September 24, 2020

Volume X, Number 268

September 24, 2020

Subscribe to Latest Legal News and Analysis

September 23, 2020

Subscribe to Latest Legal News and Analysis

September 22, 2020

Subscribe to Latest Legal News and Analysis

Upcoming FTC Workshop on Informational Harm; Next Brushstrokes on the FTC’s Consumer Privacy and Security Enforcement Canvas

On September 29, the Federal Trade Commission (FTC) formally announced a December 12th workshop on informational injury—the injury a consumer suffers when information about them is misused. The workshop will address questions such as, how to characterize and measure such injury and what factors businesses and consumers should consider the benefits and risks of collecting, using and providing personal information so as to gain further perspective for how the FTC should apply its legal framework for privacy and security enforcement under 15 USC § 45 (Section 5). In her September 19th remarks to the Federal Communications Bar Association, Commissioner Maureen Ohlhausen, the Acting Chairman of the FTC, metaphorically characterized the workshop’s purpose as providing the next brushstrokes on the unfinished enforcement landscape the FTC is painting on its legal framework canvas. The full list of specific questions to be addressed may be accessed here.

BackgroundThe FTC views itself as the primary US enforcer of data privacy and security, a role it recently assumed. While the FTC’s enforcement against practices causing informational injury through administrative proceedings goes back as far as 2002, its ability to pursue corporate liability for data security and privacy practices under its Section 5 “unfair or deceptive trade practices” jurisdiction was only ratified in 2015 by the US Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corporation. The FTC has actively invoked its enforcement authority but, in doing so, has been selective in determining which consumer informational injuries to pursue by questioning the strength of evidence connecting problematic practices with the injury, examining the magnitude of the injury and inquiring as to whether the injury is imminent or has been realized.

The FTC has generally taken a case-by-case approach to addressing informational injuries, which include deception, financial injury, health or safety injuries, unwarranted intrusion on privacy, and reputational harm, focusing on real-world facts and specifically alleged behaviors and practices. Rather than viewing the impact of each case in a vacuum, the cases should be viewed as part of a series whereby the FTC has integrated feedback on prior cases from advocates, the marketplace and the courts. What have emerged are various patterns comprising the current FTC enforcement landscape.

The WorkshopAccording to Chairman Ohlhausen’s remarks, the FTC is now stepping back to look at those patterns as they relate to consumer injury and to obtain additional perspectives from consumers and businesses. The purpose of this exercise is to further inform and refine the FTC’s use of its privacy and enforcement authority in future cases in a way that is measured and effective in protecting consumers from injury without stifling ongoing innovation and achieving the most good with the fewest unintended consequences (e.g., targeting substantial rather than hypothetical injury, an important distinction various courts have addressed in determining what constitutes standing for bringing a case). The workshop will be the first step in that effort and has three underlying goals: (1) to better identify the qualitatively different types of injury to consumer and business from privacy and data security incidents; (2) to explore frameworks for how the FTC may measure informational injuries and determine the risk of their occurrence; and (3) to better understand how consumers and businesses weigh informational injuries and risk when evaluating the tradeoffs to sharing, collecting, storing and using information.

The FTC’s engagement of consumers and businesses is commendable and should contribute meaningfully to its effort to achieve the right balance between protecting consumers and supporting technological innovation. Digital health innovators and other businesses whose strategies rely largely on the exchange of patient and other consumer personal information should watch closely as the FTC’s privacy and security enforcement landscape continues to unfold.

© 2020 McDermott Will & EmeryNational Law Review, Volume VII, Number 298


About this Author

Bernadette M. Broccolo, McDermott Will Emery Law Firm, Health Care Attorney

Bernadette M. Broccolo is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Bernadette has been counseling health industry organizations for over  33 years on leading edge health industry relationship formation and realignments, with a recent focus on development of provider network strategies for responding to health reform; health information technology acquisitions; electronic health information network strategy development and implementation to support innovations in care delivery and payment models, translational research and...

Marcus Ryan, Mc Dermott Law Firm, General Healthcare Attorney

Ryan B. Marcus maintains a general health care practice. He advises hospitals health systems, and health industry clients on a variety of regulatory and transactional matters, including mergers, acquisitions, affiliations, and joint ventures.

While in law school, Ryan was editor-in-chief for the Annals of Health Law and a student fellow at the Loyola University Chicago Institute for Consumer and Antitrust Studies. He served as a judicial extern for the Honorable Virginia M. Kendall in the United States District Court for the Northern District of Illinois, and completed an externship in the general counsel’s office of a Chicago-area hospital. Ryan is a recipient of the Loyola Leadership, Service, and Public Interest Recognition Award.