The FTC Act and the FTC

by John Bandler

The Federal Trade Commission Act (FTC Act) is an important piece of federal legislation to protect consumers by seeking to promote fair trade practices that are not deceptive or unfair to consumers.

The FTC Act of 1914 created the Federal Trade Commission (FTC), and has been amended over the years.

Among many other provisions, it empowers the FTC to regulate unfair or deceptive trade practices.

This power has evolved to include the general principle that companies should have fair and clear privacy practices, hold data with a certain level of security and not make deceptive claims about their level of security. Thus, the FTC is a primary federal enforcer of privacy and cybersecurity requirements.

Remember that there is no federal law that applies generally and specifically covers cybersecurity, data breach reporting, or privacy, but the FTC Act pretty much fills that role for now. There are separate specific federal laws that apply to certain sectors such as finance and health.

This short article focuses on the FTC Act regarding cybersecurity and privacy. Organizations should also consider general principles of law and other cybersecurity and privacy requirements. To zoom out a little and see the larger legal landscape, read my other article Cybersecurity Laws and Regulations Part 1 (general legal overview), and other articles.

The FTC Act established the FTC

The FTC Act established the FTC. The FTC is a "commission" made up of five commissioners, who are appointed by the President and confirmed by the Senate, and no more than three of them can be from the same political party, and their terms are seven years each, staggered. Thus the FTC is an independent agency, unlike various departments of the executive branch who report directly to the president (e.g. the head of the Department of State, or Department of Defense, which are cabinet positions reporting to the president).

The FTC authority is based upon the U.S. government's constitutional authority to regulate interstate commerce.

FTC Act § 5(a), 15 U.S.C. § 45(a)(1)

FTC Act Section 5(a) is codified as 15 U.S.C. § 45(a). It reads, in part:

(a) Declaration of unlawfulness; power to prohibit unfair practices; inapplicability to foreign trade

(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

(2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except [banks and others] ... from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.

15 U.S.C. § 45(a)

You will not find the words “privacy” or “cybersecurity” anywhere in the FTC Act, but they do have some authority over it. Certain company statements and practices regarding privacy and cybersecurity have been held to be unfair or deceptive trade practices. The FTC’s authority on these areas has been challenged and is far from absolute.

If your organization is in a specific sector, remember to look for sector specific federal laws. And don't forget  state laws.

FTC enforcement

FTC deceptive practices enforcement can include:

  • Material statement or omission likely to mislead reasonable consumers
  • False promises, failure to comply with promises, including in privacy policy or Privacy Shield

FTC unfair practices enforcement can include:

  • Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid
  • Need not have any deception
  • Inadequate disclosures or inadequate cybersecurity may be an unfair practice

FTC enforcement examples on privacy and deceptive practices include allegations regarding:

  • 2019: Facebook: $5 billion fine, violation of prior consent order, third-party developer allowed data far in excess of privacy policy
  • 2018: BLU Products: Improper collection and sharing
  • 2014: Snapchat: “Erased” messages were not; improper collection of data from address books
  • 2012: Google: Violated prior consent order, improper representations about user control, override of cookie settings.

FTC's other regulatory areas

The FTC also has other regulatory areas.

  • Regulates and enforces unfair/deceptive practices under Section 5 of the FTC Act
  • FCRA (Fair Credit Reporting Act), a privacy law regarding credit reports. FTC shares enforcement responsibility under FCRA with CFPB
    • FCRA = Fair Credit Reporting Act of 1970 (FCRA), as amended periodically including by The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
    • CFPB = Consumer Financial Protection Bureau
    • FTC used to issue rules and guidance under FCRA
    • Now rules issuance by the CFPB
  • COPPA (Children’s Online Privacy Protection Act), rule-making and enforcement for COPPA
  • CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing Act), shares rule-making and enforcement power with FCC under Telemarketing Sales Rule (TSR) and CAN-SPAM Act
  • Shares rule-making and enforcement with HHS regarding health records and data breaches under HITECH
  • Identity theft and Red Flags Rule. The Red Flags Rule is intended to protect consumers from identity theft, originally found in the 2003 FACTA, then the Red Flag Program Clarification Act of 2010, and there is a 2013 ID Theft Red Flags Rule from the SEC & CFTC.

Definitions matter

As with any law or regulation, we need to be mindful of definitions and what and who is covered. What organizations fall under these rules, and what data falls under these rules?

Conclusion and disclaimer

How does an organization comply with these complex laws and regulations?

My main takeaway -- as always -- is that organizations must first focus on protecting themselves and the data they hold, and prevent cybercrime and other incidents. In so doing, they comply with the spirit of laws and regulations. Then, organizations should analyze the legal requirements and ensure compliance.  All of this requires a comprehensive cybersecurity program.

Hopefully this short article simply explains some of the basics. This is a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances. The research is preliminary.

If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me.

Additional reading

See all the links above for references and reading to the laws, regulations, regulators, and more.

This article is hosted at https://johnbandler.com/ftc-act, copyright John Bandler, all rights reserved.

Originally posted 06/01/2024. Last updated 06/01/2024.