Submission to the OPC’s Consultation on Consent under PIPEDA (FTC)

United States Federal Trade Commission

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Summary

Staff of the Federal Trade Commission (FTC) has submitted a comment on the consent and privacy discussion paper prepared by Canada’s Office of the Privacy Commissioner (OPC), which identifies the challenges that new technologies and business models pose to consent-based models of privacy protection, and offers some questions and proposed approaches to address these challenges. Many of the key concepts discussed in the OPC paper, including greater transparency of privacy disclosures, improved privacy messaging in the Internet of Things environment, and enhanced governance and accountability measures, are privacy protective approaches that we have supported.

The comment describes the FTC’s approach to the role of consent in the rapidly changing digital ecosystem, particularly with respect to the Internet of Things. The comment also addresses the enforcement-related questions posed in the discussion paper and recommends additional enforcement powers based on FTC staff’s experience. Such powers would strongly enhance the OPC’s ability to protect and promote privacy rights as well as strengthen the OPC’s ability to coordinate with the FTC in cases that affect both Canadian and American consumers. In particular, the comment notes that the OPC could better protect privacy by: (1) engaging in proactive enforcement activity rather than relying primarily on complaints; (2) having the power to issue or seek orders; and (3) having the authority to seek monetary remedies.

First, using consumer complaints as a sole indicator to guide enforcement decisions is not sufficient to allow authorities to investigate and address new and emerging privacy issues, especially when consumer notice of practices is more challenging. The sheer volume of personal data generated and the complex systems that facilitate its collection often make it difficult or impossible for consumers to identify and complain about privacy violations.

Second, having the power to issue or seek orders can be the cornerstone of a robust enforcement program, as it has been for the FTC, by providing a strong incentive for business compliance. The power to issue or seek such orders is consistent with the Organisation for Economic Cooperation and Development guidelines on privacy enforcement, which call for member countries to ensure that privacy enforcement authorities have the ability to deter, sanction and take “corrective action” against companies for practices that violate their domestic laws. In addition, orders not only provide a crucial basis for compliance monitoring and future enforcement by the FTC, but they also can provide the broader benefit of communicating the FTC’s expectations to companies more generally.

Finally, the ability to obtain monetary remedies—whether in the form of statutory fines or equitable remedies such as disgorgement and restitution (in those instances when consumers suffer economic losses)—can serve as an important tool to encourage compliance and deter unlawful conduct. Although our experience obtaining monetary remedies in privacy and security cases is more limited than it is in general fraud and deceptive advertising cases, the FTC has obtained monetary remedies for privacy violations in certain instances. In addition, the agency has advocated for such authority before Congress with respect to a broader range of privacy and data security cases because it would provide a strong enforcement tool, especially in cases where other monetary remedies, such as restitution, are impossible or impractical.

FTC staff appreciates the opportunity to comment on the OPC discussion paper, and looks forward to working closely with the OPC on privacy issues that affect consumers in the U.S. and Canada.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

I. Introduction

Staff of the Federal Trade Commission (“FTC”)^{Footnote 1} appreciates this opportunity to comment on the May 2016 discussion paper prepared by Canada’s Office of the Privacy Commissioner.^{Footnote 2} The OPC discussion paper identifies the challenges that new technologies and business models pose to consent-based models of privacy protection, and offers some questions and proposed approaches to address these challenges. This comment focuses on the OPC paper’s questions about enforcement powers, and provides information about the FTC’s privacy enforcement program and its efforts to grapple with the some of the same challenges recognized by the OPC.

