On June 28, 2024, as the Supreme Court term wound down, the Court issued a landmark ruling in a case called Loper Bright Enterprises v. Raimondo. The case involved a legal doctrine called “Chevron deference.” The doctrine addresses what happens when Congress grants authority to an administrative agency (say, the EPA) to regulate something and that agency interprets an ambiguous statute one way: are the courts bound to defer to the way the experts at the agency have interpreted the statute, or is a court free to put its own stamp on what the statute means? The doctrine required only deference to the administrative agency, not obedience. If the Court found that the administrative agency was wrong about how the statute was interpreted, the Court had final say, unless or until Congress itself acted.
The Chevron deference doctrine originates from the 1984 Supreme Court case Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc. The doctrine holds that when a statute is ambiguous, courts should defer to an agency’s interpretation of the statute as long as it is reasonable. This two-step process involves determining whether the statute is ambiguous and, if so, whether the agency’s interpretation is reasonable.
Chevron deference has been a cornerstone of administrative law, giving federal agencies significant leeway in interpreting and implementing statutes. It recognizes the expertise of agencies in their respective domains and aims to provide consistency and predictability in regulatory enforcement. An example of Chevron deference might be if a hypothetical Congress granted the EPA authority to regulate chemicals that were toxic, harmful or dangerous, and the EPA wanted to use that authority to regulate carbon dioxide – implicated in greenhouse gases and climate change, expected to kill millions. A regulated entity might argue that CO2 is not a “chemical” or that it is not itself “toxic” or “harmful” and that it is naturally occurring, and therefore the statute is ambiguous and that a court should decide whether CO2 is “harmful” rather than some bureaucrat in Washington. Oh, and a Court in Amarillo, Texas. Rather than relying on scientific evidence, hearings, notice and comment, a court might simply look at the word “toxic” and decide that CO2 is not toxic, and therefore it was not the intention of Congress to grant the EPA the authority to regulate it.
So what does this have to do with data privacy and security?
The Federal Trade Commission (FTC) has long been a key player in regulating data privacy and security in the United States. Historically, the FTC has relied on its broad mandate to prevent unfair or deceptive practices to enforce data privacy and security standards. However, with the potential end of the Chevron deference doctrine — a judicial principle that compels courts to defer to a federal agency’s interpretation of ambiguous laws — there is growing uncertainty about the future of the FTC’s regulatory authority. This article explores the origin and history of the FTC’s regulation of data privacy and security, examines the Chevron deference doctrine, and considers the potential implications of its demise on the FTC’s enforcement actions.
The FTC’s Role in Data Privacy and Security Regulation
The FTC was established in 1914 with the primary goal of preventing unfair methods of competition and unfair or deceptive acts or practices in commerce. Over the years, the FTC’s mandate has expanded to include consumer protection, encompassing a wide range of issues, including data privacy and security. The FTC’s authority to regulate data privacy and security primarily stems from Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Although the FTC Act does not explicitly mention data privacy or security, the FTC has interpreted its mandate broadly to include these areas. This interpretation has been the basis for numerous enforcement actions against companies that fail to protect consumer data.
The FTC has found, for example, that collecting personally identifiable information without a comprehensive data privacy and security program is “unfair” and failing to comply with written privacy or security policies is “deceptive.” Is this what Congress intended in 1914? Probably not. Is it a reasonable interpretation of the broad jurisdiction of the FTC? After Loper Bright, we may have to wait and see.
Early Cases and Enforcement Actions
One of the earliest and most significant cases involving the FTC’s authority over data privacy was the 2005 case against BJ’s Wholesale Club. The FTC alleged that BJ’s failed to implement reasonable security measures to protect customer data, leading to a data breach that exposed thousands of credit and debit card numbers. The FTC’s settlement with BJ’s included requirements for the company to implement a comprehensive information security program and obtain biennial assessments of its security measures. This is typical for an FTC settlement – to require an entity to establish specific data privacy and data security programs and report to the FTC about how it is protecting sensitive data.
Another landmark case was the FTC’s action against Facebook in 2011. The FTC charged Facebook with deceiving consumers by failing to keep privacy promises, such as sharing user data with advertisers despite assurances to the contrary. The resulting settlement required Facebook to implement a comprehensive privacy program and undergo regular privacy audits for 20 years. This was based on the FTC’s authority to regulate “deceptive” practices – promising one thing and delivering another.
