assess a case, learning how to evaluate whether it’s appropriate to move forward with an enforcement action, determining what type of relief is needed – these are all things I was familiar with from my days as a litigator . . . I’m not going to get into the Google situation. We issued a statement that articulated our thinking and why it was that we felt it appropriate to close that particular investigation. But as a general matter, the first question we ask when we are determining whether to bring an enforcement is: What is the right outcome here? Has there been a violation of the law? Sometimes we deal with issues that are very complex, but that’s the first and foremost question that is in my mind when I’m helping to decide whether we ought to proceed.