On July 20, 2021, the House passed the Consumer Protection and Recovery Act. If the bill becomes law, it will restore authority to the FTC to seek permanent injunctions and monetary relief for victims of unfair business practices. With this bill, the FTC would be able to hand the monetary rewards over to the victims, opposed to only fining the company. Notably, provisions in this bill could serve as an alternative to a Private Right of Action for privacy violations. A Private Right of Action is a provision in a law that allows victims to sue the person/business that violated the law to hurt them. The inclusion of Private Right of Action in data privacy legislation has been the center of debate between lawmakers.
The case of AMG Capital Management v. FTC
The bill seeks to reverse the April 2021 ruling in AMG Capital Management v. FTC, where the Supreme Court unanimously ruled that the FTC did not have the authority to obtain court-ordered monetary relief for victims. The Court determined that Congress did not intend to give the FTC this power since it is not explicitly stated in the FTC Act. The Court stripped this power from the FTC, preventing them from helping victims of unjust business practices. However, Justice Stephen Breyer, who penned the opinion, noted that the FTC is “free to ask Congress to grant it further remedial authority.” And that is exactly what happened.
The new bill allows the FTC to seek permanent injunctions, which is where a company receives a court order to stop an unfair practice, and secure court-ordered financial relief for a victim, including restitution, disgorgement, and calculation against any company that has engaged in unfair business practices. In terms of privacy violations, disgorgement will be the most likely relief used, as it would force the business to pay the victim whatever financial amount was gained by an illegal data sale or another violation. The FTC deems a practice unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 USC Sec. 45(n). In previous court decisions, the FTC has established the following privacy violations as “unfair practices”:
– Failing to reasonably secure personal information, including financial and health information and contents of communications.
– Engaging in telephone records pretexting, in which information brokers obtain consumers’ phone records under false pretenses and sell the information to third parties.
– Developing and marketing “stalkerware,” in which purchasers surreptitiously install monitoring software on their partners’ phones without their knowledge or consent.
– Activating webcams surreptitiously in leased computers placed in consumers’ homes.
– Selling sensitive data such as Social Security numbers to third parties that did not have a legitimate business need for the information, including known fraudsters.
Alternative to Private Right of Action
The Consumer Protection and Recover Act can also serve as an alternative to the highly disputed Private Right of Action. A Private Right of Action in a privacy context would allow consumers to sue a business that improperly collected or used their personal data. This provision is not universal for American data privacy laws; while California’s CCPA includes a Private Right of Action, this right is absent in Virginia’s CDPA and Colorado’s CPA. The addition of a Private Right of Action has also effectively killed Washington and Florida’s data privacy bills, which you can read more about here. With this being such a contentious issue preventing the creation of privacy laws, the new FTC authority may allow state legislatures to feel that their citizens will be protected without the inclusion of a Private Right of Action, leading to more states passing data privacy laws.
What is next?
The bill passed in the House 221 -205, with Democrats and a handful of Republicans voting yes on the matter. Many House Republicans who voted against the bill argued that this power should be part of legislation to establish a national privacy law. The Consumer Protection and Recovery Act still needs to be voted on by the Senate and signed by the President; however, with this bill having mass support from the Democrats, who have a majority in the Senate, this bill will likely become law.
About Ardent Privacy
Ardent Privacy is an “Enterprise Data Minimization and Privacy Technology” solutions provider based in the Maryland/DC region of the United States and Pune/Maharashtra in India. Ardent harnesses the power of AI to enable companies with comprehensive data management and automated compliance with CDPA (Virginia), CCPA/CPRA (California), HIPAA/HITECH (Healthcare), FISMA, GDPR (EU), PDPA (Singapore), and other global regulations by taking a data-driven approach.
Ardent Privacy’s solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce privacy, functional, and legal liability in their digital transformation and journey to the cloud.
Ardent Privacy articles should not be considered as legal or technical advice on data privacy regulations, or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.