Privacy law spanning FTC, HHS, and FCC

Agencies and Their Privacy Jurisdiction

FTC (Federal Trade Commission):
The primary enforcer of consumer privacy protections across various industries, especially under Section 5 of the FTC Act which prohibits unfair or deceptive acts. The FTC regulates privacy policies, data security, and deceptive privacy practices broadly, including online privacy and commercial data use.

HHS (Department of Health and Human Services):
Oversees privacy in the healthcare sector through the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. HHS regulates protected health information (PHI) and enforces standards on covered entities like hospitals, insurers, and health plans.

FCC (Federal Communications Commission):
Regulates privacy related to telecommunications and broadband providers, including customer proprietary network information (CPNI) and rules protecting consumer privacy in the telecom sector.

How These Agencies Interact with Privacy Law

The agencies have overlapping but distinct regulatory scopes, sometimes leading to coordinated enforcement.

The FTC often fills gaps where sector-specific privacy laws, such as HIPAA or the telecom privacy rules, do not apply.

The cases below turn on agency jurisdiction, the limits of enforcement authority, and how privacy principles are interpreted.

Key Case Laws

1. FTC v. Wyndham Worldwide Corp. (2015) — U.S. Third Circuit Court of Appeals

Background:
Wyndham suffered repeated data breaches compromising customer information.

Issue:
Whether the FTC could enforce data security practices as an unfair trade practice under Section 5.

Decision:
The court upheld the FTC’s authority to regulate inadequate data security as an unfair practice.

Significance:

Affirmed FTC’s broad authority in privacy and cybersecurity enforcement.

Clarified that companies must maintain reasonable data security.

2. United States v. Loomis (2017) — U.S. District Court, Wisconsin

Background:
This criminal case involved improper use of health information.

Issue:
Application of HIPAA privacy rules enforced by HHS and the Department of Justice.

Outcome:
Defendant was convicted of unauthorized disclosure of PHI.

Significance:

Demonstrated HHS’s enforcement role in protecting health data privacy under HIPAA.

Showed interplay between privacy law and criminal enforcement.

3. FCC v. AT&T Inc. (2016) — U.S. Court of Appeals for the District of Columbia Circuit

Background:
FCC issued privacy rules restricting broadband providers from using customer data without consent.

Issue:
Whether FCC had statutory authority under the Communications Act to enforce these privacy rules.

Decision:
The court vacated the FCC’s privacy rules, holding the FCC lacked authority under the relevant provisions.

Significance:

Highlighted limits on FCC authority in broadband privacy regulation.

Led to reliance on FTC for some broadband privacy enforcement.

4. In re Facebook, Inc. (2019) — FTC Administrative Settlement

Background:
Facebook was found to have misrepresented privacy settings and shared user data with third parties.

Issue:
FTC investigated deceptive privacy practices.

Outcome:
Facebook agreed to a $5 billion settlement, which also imposed privacy program requirements on the company.

Significance:

Showed FTC’s power to enforce privacy promises and impose penalties.

Raised the stakes for corporate privacy accountability.

5. In re LabMD, Inc. (2016-2018) — FTC Administrative Proceedings

Background:
LabMD was investigated after a data breach exposed sensitive health information.

Issue:
Whether LabMD’s data security failures constituted unfair practices under FTC jurisdiction.

Outcome:
The case was dismissed after lengthy proceedings, with the Commission divided on whether the FTC’s standards had been met.

Significance:

Illustrated challenges in FTC enforcement of data security cases.

Highlighted tensions in privacy enforcement standards.

Summary

FTC: Enforces broad privacy protections, especially around deceptive and unfair practices, including data security. It can impose large penalties (e.g., Facebook) and has broad reach.

HHS: Focuses on health data privacy under HIPAA, with enforcement powers and the ability to impose civil penalties for PHI breaches.

FCC: Regulates telecom privacy but has limited authority over broadband privacy after court decisions (e.g., AT&T case).

These agencies collectively create a patchwork regulatory environment addressing different privacy aspects.
