Significant FTC Fines Highlight Evolution in Privacy Enforcement Landscape

Last week produced a spate of interesting and instructive privacy and data security enforcement activity. The FTC (along with the CFPB and the states) announced a $575+ million settlement with Equifax, arising from that company’s massive 2017 data breach; the FTC reached a settlement with Facebook involving not only a monetary payment, but also commitments regarding corporate governance related to privacy interests of users; and the SEC reached a settlement with Facebook dealing with how the company had described privacy-related risks in its securities filings.

At the same time, while not directly focused on privacy, the Department of Justice announced a broad-ranging antitrust inquiry into the market positions of major tech firms that collect and use information about people who navigate those platforms.

None of these actions has any direct value as legal precedent: they are settlements, allegations, and investigations, not adjudicated, established claims. Even so, considered as a whole, they give insight into how federal enforcers are thinking about privacy and data security issues and , therefore, can provide meaningful guidance for companies in the online ecosystem that base their businesses, in whole or in part, on collecting and monetizing user information.

For example, in the FTC’s settlement with Facebook the two Democratic commissioners dissented, contending that the settlement’s relief (both in monetary terms and in terms of changes to corporate governance) supposedly did not go far enough. Combined with the willingness of the Republican commissioners to press for the extensive relief embodied in the settlement, this indicates that going forward we can expect privacy enforcement actions to seek and result in more extensive relief than we have seen in the past.

The most intriguing, if also the most opaque, of last week’s developments is the announcement that the antitrust authorities are undertaking a review of the claimed market power of large technology firms. At least since the mid-1970s, the focus of antitrust analysis has been on whether alleged problematic business conduct harms consumer welfare.

If a business lowers prices, raises service quality, adds new features, or fosters innovation, those activities are presumptively pro-competitive and legal, even if they are sometimes devastating to individual competitors. (This approach to antitrust is typically traced to Judge (then Professor) Robert Bork’s book, THE ANTITRUST PARADOX (1978).) In theory, technology companies should have nothing to worry about—their products and services keep improving, and an enormous array of features and functionalities are available for free, or nearly so—from listening to music, to social networking, to email, to getting directions on a map, to tracking airplanes in flight.

Moreover, while at any given time a company may seem dominant in one or another of those areas, barriers to entry—at least as traditionally understood—are low in the online ecosystem, so even seemingly dominant firms are always vulnerable to entry and displacement by an entrepreneur with a better idea.

Even if the recently announced antitrust review of large technology firms reflects an inflection point in antitrust doctrine—and, of course, it may not—it will likely be decades before we have a coherent economic theory that converts alleged privacy harms into harms that the antitrust laws can deal with. But farsighted practitioners (and farsighted clients) should begin to consider the relationship between consumers’ privacy expectations and possible antitrust liability. Concepts originally derived from antitrust and other competition-focused laws are already starting to show up in emerging privacy laws such as the GDPR and the CCPA—such as portability requirements that would permit consumers to demand copies of their data that can be provided to and used by other, competitive service providers. Forewarned is forearmed.

From this broad perspective, the recent spate of privacy enforcement actions—and the announced antitrust review—simply emphasizes the lack of any overall, coherent federal privacy law—a void that the newfangled antitrust theories are trying to fill. There is no federal agency with a general mandate to investigate claimed violations of consumer privacy or take enforcement action when it thinks violations have occurred.

Rather, the FTC has to link those claimed violations to conduct that is allegedly “unfair” or “deceptive” or to a prior violation of a court order. Similarly, the SEC has no direct statutory authority to impose privacy obligations on firms under its jurisdiction; it has to link claimed privacy problems to a company’s failure to disclose risks to investors and similar bootstrapping arguments.

Efforts to link privacy and antitrust may be just the latest version of trying to shoehorn privacy concerns into statutes that, fairly read, really deal with other issues. At the same time, though, it may be that the pressure to find a clear statutory basis for protecting consumer privacy interests will lead to a general federal privacy law—of which there are a range of potential examples.

Whatever problems such a law might create—and there would be many—from a practical lawyer’s standpoint, privacy legislation would at least make it unnecessary for enforcement authorities to keep trying to stretch other statutes to fit concerns they were not really drafted to address.