A. The FTC’s Privacy Program and its Collaboration with the OPC

The FTC is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. As part of its consumer protection mandate, the FTC has broad authority to address issues affecting the privacy and security of consumers’ personal information, including those that have emerged with the development of new technologies and business models. The primary law that the FTC enforces, the FTC Act, 15 U.S.C. §§ 45 et seq., prohibits “unfair” or “deceptive” practices in or affecting commerce, including unfair or deceptive privacy and security practices. The FTC also enforces sector-specific statutes that protect certain health, credit, financial, and children’s information, and has promulgated regulations implementing each of these statutes.^{Footnote 3}

The FTC has unparalleled experience in consumer privacy enforcement. To date, we have brought over 500 cases protecting the privacy and security of consumer information. Our enforcement actions have addressed a wide range of online and offline issues relating to children’s privacy, financial privacy, privacy-related promises and industry codes of conduct, as well as data security. They have also covered unfair, deceptive or other unlawful practices relating to spam, do not call, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and geo-location. Our enforcement actions include cases against well-known companies, such as Google, Facebook, Twitter, Snapchat, HTC and ASUS, as well as lesser-known businesses. The FTC’s enforcement actions send an important message to companies about the need to protect consumers’ privacy and data security. The FTC also protects consumers’ personal information by hosting public workshops,^{Footnote 4} conducting studies and issuing reports,^{Footnote 5} developing educational materials,^{Footnote 6} commenting on legislative and regulatory proposals,^{Footnote 7} and working with international partners on privacy and accountability issues.^{Footnote 8}

Over the years, the FTC and the OPC have enjoyed a close and highly beneficial relationship on privacy issues that affect consumers in the United States and Canada. We regularly consult with each other to share information and discuss issues we observe in our work. On several occasions, the FTC has obtained and shared confidential information with the OPC relating to specific investigations.^{Footnote 9} In addition, we participate actively together in international governmental privacy networks, including the Asia Pacific Privacy Authorities Forum (“APPA”) and the Global Privacy Enforcement Network (“GPEN”).^{Footnote 10} In GPEN, the OPC has played a critical role by participating in its management committee, supporting its website, and being a founding partner of the GPEN Alert system launched in 2015.^{Footnote 11} This cooperation embodies the recommendations made in the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (“OECD Privacy Enforcement Guidelines”), which endorsed countries working together to “develop effective international mechanisms to facilitate cross-border privacy law enforcement co-operation” and “provide mutual assistance to one another in the enforcement of laws protecting privacy.” ^{Footnote 12}

B. Privacy and Rapid Technological Change

We commend the OPC’s effort to examine its statutory approach to privacy in this era of rapid technological change. Many of the key concepts discussed in the OPC paper, including greater transparency of privacy disclosures, improved privacy messaging in the Internet of Things (“IoT”) environment, and enhanced governance and accountability measures, are privacy protective approaches that we have supported.

The FTC, like the OPC, has been considering the transformative effects on consumer privacy of the growing “ecosystem of vast, complex information flows and ubiquitous computing.”^{Footnote 13} Over the past few years, we have convened public workshops and issued reports and comments on emerging privacy issues, including transparency in the data broker industry,^{Footnote 14} the impact of big data analytics on low income and underserved consumers,^{Footnote 15} cross-device tracking,^{Footnote 16} and the privacy and security implications of the Internet of Things.^{Footnote 17} In addition, in September the FTC will host a public workshop examining privacy disclosures to consumers to encourage the development and testing of shorter, clearer, easier-to-use disclosures and consent mechanisms.^{Footnote 18}

The discussion paper specifically seeks to “identify mechanisms that could help make consent more meaningful while enabling innovation in a digital economy.”^{Footnote 19} The FTC has examined the role of consent in the rapidly changing digital ecosystem, particularly with respect to the IoT.^{Footnote 20} For example, FTC staff has emphasized that “providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT.”^{^{Footnote 21}} Notice and choice is especially important when companies collect sensitive data, because “consumers would likely want to know, for example, if a company is collecting health information or making inferences about their health conditions, even if the company ultimately does not use the information.”^{Footnote 22} In the IoT context, staff has “acknowledge[d] the practical difficulties of providing choice when there is no consumer interface and recognize[d] that there can be no one-size-fits-all approach.”^{Footnote 23} Accordingly, we have suggested that companies explore new methods of providing consumer choice in the interconnected environment, including by presenting choices during set-up and using privacy dashboards and codes on devices.^{Footnote 24} Companies may want to consider using a combination of methods to provide choice, in light of the practical challenges posed by the IoT environment. Regardless of the approaches employed to provide consumers with meaningful notice and choice, a key issue is that companies offer consumers clear and prominent privacy choices that are not buried within lengthy legal documents.^{Footnote 25}

