Submission to the OPC’s Consultation on Consent under PIPEDA (FTC)
United States Federal Trade Commission
October 2016
Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.
Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
Summary
Staff of the Federal Trade Commission (FTC) has submitted a comment on the consent and privacy discussion paper prepared by Canada’s Office of the Privacy Commissioner (OPC), which identifies the challenges that new technologies and business models pose to consent-based models of privacy protection, and offers some questions and proposed approaches to address these challenges. Many of the key concepts discussed in the OPC paper, including greater transparency of privacy disclosures, improved privacy messaging in the Internet of Things environment, and enhanced governance and accountability measures, are privacy protective approaches that we have supported.
The comment describes the FTC’s approach to the role of consent in the rapidly changing digital ecosystem, particularly with respect to the Internet of Things. The comment also addresses the enforcement-related questions posed in the discussion paper and recommends additional enforcement powers based on FTC staff’s experience. Such powers would strongly enhance the OPC’s ability to protect and promote privacy rights as well as strengthen the OPC’s ability to coordinate with the FTC in cases that affect both Canadian and American consumers. In particular, the comment notes that the OPC could better protect privacy by: (1) engaging in proactive enforcement activity rather than relying primarily on complaints; (2) having the power to issue or seek orders; and (3) having the authority to seek monetary remedies.
First, using consumer complaints as a sole indicator to guide enforcement decisions is not sufficient to allow authorities to investigate and address new and emerging privacy issues, especially when consumer notice of practices is more challenging. The sheer volume of personal data generated and the complex systems that facilitate its collection often make it difficult or impossible for consumers to identify and complain about privacy violations.
Second, having the power to issue or seek orders can be the cornerstone of a robust enforcement program, as it has been for the FTC, by providing a strong incentive for business compliance. The power to issue or seek such orders is consistent with the Organisation for Economic Cooperation and Development guidelines on privacy enforcement, which call for member countries to ensure that privacy enforcement authorities have the ability to deter, sanction and take “corrective action” against companies for practices that violate their domestic laws. In addition, orders not only provide a crucial basis for compliance monitoring and future enforcement by the FTC, but they also can provide the broader benefit of communicating the FTC’s expectations to companies more generally.
Finally, the ability to obtain monetary remedies—whether in the form of statutory fines or equitable remedies such as disgorgement and restitution (in those instances when consumers suffer economic losses)—can serve as an important tool to encourage compliance and deter unlawful conduct. Although our experience obtaining monetary remedies in privacy and security cases is more limited than it is in general fraud and deceptive advertising cases, the FTC has obtained monetary remedies for privacy violations in certain instances. In addition, the agency has advocated for such authority before Congress with respect to a broader range of privacy and data security cases because it would provide a strong enforcement tool, especially in cases where other monetary remedies, such as restitution, are impossible or impractical.
FTC staff appreciates the opportunity to comment on the OPC discussion paper, and looks forward to working closely with the OPC on privacy issues that affect consumers in the U.S. and Canada.
Full submission:
Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.
I. Introduction
Staff of the Federal Trade Commission (“FTC”)Footnote 1 appreciates this opportunity to comment on the May 2016 discussion paper prepared by Canada’s Office of the Privacy Commissioner (“OPC”).Footnote 2 The OPC discussion paper identifies the challenges that new technologies and business models pose to consent-based models of privacy protection, and offers some questions and proposed approaches to address these challenges. This comment focuses on the OPC paper’s questions about enforcement powers, and provides information about the FTC’s privacy enforcement program and its efforts to grapple with some of the same challenges recognized by the OPC.
