From its founding in 1914 until roughly 2018, the Federal Trade Commission (FTC) enjoyed near complete hegemony as the primary consumer protection enforcement agency in the United States. The states played an important role, but the FTC set policy and, with its national reach, and with more enforcers than any single state, the FTC’s power was on display. When the FTC developed its privacy program out of Section 5’s deception and unfairness prongs in the 1990s, it was practically the only game in town. States tended to follow, rather than lead, on privacy enforcement. Corporate privacy compliance programs centered on the FTC’s enforcement agenda.
All of that began to change in 2018 when California passed the California Consumer Privacy Act, which was later amended by the California Privacy Rights Act. A dozen other comprehensive state privacy laws have passed since then, and more will likely follow. The enforcement landscape is now quite crowded, and companies are now focusing their compliance programs on those regimes rather than on the FTC Act.
The Supreme Court further weakened the FTC’s stature as an enforcement agency in 2021 with its decision in AMG Capital Management v. FTC, which stripped the FTC of its ability to seek equitable monetary relief in cases under Section 13(b) of the FTC Act. (Section 13(b) is the means through which the FTC seeks and obtains injunctive relief in federal court under Section 5). After AMG, the FTC can only obtain monetary relief against a company in the form of civil penalties, and those are only available for violation of a trade regulation rule (the FTC’s COPPA Rule, for example), and for violations of prior administrative orders.
Since 2021, the FTC has found itself struggling for relevance. Why bother to aim for Section 5 compliance with Section 5 when state law is more prescriptive, and when the FTC can only obtain injunctive relief in Section 5 enforcement actions?
Against this backdrop, the FTC has looked for ways to differentiate itself and to find effective ways to steer conduct through deterrence. It became creative with injunctive remedies, such as algorithmic disgorgement and injunctions that follow corporate officers from job to job, and it initiated a rulemaking to establish its own comprehensive privacy law with civil penalties available for violations. In a quieter way, however, the FTC has done something even more consequential: it has dusted off from decades of dormancy its penalty offense authority.
The FTC’s Penalty Offense Authority
Until 2021, the last time the FTC had exercised this authority was 1978. In the forty-three years since then, the authority was largely forgotten. Why revive this authority now? Because it offers a way for it to regain its consumer protection leadership position and to back it up with powerful enforcement tools. This program finds its authority in Section 5(m)(1)(B) of the FTC Act, under which the Commission can seek civil penalties from a company if it proves that:
- The company was aware that the conduct was unfair or deceptive in violation of the FTC Act; and
- The FTC had previously issued a written decision to that effect.
In other words, the FTC believes that it has found a third way to obtain civil penalties – by applying its prior litigated orders against companies to whom the orders did not apply. This has the potential to take the entire body of FTC decisions and clothe it with civil penalty authority against most of the American economy.
In order to satisfy the knowledge element of Section 5(m)(1)(B), the FTC sends companies a “notice of penalty offenses,” with a cover letter. The notice lists certain types of activities that the FTC has determined, in one or more litigated administrative decisions, to be unfair or deceptive in violation of Section 5 of the FTC Act. Companies that receive this notice and that engage in the identified conduct can face civil penalties – now set at up to $50,120 per violation. These civil penalties can add up: the FTC obtained civil penalties amounting to $275 million in its 2022 COPPA case against Epic Games.
The FTC has now sent almost 1,900 of these notices of penalty offenses to companies in five waves since 2021. The FTC publishes the notices, cover letters, and the list of companies to whom the notices are sent on its website. Only those who are immersed in FTC law know that even though the FTC makes the list of recipient companies public, the FTC is not alleging that any of them violated the law. Rather, the FTC intends to put them on notice that if they violate the law, the FTC will be entitled to seek civil penalties in a subsequent enforcement action.