It is not the case, however, that every data collection should require choice. The FTC has recognized that providing choice in every instance is not necessary to protect privacy. Thus, our reports suggest, both in the context of the IoT and elsewhere, that companies need not provide choice for data uses that are generally consistent with the context of the transaction or the company’s relationship with the consumer. ^{Footnote 26} This is because such data uses are generally consistent with consumers’ reasonable expectations about how their data will be used, and the costs to consumers and businesses of providing notice and choice likely outweigh the benefits. In addition, if a company enables the collection of consumers’ data and de-identifies that data immediately and effectively, it need not offer choices to consumers about this collection.^{Footnote 27}

II. Enforcement

The OPC discussion paper asks: “What additional powers, if any, should be given to the OPC to oversee compliance and enforce new or enhanced consent rules?” The paper raises several possibilities, including: (i) the ability to engage in “proactive enforcement” in addition to enforcement based on complaints; (ii) the authority to impose orders rather than simply to make non-binding recommendations; and (iii) the ability to levy fines.^{Footnote 28} Based on our own extensive privacy enforcement experience in the United States, we believe that additional enforcement powers along these lines would strongly enhance the OPC’s ability to fulfill its stated mission to “protect and promote the privacy rights of individuals.”^{Footnote 29} It would also strengthen the OPC’s ability to coordinate with the FTC in cases that affect both Canadian and American consumers.^{Footnote 30}

A. The OPC would improve privacy protection by engaging in proactive enforcement activity rather than relying primarily on complaints.

The OPC discussion paper contemplates “engaging in proactive enforcement activity . . . in addition to enforcement based on complaints, as is typically the case under the current model.”^{Footnote 31} Under current law, most of the OPC’s investigations are complaint-driven.^{Footnote 32} Consumer complaints undoubtedly help consumer protection and privacy authorities determine how to focus their enforcement efforts and how to set priorities for policy work.

In FTC staff’s experience, however, complaints do not provide a sufficient source of information for authorities to identify and investigate new and emerging privacy issues and prioritize those that raise greatest privacy concerns. This is due, in large part, to the sheer volume of personal data generated and the complex systems that facilitate its collection, which often makes it difficult or impossible for consumers to identify and complain about privacy violations. As the OPC points out, consumers may not know that their “personal information [is being] collected by, and shared among, a myriad of often invisible players [such as data brokers, analytics companies and ad networks] who use it for a host of purposes, both existing and not yet conceived of.”^{Footnote 33} Consumers therefore may not know that some of these participants in the “digital information ecosystem” are required under Canadian law to obtain their consent (or, in the FTC context, are prohibited from engaging in unfair or deceptive practices) and may never learn about improper collection and use of their personal data. Accordingly, in our experience, it is helpful for enforcers to use multiple sources of information – including news reports, internal and academic research by privacy and security experts, Congressional referrals, company and competitor disclosures, and information from domestic and international enforcement partners – to learn about privacy threats and to set their enforcement priorities.

A recent FTC enforcement action against a Singapore-based mobile advertising network, InMobi, highlights the difficulties consumers may have in identifying unlawful privacy practices. As alleged in the FTC’s complaint, the mobile ad network failed to disclose that it tracked consumers’ locations—including children’s locations—without their knowledge or consent, to serve them geo-targeted mobile advertising despite claiming otherwise.^{Footnote 34} Indeed, according to the FTC’s complaint, the company tracked consumers’ locations whether or not the apps using the company’s software asked for consumers’ permission to do so, and even when consumers had denied such permission. In such circumstances, consumers may not know they are being tracked more broadly, and would not know to complain to enforcement authorities.^{Footnote 35} Therefore, authorities benefit from being able to investigate and take actions against companies, even in the absence of consumer complaints.