A. The FTC’s Privacy Program and its Collaboration with the OPC
The FTC is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. As part of its consumer protection mandate, the FTC has broad authority to address issues affecting the privacy and security of consumers’ personal information, including those that have emerged with the development of new technologies and business models. The primary law that the FTC enforces, the FTC Act, 15 U.S.C. §§ 45 et seq., prohibits “unfair” or “deceptive” practices in or affecting commerce, including unfair or deceptive privacy and security practices. The FTC also enforces sector-specific statutes that protect certain health, credit, financial, and children’s information, and has promulgated regulations implementing each of these statutes.Footnote 3
The FTC has unparalleled experience in consumer privacy enforcement. To date, we have brought over 500 cases protecting the privacy and security of consumer information. Our enforcement actions have addressed a wide range of online and offline issues relating to children’s privacy, financial privacy, privacy-related promises and industry codes of conduct, as well as data security. They have also covered unfair, deceptive or other unlawful practices relating to spam, do not call, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and geo-location. Our enforcement actions include cases against well-known companies, such as Google, Facebook, Twitter, Snapchat, HTC and ASUS, as well as lesser-known businesses. The FTC’s enforcement actions send an important message to companies about the need to protect consumers’ privacy and data security. The FTC also protects consumers’ personal information by hosting public workshops,Footnote 4 conducting studies and issuing reports,Footnote 5 developing educational materials,Footnote 6 commenting on legislative and regulatory proposals,Footnote 7 and working with international partners on privacy and accountability issues.Footnote 8
Over the years, the FTC and the OPC have enjoyed a close and highly beneficial relationship on privacy issues that affect consumers in the United States and Canada. We regularly consult with each other to share information and discuss issues we observe in our work. On several occasions, the FTC has obtained and shared confidential information with the OPC relating to specific investigations.Footnote 9 In addition, we participate actively together in international governmental privacy networks, including the Asia Pacific Privacy Authorities Forum (“APPA”) and the Global Privacy Enforcement Network (“GPEN”).Footnote 10 In GPEN, the OPC has played a critical role by participating in its management committee, supporting its website, and being a founding partner of the GPEN Alert system launched in 2015.Footnote 11 This cooperation embodies the recommendations made in the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (“OECD Privacy Enforcement Guidelines”), which endorsed countries working together to “develop effective international mechanisms to facilitate cross-border privacy law enforcement co-operation” and “provide mutual assistance to one another in the enforcement of laws protecting privacy.”Footnote 12
B. Privacy and Rapid Technological Change
We commend the OPC’s effort to examine its statutory approach to privacy in this era of rapid technological change. Many of the key concepts discussed in the OPC paper, including greater transparency of privacy disclosures, improved privacy messaging in the Internet of Things (“IoT”) environment, and enhanced governance and accountability measures, are privacy protective approaches that we have supported.
The FTC, like the OPC, has been considering the transformative effects on consumer privacy of the growing “ecosystem of vast, complex information flows and ubiquitous computing.”Footnote 13 Over the past few years, we have convened public workshops and issued reports and comments on emerging privacy issues, including transparency in the data broker industry,Footnote 14 the impact of big data analytics on low income and underserved consumers,Footnote 15 cross-device tracking,Footnote 16 and the privacy and security implications of the Internet of Things.Footnote 17 In addition, in September the FTC will host a public workshop examining privacy disclosures to consumers to encourage the development and testing of shorter, clearer, easier-to-use disclosures and consent mechanisms.Footnote 18
The discussion paper specifically seeks to “identify mechanisms that could help make consent more meaningful while enabling innovation in a digital economy.”Footnote 19 The FTC has examined the role of consent in the rapidly changing digital ecosystem, particularly with respect to the IoT.Footnote 20 For example, FTC staff has emphasized that “providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT.”Footnote 21 Notice and choice is especially important when companies collect sensitive data, because “consumers would likely want to know, for example, if a company is collecting health information or making inferences about their health conditions, even if the company ultimately does not use the information.”Footnote 22 In the IoT context, staff has “acknowledge[d] the practical difficulties of providing choice when there is no consumer interface and recognize[d] that there can be no one-size-fits-all approach.”Footnote 23 Accordingly, we have suggested that companies explore new methods of providing consumer choice in the interconnected environment, including by presenting choices during set-up and using privacy dashboards and codes on devices.Footnote 24 Companies may want to consider using a combination of methods to provide choice, in light of the practical challenges posed by the IoT environment. Regardless of the approaches employed to provide consumers with meaningful notice and choice, a key issue is that companies offer consumers clear and prominent privacy choices that are not buried within lengthy legal documents.Footnote 25
It is not the case, however, that every data collection should require choice. The FTC has recognized that providing choice in every instance is not necessary to protect privacy. Thus, our reports suggest, both in the context of the IoT and elsewhere, that companies need not provide choice for data uses that are generally consistent with the context of the transaction or the company’s relationship with the consumer.Footnote 26 This is because such data uses are generally consistent with consumers’ reasonable expectations about how their data will be used, and the costs to consumers and businesses of providing notice and choice likely outweigh the benefits. In addition, if a company enables the collection of consumers’ data and de-identifies that data immediately and effectively, it need not offer choices to consumers about this collection.Footnote 27
II. Enforcement
The OPC discussion paper asks: “What additional powers, if any, should be given to the OPC to oversee compliance and enforce new or enhanced consent rules?” The paper raises several possibilities, including: (i) the ability to engage in “proactive enforcement” in addition to enforcement based on complaints; (ii) the authority to impose orders rather than simply to make non-binding recommendations; and (iii) the ability to levy fines.Footnote 28 Based on our own extensive privacy enforcement experience in the United States, we believe that additional enforcement powers along these lines would strongly enhance the OPC’s ability to fulfill its stated mission to “protect and promote the privacy rights of individuals.”Footnote 29 It would also strengthen the OPC’s ability to coordinate with the FTC in cases that affect both Canadian and American consumers.Footnote 30
A. The OPC would improve privacy protection by engaging in proactive enforcement activity rather than relying primarily on complaints.
