How good a job is the Federal Trade Commission doing with privacy cases? In three recent instances, the FTC reached a settlement that state attorneys general found inadequate. In each case, the states negotiated a more pro-privacy settlement. Whether you are an information company or a privacy advocate, the FTC’s record should be disquieting.
Let’s begin with Toysmart. In 2000, the online toy retailer was going under and decided to sell its customer list. The company’s privacy policy said that customer data would never be shared with a third party. It was a dumb promise, but the FTC decided to hold the company to it. Sort of. Under pressure from the commission, the company agreed to sell the list only to a business in the family-oriented market that agreed to restrictions on the data’s use.
That wasn’t good enough for a couple dozen states that intervened in the case. They wanted the original no-sharing promise enforced, and they negotiated a better deal for consumers. They persuaded the principal owner of Toysmart to pay for the list and then destroy it. The FTC deal looked lame in comparison.
Next up is Eli Lilly. Lilly had offered consumers at its Prozac Web site an e-mail prescription reminder service. When Lilly canceled the service, it sent all subscribers an e-mail notice. Unfortunately, each message included the e-mail address of every subscriber. The error was unintentional, but the privacy breach was significant.
Lilly and the FTC quickly negotiated a settlement that basically required Lilly to improve security. It wasn’t much of a concession by Lilly since the bad publicity was enough to give security priority anyway.
The commission’s press release rapped Lilly’s knuckles for the privacy breach and, at the same time, patted the company on the back for its privacy activities. I hope that the FTC was suitably embarrassed about the praise when Lilly was caught a few months later mailing unsolicited boxes of Prozac to consumers. That incident was much worse than Lilly’s e-mail error, and it remains on the agenda at various agencies and courtrooms.
But back to the e-mail case. Eight state attorneys general wanted more and got it. In addition to paying the states $160,000, Lilly agreed to undergo annual, independent compliance reviews over the next five years and report the findings of those reviews to the states. The states once again forced a privacy transgressor to agree to more than did the FTC.
The most recent example involves DoubleClick, the online advertising company. Over a year ago, the FTC investigated DoubleClick to see whether any of its consumer information activities constituted an unfair or deceptive trade practice. In January 2001, the staff closed its investigation, finding that DoubleClick did not violate its privacy policy.
Skip ahead to August 2002. Ten states reached a separate settlement with DoubleClick. The states got DoubleClick to agree to pro-privacy actions including independent compliance reviews and the development of a cookie viewer that will let consumers track how ads are served to them. The company also paid $450,000 to the states to cover costs. Given the failure of the FTC and of private lawsuits, the settlement that the states managed was a particular accomplishment.
So this brings us back to the original question. How well is the FTC doing with privacy cases? From the privacy advocate’s perspective, these cases indicate that the FTC is too willing to settle for half a loaf or less. The commission seems mostly interested in easy, high-profile cases, and it will let companies off the hook at a low price. The FTC isn’t doing much for consumers.
A very recent case involving publisher Ziff Davis and three states shows the FTC’s weakness in another way. A security breach at Ziff Davis put personal information of thousands of magazine subscribers online. Three states forced a settlement that included a payment of $500 to consumers who were hurt by the disclosures. The FTC did not play a role in this case.
The recovery of damages for consumers is something that the FTC rarely accomplishes. Julie Brill, from the attorney general’s office in Vermont and one of the most important state privacy litigators, observed that consumers deserve compensation for the time they spent dealing with the problem that the company caused.
From a corporate perspective, the FTC looks even worse. Settling with the FTC gets a company nothing. The settlement is just a starting point for the next round of negotiations with the state attorneys general. Companies cannot rely on the FTC to speak for all consumers. The result is that companies are damned if they settle and damned if they don’t.
As long as the FTC accepts cheap settlements, there will still be room to give more to the states. However, a tougher FTC will not be welcome because the states may ask for more anyway. Does anyone still need help figuring out why some of the anti-privacy bills on Capitol Hill want to stop states from enforcing privacy laws?
These weak-kneed settlements by the FTC undermine its credibility and the value of the agency to everyone. They don’t protect against private lawsuits. The wimpy FTC privacy actions aren’t helping anyone, but the FTC obviously thinks that they make for good press releases.