B. The OPC could better protect privacy with the power to issue or seek orders.

As explained in the OPC Discussion Paper, the OPC can only make non-binding recommendations and has no power to make legally enforceable orders. The FTC, by contrast, can obtain legally enforceable orders in its administrative and federal court proceedings, either via settlement (“consent orders”) or through litigation. The agency’s ability to obtain orders is the cornerstone of its robust enforcement program and provides a strong incentive for business compliance. Indeed, the power to issue or seek such orders is consistent with the international best practice set forth in the OECD Privacy Enforcement Guidelines, which calls for member countries to ensure that privacy enforcement authorities have the ability to deter, sanction, and take “corrective action” against companies for practices that violate their domestic laws.^{Footnote 36}

The FTC’s authority to issue orders derives from the FTC Act, which authorizes agency enforcement through both administrative and judicial processes. In the administrative process, the agency, after an investigation and administrative settlement or adjudication, may issue an order enjoining specific practices and imposing requirements to ensure the defendant’s future compliance.^{Footnote 37} In the judicial process, the FTC may seek preliminary and permanent injunctions in federal court to remedy any provision of law enforced by the Federal Trade Commission.^{Footnote 38} By the end of 2015, the FTC had issued or obtained from courts several hundred orders relating to unlawful privacy and data security practices. These orders bind the companies that are subject to them, and provide relief that covers all consumers, not just consumers that have filed complaints with the FTC. For example, in the InMobi case discussed above, the FTC’s settlement order prohibits the company from collecting consumers’ location information without their affirmative express consent, and requires it to honor consumers’ location privacy settings.^{Footnote 39} It also requires the mobile ad network to delete the location information of consumers it collected without their consent and prohibits it from misrepresenting its privacy practices. The settlement also requires InMobi to institute a comprehensive privacy program that will be independently audited every two years for the next 20 years. The InMobi case, which involved a Singapore-based company, also illustrates that the FTC Act’s prohibition on unfair and deceptive acts or practices is not limited to protecting U.S. consumers from U.S. companies. The FTC Act also prohibits those practices that (1) cause or are likely to cause reasonably foreseeable injury in the United States, or (2) involve material conduct in the United States. Accordingly, in the cross-border context, the FTC has authority to protect Canadian and other foreign consumers from certain practices taking place in the United States, as well as the authority to protect American consumers victimized by foreign-based practices in the circumstances described above.^{Footnote 40}

As the discussion above shows, administrative orders and court orders obtained by the FTC may include several key injunctive provisions, depending on the circumstances of the particular enforcement action. These may include: (1) a prohibition on engaging in the challenged conduct, or similar conduct, in the future; (2) in the appropriate case, a requirement to implement a comprehensive privacy or data security program, with specific components set forth in the order; and (3) affirmative monitoring and compliance provisions that last for a specified period of time (e.g., requirements to keep relevant business records; notify employees of the existence of the order; and notify the Commission of any changes that may affect compliance obligations). The affirmative requirements enhance the FTC’s ability to monitor ongoing compliance with the order and the FTC Act.

