Schneier on Security
A blog covering security and security technology.
August 29, 2013
The Federal Trade Commission and Privacy
New paper on the FTC and its actions to protect privacy:
Abstract: One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States -- more so than nearly any privacy statute and any common law tort.
In this article, we contend that the FTC's privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC's privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy "common law" demonstrates that the FTC's privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this "common law" into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, that extends far beyond privacy policies, and that involves a full suite of substantive rules that exist independently from a company's privacy representations.
Posted on August 29, 2013 at 12:28 PM
While it is chilling to think of bureaucrats from the executive branch making laws and overturning contracts, still, from a moral "what the law oughtta be, not what is" perspective, there are two plusses:
(1) If a contract is an agreement as understood by the two parties, then "consumer expectations of privacy" are a more genuine part of a contract than small print hidden deep in an opaque document.
(2) A specialist quasi-court can probably formalise those expectations more cheaply, quickly and accurately than the real judiciary (let alone the real legislature).
It still scares the --it out of me that the real governing of democracies is moving from the traditional three branches and towards unknown, unelected apparatchiks.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.