These cases, among others, established the FTC as a key enforcer of data privacy and security standards in the absence of comprehensive federal privacy legislation.
Challenges to FTC Authority
Despite its proactive stance, the FTC’s authority to regulate data privacy and security has been challenged on several fronts. Critics argue that the FTC’s reliance on the broad and ambiguous language of the FTC Act exceeds its statutory authority. For example, in LabMD, Inc. v. FTC, LabMD challenged the FTC’s authority to regulate its data security practices. The Eleventh Circuit Court of Appeals ultimately vacated the FTC’s order, criticizing the FTC’s approach as too vague and not providing sufficient notice of what constitutes “unfair” practices.
A few examples illustrate challenges to the FTC’s authority to regulate data privacy and security. In FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015), Wyndham Worldwide, a hotel chain that had suffered both a data breach and a resulting FTC regulatory action, challenged the FTC’s jurisdiction, arguing that the FTC did not have clear statutory authority over data security practices and that Wyndham lacked fair notice of the required security standards. The Third Circuit upheld the FTC’s authority, ruling that Section 5’s prohibition of unfair practices includes unreasonable cybersecurity practices. The court found that Wyndham had fair notice through previous FTC actions against other companies, supporting the FTC’s broad interpretive authority in consumer protection matters involving data security.
In LabMD, Inc. v. FTC, 776 F.3d 1275 (11th Cir. 2015), LabMD contested the FTC’s authority to regulate its data security practices, arguing that the FTC’s interpretation of what constitutes “unfair” practices did not merit Chevron deference. The Eleventh Circuit criticized the FTC’s vague standards and vacated its order against LabMD. This decision underscores the challenges the FTC might face in enforcing data security standards without the benefit of Chevron deference, emphasizing the need for clearer statutory guidance to support FTC enforcement actions in data security.
Similarly, in American Bar Ass’n v. FTC, 430 F.3d 457 (D.C. Cir. 2005), the D.C. Circuit reviewed the FTC’s attempt to apply the Gramm-Leach-Bliley Act’s privacy provisions to attorneys. The court concluded that the FTC’s interpretation of the statute did not merit Chevron deference because it was not the only reasonable interpretation given the statutory ambiguity. This ruling highlights the potential difficulties the FTC may encounter in enforcing data privacy regulations if Chevron deference is curtailed, as courts might more frequently question whether the FTC’s interpretations are the best or only reasonable ones.
Trans Union LLC v. FTC, 295 F.3d 42 (D.C. Cir. 2002) involved the FTC’s authority to regulate the sale of consumer credit reports for marketing purposes. Trans Union challenged the FTC’s interpretation of the Fair Credit Reporting Act (FCRA). The D.C. Circuit upheld the FTC’s interpretation, applying Chevron deference to the agency’s construction of the statute. This case underscores the importance of Chevron deference in supporting the FTC’s regulatory authority over data privacy and security practices.
Potential Impact of the End of Chevron Deference
The potential end of Chevron deference could significantly impact the FTC’s ability to regulate data privacy and security. Without Chevron deference, courts may be less inclined to defer to the FTC’s interpretations of its statutory authority, leading to increased judicial scrutiny of the agency’s enforcement actions. In the absence of Chevron deference, litigants may seek to challenge the FTC’s authority in jurisdictions known for being skeptical of regulatory agencies. For example, the Fifth Circuit Court of Appeals has historically been less deferential to federal agencies compared to other circuits. Litigants may strategically file lawsuits in such jurisdictions, hoping to obtain favorable rulings that limit the FTC’s regulatory reach.
Conclusion
The potential end of Chevron deference poses significant challenges for the FTC’s authority to regulate data privacy and security. The FTC’s historical reliance on broad interpretations of its mandate under Section 5 of the FTC Act may come under increased judicial scrutiny. Without Chevron deference, courts may be less willing to defer to the FTC’s expertise, leading to more frequent and successful challenges to the agency’s jurisdiction. While the FTC has been a pivotal player in advancing data privacy and security standards, the evolving legal landscape underscores the need for clearer statutory guidance. As the debate over Chevron deference continues, stakeholders in the data privacy and security realm must closely monitor developments and adapt to the changing regulatory environment.