Once a defendant company or individual is subject to an FTC order, the defendant must comply with the order or face a variety of sanctions. Such sanctions could include a new FTC action seeking substantial monetary relief. The FTC takes order violations very seriously. For example, in 2012, the FTC settled a case against Google for $22.5 million. The FTC alleged that Google misrepresented its use of tracking cookies and thereby violated a 2011 consent order between the FTC and Google relating to Google’s social network, Google Buzz.^{Footnote 41} Similarly, in 2015, the FTC alleged that LifeLock, a company selling identity theft protection services, violated a 2010 agreement with the FTC when it failed to establish and maintain a comprehensive information security program to protect customers’ sensitive information, among other violations. The company agreed to pay $100 million for its alleged violations.^{Footnote 42}

Finally, orders not only provide a crucial basis for compliance monitoring and future enforcement by the FTC, but they also can provide the broader benefit of communicating the FTC’s expectations to companies more generally. Indeed, the FTC’s 2015 publication “Start with Security” distills the lessons learned from the more than 50 data security settlements announced before then into 10 specific actions companies should take when implementing reasonable security measures.^{Footnote 43}

C. The OPC could better protect privacy with the authority to seek monetary remedies.

The OPC’s paper cites to U.S. and European authorities’ ability to obtain monetary remedies as a possible component of an effective privacy enforcement system.^{Footnote 44} In FTC staff’s experience, the ability to obtain monetary remedies—whether in the form of statutory fines or equitable remedies such as disgorgement and restitution (in those instances when consumers suffer economic losses)—can serve as an important tool to encourage compliance and deter unlawful conduct. The FTC routinely seeks monetary remedies in consumer fraud and deceptive advertising cases, both to remedy financial injury to consumers and deprive defendants of wrongful monetary gains. This authority to obtain monetary remedies stems from three legal sources. First, the FTC Act authorizes the FTC to bring federal district court lawsuits seeking preliminary and permanent injunctions for unfair or deceptive trade practices in violation of the FTC Act.^{Footnote 45} These injunctions can include not only “conduct remedies” such as those described above, but also in appropriate cases equitable monetary relief, such as restitution for consumers and disgorgement of profits. Second, the FTC has the ability to seek civil penalties for violations of administrative orders.^{Footnote 46} Third, the FTC has the authority to obtain monetary civil penalties when a statute expressly provides for such penalties, based on statutorily determined maximum penalty amounts.^{Footnote 47}

Although FTC staff’s experience with monetary remedies in privacy and security cases is more limited, the FTC has been able to rely on these three sources of authority to obtain monetary remedies for privacy violations in certain instances. A recent example involved the FTC’s action against Henry Schein Practice Solutions.^{Footnote 48} There, the FTC alleged that the company falsely advertised the level of encryption its patient management software provided. Under the settlement terms, the company agreed to disgorge $250,000, which represented a portion of its software sales. Three of the FTC’s privacy-related statutes also provide the FTC with authority to obtain civil penalties for violations: the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), and the provisions relating to breaches of personal health records in the American Recovery and Reinvestment Act.^{Footnote 49} To date, the FTC has brought more than 20 cases and obtained over $10 million in civil penalties under COPPA, and brought more than 100 cases and obtained over $200 million under the FCRA. At this time, the FTC’s civil penalty authority in the privacy and data security area is limited to these three statutes. However, the agency has advocated for such authority before Congress with respect to a broader range of data security cases because it would provide a strong enforcement tool, especially in cases where other monetary remedies, such as restitution, are impossible or impractical. In sum, the ability to seek monetary sanctions could enable the OPC to deter unlawful practices more effectively, as it has for the FTC.

III. Conclusion

The FTC has significant experience enforcing U.S. laws that protect consumer privacy. Based on our extensive privacy enforcement experience in the United States, FTC staff believes that giving the OPC the ability to proactively investigate potential privacy violations, issue or seek orders, and obtain monetary remedies would empower the agency to further protect consumer privacy.

Footnote 1

This comment represents the views of the FTC’s Office of International Affairs. It does not necessarily represent the views of the FTC or of any individual FTC Commissioner.

Return to footnote 1

Footnote 2

See Policy and Research Group of the Office of the Privacy Commissioner of Canada, Consent and Privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (May 2016), (hereinafter “OPC Discussion Paper”).

