LOGIN
CONTACT US twitter facebook

The Hidden Dangers of Privacy Laws

  • Date: 30th Aug 2021

In the past few years, two landmark privacy laws have changed how U.S. companies handle personal information. The first is the European Union’s General Data Protection Regulation, or GDPR, which applies to companies that do business in Europe. The second is the California Consumer Privacy Act, or CCPA, which applies to companies of a certain size that do business in California.

Both laws provide consumers more control over their data and require businesses to track and disclose how they handle personal information. They both also threaten large fines for noncompliance. The GDPR, for example, authorizes fines that reach 20 million euros or 4% of global revenue, whichever is higher.

Companies have spent billions on compliance to avoid being penalized under these two laws. But what many businesses fail to appreciate is how the GDPR and CCPA interact with other regulatory agencies. Strictly complying with aspects of the GDPR and CCPA can make companies vulnerable to a much larger threat: the Federal Trade Commission (FTC).

Federal Trade Commission

The FTC is the most active and severe privacy regulator in the United States. The federal agency protects consumers against “unfair or deceptive practices” under section 5 of the Federal Trade Commission Act. In the context of privacy, the FTC uses this authority to monitor that companies do not make misleading statements about their privacy practices.

To avoid being fined by the FTC, companies often draft privacy policies that are vague and broad and avoid committing the company to anything definite. For example, NBC Universal’s online privacy policy states, “We may have access to your information from that social network such as your name, email address…” Saying that NBC “may” have your social network information also implies that they may not have the information. This strategy makes it difficult for the FTC to find a statement like this “deceptive” because it doesn’t really say anything at all.

Companies go to these lengths to avoid the wrath of the FTC due to the history of the agency’s enforcement in this area. Out of the top 10 largest privacy fines ever issued worldwide, the FTC is responsible for four of them, including the top two. The FTC’s $5 billion fine to Facebook in 2019 is $3 billion more than all other global privacy fines combined.

But the FTC doesn’t just go after large companies. In fact, the agency routinely charges small to medium-sized businesses for misleading statements. As an example, the FTC filed charges against the privacy compliance company TRUSTe (later rebranded as TrustArc) for misleading consumers, which the company eventually settled.

The GDPR And CCPA

In contrast to the FTC, the GDPR and CCPA require companies to be specific and definite in their privacy disclosures. The CCPA, for example, requires companies to disclose to consumers “the categories of personal information to be collected” as well as “the purposes for which the categories of personal information shall be used.” Companies must also state definitively whether they sell personal information.

These definitive statements make companies vulnerable to the FTC because if any of those declarations is not 100% accurate, the FTC could file charges. There is ample precedent for the FTC fining companies that are attempting to comply with other privacy standards. In 2019 alone, the FTC brought 13 cases against businesses that made misleading statements related to their efforts to comply with “Privacy Shield,” a standard that allows companies to transfer personal information from Europe to the United States.

With the FTC pulling companies in a different direction than the GDPR and CCPA, businesses are forced to thread the needle. This requires an expert hand in drafting privacy disclosures that are not so specific that they open the door for the FTC, but specific enough that they pass the GDPR and CCPA standard. This nuance is why so many companies choose to supplement their privacy compliance services with hours from a privacy lawyer.

Conclusion

Anything that puts a company in the path of the FTC is dangerous. A definite and specific privacy policy may feel safe under the GDPR and CCPA, but in reality, this course of action may direct the company into the jaws of a much more dangerous regulator. As Facebook can attest, the FTC is no joke.