The OPC discussion paper contemplates “engaging in proactive enforcement activity . . . in addition to enforcement based on complaints, as is typically the case under the current model.”Footnote 31 Under current law, most of the OPC’s investigations are complaint-driven.Footnote 32 Consumer complaints undoubtedly help consumer protection and privacy authorities determine how to focus their enforcement efforts and how to set priorities for policy work.
In FTC staff’s experience, however, complaints do not provide a sufficient source of information for authorities to identify and investigate new and emerging privacy issues and prioritize those that raise the greatest privacy concerns. This is due, in large part, to the sheer volume of personal data generated and the complex systems that facilitate its collection, which often make it difficult or impossible for consumers to identify and complain about privacy violations. As the OPC points out, consumers may not know that their “personal information [is being] collected by, and shared among, a myriad of often invisible players [such as data brokers, analytics companies and ad networks] who use it for a host of purposes, both existing and not yet conceived of.”Footnote 33 Consumers therefore may not know that some of these participants in the “digital information ecosystem” are required under Canadian law to obtain their consent (or, in the FTC context, are prohibited from engaging in unfair or deceptive practices) and may never learn about improper collection and use of their personal data. Accordingly, in our experience, it is helpful for enforcers to use multiple sources of information – including news reports, internal and academic research by privacy and security experts, Congressional referrals, company and competitor disclosures, and information from domestic and international enforcement partners – to learn about privacy threats and to set their enforcement priorities.
A recent FTC enforcement action against a Singapore-based mobile advertising network, InMobi, highlights the difficulties consumers may have in identifying unlawful privacy practices. As alleged in the FTC’s complaint, the mobile ad network failed to disclose that it tracked consumers’ locations—including children’s locations—without their knowledge or consent, to serve them geo-targeted mobile advertising despite claiming otherwise.Footnote 34 Indeed, according to the FTC’s complaint, the company tracked consumers’ locations whether or not the apps using the company’s software asked for consumers’ permission to do so, and even when consumers had denied such permission. In such circumstances, consumers may not know they are being tracked more broadly, and would not know to complain to enforcement authorities.Footnote 35 Therefore, authorities benefit from being able to investigate and take actions against companies, even in the absence of consumer complaints.
B. The OPC could better protect privacy with the power to issue or seek orders.
As explained in the OPC Discussion Paper, the OPC can only make non-binding recommendations and has no power to make legally enforceable orders. The FTC, by contrast, can obtain legally enforceable orders in its administrative and federal court proceedings, either via settlement (“consent orders”) or through litigation. The agency’s ability to obtain orders is the cornerstone of its robust enforcement program and provides a strong incentive for business compliance. Indeed, the power to issue or seek such orders is consistent with the international best practice set forth in the OECD Privacy Enforcement Guidelines, which calls for member countries to ensure that privacy enforcement authorities have the ability to deter, sanction, and take “corrective action” against companies for practices that violate their domestic laws.Footnote 36
The FTC’s authority to issue orders derives from the FTC Act, which authorizes agency enforcement through both administrative and judicial processes. In the administrative process, the agency, after an investigation and administrative settlement or adjudication, may issue an order enjoining specific practices and imposing requirements to ensure the defendant’s future compliance.Footnote 37 In the judicial process, the FTC may seek preliminary and permanent injunctions in federal court to remedy any provision of law enforced by the Federal Trade Commission.Footnote 38 By the end of 2015, the FTC had issued or obtained from courts several hundred orders relating to unlawful privacy and data security practices. These orders bind the companies that are subject to them, and provide relief that covers all consumers, not just consumers that have filed complaints with the FTC. For example, in the InMobi case discussed above, the FTC’s settlement order prohibits the company from collecting consumers’ location information without their affirmative express consent, and requires it to honor consumers’ location privacy settings.Footnote 39 It also requires the mobile ad network to delete the location information of consumers it collected without their consent and prohibits it from misrepresenting its privacy practices. The settlement also requires InMobi to institute a comprehensive privacy program that will be independently audited every two years for the next 20 years. The InMobi case, which involved a Singapore-based company, also illustrates that the FTC Act’s prohibition on unfair and deceptive acts or practices is not limited to protecting U.S. consumers from U.S. companies. The FTC Act also prohibits those practices that (1) cause or are likely to cause reasonably foreseeable injury in the United States, or (2) involve material conduct in the United States. 