Return to footnote 2

Footnote 3

See generally FTC Staff Report, 2015 Privacy and Data Security Update (Jan. 2016), (providing an overview of such statutes and rules enforced by the FTC, as well as examples of recent privacy and data security enforcement actions).

Return to footnote 3

Footnote 4

Since January 2014, the FTC has held workshops on big data, mobile device tracking, connected health and fitness devices, online lead generation, and cross-device tracking. This fall, the FTC will host workshops on emerging consumer technologies issues, including ransomware, drones, and smart TVs. See Press Release, FTC to Host Fall Seminar Series on Emerging Consumer Technology Issues.

Return to footnote 4

Footnote 5

See FTC Report, Protecting Consumer Privacy in an Era of Rapid Change (March 2012), (hereinafter “Privacy Report”); FTC Staff Report, Internet of Things: Privacy & Security in a Connected World (Jan. 2015), (hereinafter “IoT Report”).

Return to footnote 5

Footnote 6

See Start with Security: A Guide for Business (June 2015); Online Tracking (June 2016).

Return to footnote 6

Footnote 7

See FTC Staff Comment, Comment of the Staff of the Bureau of Consumer Protection of the Federal Trade Commission Before the Federal Communications Commission: In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 2016).

Return to footnote 7

Footnote 8

See Press Release, FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other Economies in the Asia-Pacific Region, Nov. 14, 2011, (announcing the creation of the APEC Cross-Border Privacy Rules System).

Return to footnote 8

Footnote 9

For example, in 2009, the OPC found, “based largely on information provided by the FTC,” that American company Accusearch, Inc. violated Canada’s privacy law, known as PIPEDA. See Press Release, Complaint under PIPEDA against Accusearch, Inc., doing business as Abika.com. As the OPC noted then, “This is an important step in international co-operation and collaboration that will become increasingly necessary to adequately protect privacy rights on both sides of the border in years to come. The collaborative efforts of the OPC and the FTC in this case have enhanced and ensured consistency in approach between the two jurisdictions.” Id.

Return to footnote 9

Footnote 10

GPEN is an informal network of more than 60 privacy enforcement authorities that, among other things, share best practices with respect to cross-border challenges and support joint enforcement initiatives.

Return to footnote 10

Footnote 11

See Press Release, FTC and Seven International Partners Launch New Initiative to Boost Cooperation in Protecting Consumer Privacy, Oct. 26, 2015.

Return to footnote 11

Footnote 12

See OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (2007).

Return to footnote 12

Footnote 13

See OPC Discussion Paper at 1.

Return to footnote 13

Footnote 14

See FTC Report, Data Brokers: A Call for Transparency and Accountability (May 2014).

Return to footnote 14

Footnote 15

See FTC Report, Big Data: A Tool for Inclusion or Exclusion? (January 2016), (hereinafter “Big Data Report”). In the report, the FTC noted that the use of big data analytics of consumer information for commercial use raises important issues about notice and choice.

Return to footnote 15

Footnote 16

See FTC Website, Cross-Device Tracking: An FTC Workshop.

Return to footnote 16

Footnote 17

See IoT Report.

Return to footnote 17

Footnote 18

See Press Release, FTC to Host September Workshop on Testing Effectiveness of Consumer Disclosures, May 24, 2016.

Return to footnote 18

Footnote 19

See OPC Discussion Paper at 10.

Return to footnote 19

Footnote 20

See IoT Report; FTC Staff Comment, Comment of the Staff of the Bureau of Consumer Protection and the Office of Policy Planning Before the NTIA: The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things (June 2016).

Return to footnote 20

Footnote 21

See IoT Report at 39.

Return to footnote 21

Footnote 22

See IoT Report at 45. We have also emphasized the importance of obtaining affirmative express consent before sharing sensitive data or using data in a manner materially different from what was represented at the time of its collection. See Privacy Report at 57-60.

Return to footnote 22

Footnote 23

See IoT Report at 41.

