Think the FTC Is the De Facto U.S. Data Protection Authority? State AGs May Have Something To Say

By Divonne Smoyer, CIPP/US
and Aaron Lancaster, CIPP/US

The U.S. Federal Trade Commission (FTC) has understandably been the focus of much attention in the data privacy world. The FTC is considered by many to be the primary U.S. data privacy regulator, and this blog has gone so far as calling the FTC the U.S.’s de facto data protection authority (DPA). We respectfully disagree. The FTC is facing unprecedented challenges, while state attorneys general (AGs), who have similar—and in some instances greater—authority, are taking more and more steps to protect the privacy of their citizens.

Although the FTC has used its authority under Section 5 of the FTC Act to regulate data privacy, it is facing a number of hurdles that could curtail such use, including: 

  • Challenges from litigants: The FTC now is facing not one, but two high-profile challenges to its authority to regulate data privacy and cybersecurity. In addition to the Wyndham case, LabMD also is fighting the FTC’s allegations that the company failed to protect consumer data, claiming, like Wyndham, that the FTC lacks authority under Section 5 of the FTC Act to bring a data security enforcement action on unfairness grounds. If these challenges succeed, the FTC’s authority to regulate consumer data privacy could be radically restricted.
  • Congressional skepticism: Last week, all four sitting FTC commissioners testified in their first-ever joint appearance in Congress before the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade. The commissioners called for federal privacy legislation while facing inquiries from lawmakers who questioned the FTC’s budget and scope of its regulatory actions.  
  • Dissension in its own ranks: Last week’s hearing highlighted another issue nagging the FTC—the scope of its “unfairness” authority. Although the FTC Act provides the FTC with the authority to prevent unfair acts affecting commerce, Commissioner Joshua Wright has suggested that the FTC has not sufficiently outlined its interpretation of “unfair,” a criticism echoing the challenges made by Wyndham and LabMD.

AGs, on the other hand, do not face these same barriers.

Most AGs have authority to protect privacy under their state unfair and deceptive trade practice statutes (UDAP statutes, often referred to as “mini-FTC Acts”). Notably, these statutes do not contain the same limitations on recovery of civil penalties as the FTC Act: under Section 5, the FTC cannot recover penalties for violations of the act itself but only for violations of a rule or final order issued by the FTC. AGs can also draw on a wide range of other state data privacy laws and regulations (including a host of new California laws, Massachusetts data privacy regulations, Nevada PCI compliance law, etc.).

AGs also have concurrent authority with the FTC or other federal regulators under various federal laws, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA) and others. AGs are demonstrating that they are not hesitant to use their authority to enforce the privacy rights of their states’ citizens. For example:

These are by no means the only examples of AGs exercising their authority to police data privacy but more than amply show that the FTC has some stiff competition as to whether it’s the U.S. DPA. The FTC is certainly a significant concern, but companies that are cavalier with their customers’ privacy ignore AGs at their peril. Thus, rather than having one de facto DPA in the FTC, the U.S. actually has 50+ such DPAs.

About the Author

Divonne Smoyer, CIPP/US, is a Washington, DC-based partner in Dickstein Shapiro’s State Attorneys General Practice, where she advises clients on a wide range of legal matters, including cybersecurity and data privacy issues. She has been recognized repeatedly by Chambers USA: America’s Leading Lawyers for Business as one of the country’s top attorneys in her field. Smoyer has extensive experience counseling major corporations through government investigations and litigation, as well as private litigation. Divonne can be found on Twitter @DivonneSmoyer.


Aaron Lancaster is counsel in Dickstein Shapiro’s State Attorneys General Practice, where he primarily represents clients in state investigations and litigation in a wide variety of consumer protection and data privacy matters. He also counsels clients on building relationships with State Attorneys General to minimize their exposure to state-led lawsuits and negative publicity and advises them on dealing with data breaches and other privacy concerns. 


