Professors Woodrow Hartzog and Daniel J. Solove
83 Geo. Wash. L. Rev. 2230
Published in Connection With the Law Review’s 2014 Symposium “The FTC at 100”
For more than fifteen years, the FTC has regulated privacy and data security
through its authority to police deceptive and unfair trade practices as
well as through powers conferred by specific statutes and international agreements.
Recently, the FTC’s powers for data protection have been challenged
by Wyndham Worldwide Corp. and LabMD. These recent cases raise a fundamental
issue, and one that has surprisingly not been well explored: How
broad are the FTC’s privacy and data security regulatory powers? How
broad should they be?
In this Article, we address the issue of the scope of FTC authority in the
areas of privacy and data security, which together we will refer to as “data
protection.” We argue that the FTC not only has the authority to regulate data
protection to the extent it has been doing, but that its granted jurisdiction can
expand its reach much more. Normatively, we argue that the FTC’s current
scope of data protection authority is essential to the United States data protection
regime and should be fully embraced to respond to the privacy harms
unaddressed by existing remedies available in tort or contract, or by various
statutes. In contrast to the legal theories underlying these other claims of action,
the FTC can regulate with a much different and more flexible understanding
of harm than one focused on monetary or physical injury.
Thus far, the FTC has been quite modest in its enforcement, focusing on
the most egregious offenders and enforcing the most widespread industry
norms. Yet the FTC can and should push the development of norms a little
more (though not in an extreme or aggressive way). We discuss steps the FTC
should take to change the way it exercises its power, such as with greater transparency
and more nuanced sanctioning and auditing.