October 16, 2019

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

Officials Comment on the Future of FTC, FCC, and CFPB Privacy Enforcement Authority

At a recent IAPP privacy event, officials from the FTC and CFPB offered insight into their respective agencies’ future enforcement plans, as well as the shifting landscape of privacy enforcement actions.  Although such enforcement actions have historically been the domain of the FTC, the FCC recently entered the privacy enforcement arena, announcing a $10 million fine against two telecommunications carriers on October 24 for failing to protect customer data.  While the FTC has broad authority under Section 5 to police unfair and deceptive acts and practices, the FCC relied on its authority under Section 201(b) to prohibit “unjust or unreasonable” practices to support its recent enforcement action.  The FCC also announced on October 28 that it joined the Global Privacy Enforcement Network, an organization dedicated to fostering cross-border cooperation among privacy authorities. Prior to the FCC’s joining the Network, the FTC was the only U.S. member.

At the event, Maneesha Mithal, the associate director of the FTC’s Division of Privacy and Identity Protection, dismissed concerns about conflicts and overlaps between the FTC and FCC when it comes to enforcement.  Mithal applauded the FCC’s foray into privacy enforcement, citing the importance of having “multiple cops on the beat.” Mithal also noted that the two agencies are committed to working “very closely” to avoid the risk of creating “overlapping, duplicative or conflicting requirements.”  As part of this effort, Mithal told the audience that she meets “fairly frequently” with Travis LeBlanc, the Chief of the FCC’s Enforcement Bureau.

On a separate panel, CFPB Senior Counsel Pavneet Singh offered a summary of the CFPB’s enforcement powers, as well as guidance for what to expect from the agency’s future plans for enforcement.  Singh noted that the CFPB’s enforcement jurisdiction, like the FTC’s Section 5 authority, encompasses unfair or deceptive acts or practices, and stated that the FTC’s actions “generally inform the Bureau’s views on unfairness and deception.”  When questioned about the CFPB’s future plans for privacy enforcement, she declined to offer details but stated that the Bureau “look[s] for violations of consumer financial laws through enforcement and examination, and a lot of what priorities are made is based on what we find.”

While the FCC has just begun to explore its ability to enforce privacy regulations, the CFPB has yet to exercise the privacy enforcement authority granted to it under the Dodd-Frank Act.  Under the Act, as codified in 12 U.S.C. Section 5531, the CFPB has the power to punish any “unfair, deceptive, or abusive act or practice . . . in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”  Singh also noted that future publications of the Bureau’s unified agenda, which is released bi-annually, may offer some insight into the CFPB’s future plans for enforcement.

© 2019 Covington & Burling LLP


About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...