FTC Takes New Privacy Initiatives
Enforces Privacy Obligations Offline
The Federal Trade Commission recently alleged that privacy disclosures made by an offline company were deceptive and in violation of consumer protection laws. The case is significant because it extends the FTC's enforcement stance on online privacy matters to the offline world. In addition, the case reveals the agency's expectation that companies will not only be truthful in their privacy disclosures, but that they will also avoid deception by giving individuals a reasonably comprehensive description of how personally-identifiable information (PII) will be used. Howard Beales, Director of the FTC's Bureau of Consumer Protection, and other agency officials have said the case is an "important" signal as to the agency's enforcement policy.
The National Research Center for College and University Admissions (NRCCUA) collected PII from high school students, saying the information would be used for educational purposes. In fact, NRCCUA also disclosed students' information to direct marketers. The FTC sued NRCCUA claiming that it had deceived students and high school administrators about how the PII would be disclosed. The company has entered into a consent decree with the FTC, promising to reveal how PII will be used and disclosed, not to share previously-collected PII for non-educational purposes, and to document these compliance efforts.
With some exceptions, U.S. law does not require companies to disclose to consumers how they share PII and for what purpose. But the FTC has made clear that if online companies in fact describe how they gather, manipulate or share personal data, they must be accurate and not misleading, or risk violating laws against unfair and deceptive trade practices. The NRCCUA case affirms that the offline world must likewise avoid misrepresentations in its privacy disclosures.
The Charge Against Spam
The FTC recently announced a new joint initiative against deceptive spam involving federal, state and local consumer protection agencies. So far, the group has filed more than 30 law enforcement actions and sent approximately 100 warning letters to suspected illegal spammers. The agencies jointly conducted a "Spam Harvest" in which email addresses were planted in chat rooms, commercial websites and with other online service providers in order to identify which actions by consumers are likely to lead to spam. Based on the results of the Harvest and other investigations, the agencies sued spammers who used familiar logos without authorization, forged email headers ("spoofing") or made fraudulent offers. Charges include violations of the FTC Act based on unfair and deceptive practices, and in cases of "pretexting"-posing as another entity in order to get financial information- violations of the Gramm-Leach-Bliley Act.