The most recent notice of penalty offenses was sent to five tax preparation companies and addressed what the FTC believes is a “misuse” of information collected in confidential contexts. It stated that the FTC believed that Section 5 prohibits the secondary use of information – any information – collected in a confidential context for any purpose not explicitly requested by the individual unless the individual first provides affirmative express consent for such use. By way of examples, the FTC goes on to state that:
- “It is an unfair or deceptive trade practice to use information collected in a Confidential Context to obtain a financial benefit [any financial benefit] that is separate from the benefit generated from providing the product or service requested by the individual unless the individual first provides affirmative express consent for such use”; and that
- “It is an unfair or deceptive trade practice to use information collected in a Confidential Context to advertise, sell, or promote products or services unless the individual first provides affirmative express consent for such use.”
Prior notices of penalty offenses since 2021 involved advertising standards for health care products, as well as claims in connection with money-making opportunities, endorsements and testimonials, and for-profit colleges.
The FTC’s most recent notice of penalty offense cites a single FTC case from 1975 whereby a tax preparation services company used consumers’ personal information to advertise for its tax refund anticipation loan service. The FTC’s cover letter takes this case – from a full generation before the modern internet became available – and applies it to the use of “tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context [for secondary purposes] without first obtaining affirmative express consent.” The FTC’s cover letter goes on to cite cases the FTC has settled, without litigation, as well as FTC reports and even blog posts, to shore up its legal analysis.
The most recent notice of penalty offenses is the FTC’s first use of its penalty offense authority in a privacy context, but it is almost certainly not the last. The FTC’s Section 5 authority is vast, its 109 years of case law is immense, and the FTC has applied it in countless scenarios against companies in countless industries. The FTC can, and likely will, pivot to a broader assertion of what it believes is settled privacy law. Moreover, having sent notices to almost 700 companies in the FTC’s previous use of this authority, it’s also clear that the FTC is not reluctant to put large swaths of companies in different sectors of the economy on notice of what the FTC thinks the law is, and to dangle its civil penalty authority to discourage certain conduct.
What’s next? Having established a foothold that consent is necessary for secondary uses of personal information provided to tax preparation services, the FTC may well, in future notices of penalty offenses, identify other types of “confidential contexts” in which consumers provide companies with their personal information. Because a “confidential context” is in the eye of the beholder – the FTC defines it as “a context where an individual reasonably expects that such information will remain confidential” – one wonders how far this domain extends. Health care comes to mind, as does banking, of course. What about precise location information collected in contexts where it is not necessary to provide a good or service? What about biometric data used to make purchases, or for employment purchases? In the context of online purchases, the collection of data is often accompanied by a data security representation. Does that give rise to a reasonable belief that the information provided is confidential? What about data supplied to social media platforms and scraped for use in training algorithms? Do consumers reasonably believe that those data are confidential with respect to secondary uses? Does the FTC really mean that based on a single administrative decision from forty-three years ago that it is now illegal to advertise products to your existing consumers using information they provided in connection with a “confidential context”? After all, the FTC’s press release offers a chilling view that, “[c]ompanies that violate American’s privacy by seeking to monetize personal data without consent can face significant financial consequences.” That is a very broad statement that could have significant effects on the economy.
As with most privacy questions, the problem is with the limiting principle. It is hard to see one here. Moreover, the FTC’s willingness to dig into its decisions to find haystack needles it can use to place large sectors of the economy on notice of civil penalties also suggests that it will continue to do so to bootstrap long-ago opinions to carry the force of law in a wide variety of contexts.
The FTC’s reinvigoration of its penalty offense authority after decades of dormancy bears close attention. Use of this authority in narrow contexts may be appropriate, but the lack of a limiting principle invites questions on where the FTC is going with this newly-rediscovered enforcement power. As the FTC distills fact-specific administrative decisions into broader statements of law, applied to large numbers of companies across industries, its influence as a policymaker and enforcer increases. It’s hard to see the FTC going to the trouble of putting companies on notice of enforcement with civil penalties if it does not actually plan on bringing those enforcement actions. What we see emerging, then, is a new body of law with what amounts to liquidated administrative damages available. How far that body of law extends remains to be seen.