The Hidden Dangers of Privacy Laws
- Date: 30th Aug 2021
In the past few years, two landmark privacy laws have changed how U.S. companies handle personal information. The first is the European Union's General Data Protection Regulation, or GDPR, which applies to companies established in the EU and to companies outside it that offer goods or services to, or monitor the behavior of, people in the EU. The second is the California Consumer Privacy Act, or CCPA, which applies to for-profit businesses that do business in California and meet its revenue or data-volume thresholds.
Both laws provide consumers more control over their data and require businesses to track and disclose how they handle personal information. They both also threaten large fines for noncompliance. The GDPR, for example, authorizes fines that reach 20 million euros or 4% of global revenue, whichever is higher.
Companies have spent billions on compliance to avoid being penalized under these two laws. But what many businesses fail to appreciate is how the GDPR and CCPA interact with other regulators. Strictly complying with certain disclosure requirements of the GDPR and CCPA can expose companies to a much larger threat: the Federal Trade Commission (FTC).
Federal Trade Commission
The FTC is the most active and severe privacy regulator in the United States. The agency protects consumers against "unfair or deceptive acts or practices" under section 5 of the Federal Trade Commission Act. In the privacy context, the FTC uses this authority to pursue companies whose statements about their privacy practices do not match what they actually do.
Companies take the FTC seriously because of the agency's enforcement history in this area. Of the 10 largest privacy fines ever issued worldwide, the FTC is responsible for four, including the top two. The FTC's $5 billion penalty against Facebook in 2019 was $3 billion more than all other privacy fines worldwide combined.
But the FTC does not only go after large companies. The agency routinely brings actions against small and medium-sized businesses for misleading statements. As an example, the FTC brought a complaint against the privacy compliance company TRUSTe (later rebranded as TrustArc), alleging that it misled consumers about its certification program; the company settled.
The GDPR And CCPA
Where the FTC penalizes statements that turn out to be inaccurate, the GDPR and CCPA require companies to be specific and definite in their privacy disclosures. The CCPA, for example, requires companies to tell consumers "the categories of personal information to be collected" and "the purposes for which the categories of personal information shall be used." Companies must also state definitively whether they sell personal information.
These definitive statements make companies vulnerable to the FTC because if any of them turns out to be inaccurate, the FTC can treat it as a deceptive practice and file charges. There is ample precedent for the FTC penalizing companies that were attempting to comply with other privacy frameworks. In 2019 alone, the FTC brought 13 cases against businesses that made misleading statements about their participation in "Privacy Shield," the framework that, until the EU's Court of Justice invalidated it in July 2020, allowed companies to transfer personal information from Europe to the United States.
With the FTC pulling companies in a different direction than the GDPR and CCPA, businesses are forced to thread the needle. Privacy disclosures must be specific enough to satisfy the GDPR and CCPA, yet not so categorical that any later deviation in practice hands the FTC a deception case. This tension is why so many companies supplement their privacy compliance tooling with hours from a privacy lawyer.