The FTC, LabMD, and the state of US privacy law
I published some thoughts on the U.S. Court of Appeals decision in the latest saga between LabMD and the FTC. While very narrow, the ruling does present obstacles for future FTC enforcement in the privacy and data security space. More than anything, it demonstrates the need for U.S. privacy and data security legislation. The FTC continues to operate in this space against an unconventional legal backdrop, merely 14 words in Section 5 of the FTC Act, which dates back to 1914 (“unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful”). Compare this to the 55,000 words in the European General Data Protection Regulation of 2018 and you can clearly see why the agency must chart its own path.
It's also a good opportunity to revisit research we've produced at the IAPP Westin Center. In September 2014, IAPP Westin Fellow Patricia Bailin published a study titled “What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices.” In it, she sought to “reverse engineer” the FTC’s implied standard for privacy and data security, exactly the standard the Court found lacking in the LabMD decision. Reading between the lines of numerous cases where the FTC articulated why certain practices were unreasonable, the Westin Center tried to delineate the zone of activity that the agency would consider to be reasonable. Perhaps this helps respond to some of the criticism of the agency's actions. In addition, we now present an updated piece, written by IAPP Westin Fellow Müge Fazlioglu, “What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices: A Follow Up Study.” In it, Fazlioglu updates Bailin's report with the numerous FTC privacy and security cases between 2014 and 2018 and adds new categories to it.
My conclusion in the piece is that with states rushing in to fill the legislative void in Washington - Vermont legislating against data brokers, Illinois restricting biometric information and California weighing a sweeping privacy ballot initiative - businesses may soon be clamoring for a uniform, national privacy law, overseen by a responsible agency like the FTC.
Please share your comments/thoughts!