Accordingly, in the cross-border context, the FTC has authority to protect Canadian and other foreign consumers from certain practices taking place in the United States, as well as the authority to protect American consumers victimized by foreign-based practices in the circumstances described above.Footnote 40
As the discussion above shows, administrative orders and court orders obtained by the FTC may include several key injunctive provisions, depending on the circumstances of the particular enforcement action. These may include: (1) a prohibition on engaging in the challenged conduct, or similar conduct, in the future; (2) in the appropriate case, a requirement to implement a comprehensive privacy or data security program, with specific components set forth in the order; and (3) affirmative monitoring and compliance provisions that last for a specified period of time (e.g., requirements to keep relevant business records; notify employees of the existence of the order; and notify the Commission of any changes that may affect compliance obligations). The affirmative requirements enhance the FTC’s ability to monitor ongoing compliance with the order and the FTC Act.
Once a defendant company or individual is subject to an FTC order, the defendant must comply with the order or face a variety of sanctions. Such sanctions could include a new FTC action seeking substantial monetary relief. The FTC takes order violations very seriously. For example, in 2012, the FTC settled a case against Google for $22.5 million. The FTC alleged that Google misrepresented its use of tracking cookies and thereby violated a 2011 consent order between the FTC and Google relating to Google’s social network, Google Buzz.Footnote 41 Similarly, in 2015, the FTC alleged that LifeLock, a company selling identity theft protection services, violated a 2010 agreement with the FTC when it failed to establish and maintain a comprehensive information security program to protect customers’ sensitive information, among other violations. The company agreed to pay $100 million for its alleged violations.Footnote 42
Finally, orders not only provide a crucial basis for compliance monitoring and future enforcement by the FTC, but they also can provide the broader benefit of communicating the FTC’s expectations to companies more generally. Indeed, the FTC’s 2015 publication “Start with Security” distills the lessons learned from the more than 50 data security settlements announced before then into 10 specific actions companies should take when implementing reasonable security measures.Footnote 43
C. The OPC could better protect privacy with the authority to seek monetary remedies.
The OPC’s paper cites to U.S. and European authorities’ ability to obtain monetary remedies as a possible component of an effective privacy enforcement system.Footnote 44 In FTC staff’s experience, the ability to obtain monetary remedies—whether in the form of statutory fines or equitable remedies such as disgorgement and restitution (in those instances when consumers suffer economic losses)—can serve as an important tool to encourage compliance and deter unlawful conduct. The FTC routinely seeks monetary remedies in consumer fraud and deceptive advertising cases, both to remedy financial injury to consumers and deprive defendants of wrongful monetary gains. This authority to obtain monetary remedies stems from three legal sources. First, the FTC Act authorizes the FTC to bring federal district court lawsuits seeking preliminary and permanent injunctions for unfair or deceptive trade practices in violation of the FTC Act.Footnote 45 These injunctions can include not only “conduct remedies” such as those described above, but also in appropriate cases equitable monetary relief, such as restitution for consumers and disgorgement of profits. Second, the FTC has the ability to seek civil penalties for violations of administrative orders.Footnote 46 Third, the FTC has the authority to obtain monetary civil penalties when a statute expressly provides for such penalties, based on statutorily determined maximum penalty amounts.Footnote 47
Although FTC staff’s experience with monetary remedies in privacy and security cases is more limited, the FTC has been able to rely on these three sources of authority to obtain monetary remedies for privacy violations in certain instances. A recent example involved the FTC’s action against Henry Schein Practice Solutions.Footnote 48 There, the FTC alleged that the company falsely advertised the level of encryption its patient management software provided. Under the settlement terms, the company agreed to disgorge $250,000, which represented a portion of its software sales. Three of the FTC’s privacy-related statutes also provide the FTC with authority to obtain civil penalties for violations: the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), and the provisions relating to breaches of personal health records in the American Recovery and Reinvestment Act.Footnote 49 To date, the FTC has brought more than 20 cases and obtained over $10 million in civil penalties under COPPA, and brought more than 100 cases and obtained over $200 million under the FCRA. At this time, the FTC’s civil penalty authority in the privacy and data security area is limited to these three statutes. However, the agency has advocated for such authority before Congress with respect to a broader range of data security cases because it would provide a strong enforcement tool, especially in cases where other monetary remedies, such as restitution, are impossible or impractical. In sum, the ability to seek monetary sanctions could enable the OPC to deter unlawful practices more effectively, as it has for the FTC.
III. Conclusion
The FTC has significant experience enforcing U.S. laws that protect consumer privacy. Based on our extensive privacy enforcement experience in the United States, FTC staff believes that giving the OPC the ability to proactively investigate potential privacy violations, issue or seek orders, and obtain monetary remedies would empower the agency to further protect consumer privacy.