Return to footnote 23

Footnote 24

See IoT Report at 41-42.

Return to footnote 24

Footnote 25

See IoT Report at 43.

Return to footnote 25

Footnote 26

See Privacy Report at 48; see IoT Report at 40. (“For example, suppose a consumer buys a smart oven from ABC Vending, which is connected to an ABC Vending app that allows the consumer to remotely turn the oven on to the setting, ‘Bake at 400 degrees for one hour.’ If ABC Vending decides to use the consumer’s oven-usage information to improve the sensitivity of its temperature sensor or to recommend another of its products to the consumer, it need not offer the consumer a choice for these uses, which are consistent with its relationship with the consumer. On the other hand, if the oven manufacturer shares a consumer’s personal data with, for example, a data broker or an ad network, such sharing would be inconsistent with the context of the consumer’s relationship with the manufacturer, and the company should give the consumer a choice.”).

Return to footnote 26

Footnote 27

See IoT Report at 43.

Return to footnote 27

Footnote 28

See OPC Discussion Paper at 24-25.

Return to footnote 28

Footnote 29

See OPC website, “Mandate and Mission.”

Return to footnote 29

Footnote 30

See OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013) (“The continuous flows of personal data across global networks amplify the need for improved interoperability among privacy frameworks as well as strengthened cross-border co-operation among privacy enforcement authorities.”).

Return to footnote 30

Footnote 31

See OPC Discussion Paper at 24.

Return to footnote 31

Footnote 32

See The Personal Information Protection and Electronic Documents Act, 2000 S.C., c. 5. § 11,

Return to footnote 32

which pertains to complaints filed not just by individual consumers but also by consumer and privacy organizations.

Footnote 33

See OPC Discussion Paper at 6.

Return to footnote 33

Footnote 34

United States v. InMobi Pte Ltd., Civil No. 3:16-cv-03474 (N.D.Cal. June 22, 2016) (Complaint).

Return to footnote 34

Footnote 35

See OECD, Enhancing Consumer Policy Making: The Role of Consumer Complaints (2012) (“Complaints can only be relied on to help to identify problems which consumers have observed; problems which are less obvious, but which could nonetheless be causing significant consumer detriment, will not be captured.”).

Return to footnote 35

Footnote 36

See OECD Privacy Enforcement Guidelines at 9.

Return to footnote 36

Footnote 37

See 15 U.S.C § 45(b).

Return to footnote 37

Footnote 38

See 15 U.S.C § 53(b).

Return to footnote 38

Footnote 39

United States v. InMobi Pte Ltd., Civil No. 3:16-cv-03474 (N.D.Cal. June 22, 2016) (Stipulated Order).

Return to footnote 39

Footnote 40

See 15 U.S.C. § 45(a)(4)(A).

Return to footnote 40

Footnote 41

See FTC Website, Google Inc.

Return to footnote 41

Footnote 42

See FTC Website, LifeLock, Inc.

Return to footnote 42

Footnote 43

See Start with Security: A Guide for Business (June 2015).

Return to footnote 43

Footnote 44

See OPC Discussion Paper at 30.

Return to footnote 44

Footnote 45

See 15 U.S.C. § 53(b).

Return to footnote 45

Footnote 46

See 15 U.S.C. §§ 45(l), (m).

Return to footnote 46

Footnote 47

On August 1, 2016, the maximum civil penalty amount the FTC can seek per violation will increase from $16,000 to $40,000. See Press Release, FTC Raises Civil Penalty Maximums to Adjust for Inflation.

Return to footnote 47

Footnote 48

Henry Schein Practice Solutions, Inc., No. C-4575 (F.T.C. May 20, 2016) (Decision and Order).

Return to footnote 48

Footnote 49

Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506; Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681u, as amended; American Recovery and Reinvestment Act of 2009, 42 U.S.C. § 17932.

Return to footnote 49

Date modified:: 2016-10-05

Language selection

Search and menus

Search