Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Gellman, Robert --- "US Regulators differ on Privacy Enforcement" [2005] PrivLawPRpr 13; (2005) 11(6) Privacy Law and Policy Reporter 177

US Regulators differ on Privacy Enforcement

Robert Gellman

This article first appeared in the US journal Direct Marketing News, November 2, 2004 and is reproduced here by kind permission of the author and DM News.

Remember exams in school when you were asked to compare and contrast two things? That is what I propose to do with actions taken by the Federal Trade Commission and Federal Communications Commission. You can play along if you like.

The first case involves Primus Telecommunications and a violation of the FCC’s no-call rule. Primus hired Spanco Telesystems to make calls pitching international long-distance service. Primus said it had a system to prevent telemarketing calls to numbers on the no-call registry, but something went wrong. Either Primus or Spanco or both screwed up. Whatever happened, Primus deserves some credit for stopping the calls the minute it heard of the FCC investigation.

The FCC has specific statutory authority to establish rules governing unwanted telephone solicitations, and the violation was clear. The investigation, which took at least nine months, resulted in the usual consent decree, announced in September. Primus did not admit any wrongdoing, agreed not to do it again and made a “voluntary” contribution of $400,000 to the Treasury. Consumers got nothing.

Now let’s turn to the FTC. In July, the FTC entered into a consent decree with Gateway Learning Corp., the company that sells products under the “Hooked on Phonics” brand name. Gateway’s original privacy policy did not allow sharing of personally identifiable consumer information without explicit consent.

Gateway eventually changed its policy to allow disclosure to “reputable companies” whose products or services consumers might find of interest.

I always laugh at that incredibly misleading statement. Lists are for sale to just about anyone willing to pay the price.

Gateway sold some customer information collected under the first policy as well as information collected under the amended policy. The violation of the original policy was clear enough so that even the FTC could recognize it. In the consent decree, Gateway admitted to no wrongdoing and promised not to do it again. Gateway also agreed to give the Treasury the $4,608 it earned from renting consumers’ information. Consumers got nothing.

It’s time to compare and contrast these actions. I’ll wait a minute for you to form your own conclusions before I offer my own.

First, the FCC took its action to enforce a rule issued under express statutory direction. It is useful for everyone to know what the rules are. The no-call rule may be full of loopholes, but it does mostly tell people what they can and can’t do.

In the FTC case, the statutory authority is vaguer. The FTC can take action against unfair and deceptive practices. Failing to comply with a stated privacy policy can be unfair or deceptive, but the FTC issued no rule drawing substantive lines.

The FTC effectively encourages companies not to have a privacy policy so that they can’t be found in violation. In the alternative, the FTC invites vague or weasel-worded privacy promises that can’t be readily enforced.

The agency with clear statutory authority and a specific rule (FCC) extracted a substantial penalty. The agency with a weak statute and no rule at all (FTC) has only a popgun, and it is afraid or unwilling to really penalize anyone.

Second, I don’t know how long the FTC case took, but the FCC took at least nine months. I am going to guess that the FTC action took a long time as well. Both cases involved clear violations. How long would it take either agency to complete an investigation if the violation were not so stark? Both agencies have lots to do, and neither is likely to pursue privacy cases that promise a tough fight.

Third, I can’t fully assess the FCC fine because the consent decree did not explain it. I want to know how many improper calls were made and how much business Primus received as a result of the campaign. Primus paid a substantial but not overwhelming price for its violation. Still, it was enough to have hurt, and the amount seems punitive.

The FTC fine is easier to assess. The FTC made Gateway disgorge the revenue it got from selling consumer information, less than $5,000. Gateway suffered no loss by violating its privacy policy. It just had to give up the extra money that it had made. The FCC’s fine was larger by almost two orders of magnitude.

What is the lesson? The chance that any violator will be caught is remote, as is the chance of being prosecuted. At least the FCC imposed a real penalty when it acted. For the FTC, the violator suffered only a loss of revenue that resulted from the violation. Gateway was no worse off for violating its privacy policy than if it had complied.

This type of FTC privacy enforcement is a joke because it has no teeth. If the rare enforcement action doesn’t hurt, then the deterrent effect is zilch and little has been accomplished. It’s as if a bank robber’s only penalty was that he had to give back the money he stole. Fourth, consumers got nothing in both cases.

Consumers rarely get anything from federal administrative privacy actions. However, both agencies issued press releases patting themselves on the back.

I won’t ask whether you reached the same conclusions that I did. If you made it all the way to the end of the column, you deserve a passing grade in this exam.

Robert Gellman is a Washington DC based information law consultant. rgellman@netacc.net