The FTC and Privacy and Security Duties for the Cloud

6 Pages Posted: 15 Apr 2014 Last revised: 30 Aug 2014

See all articles by Daniel J. Solove

Daniel J. Solove

George Washington University Law School

Woodrow Hartzog

Boston University School of Law; Stanford Law School Center for Internet and Society

Date Written: April 14, 2014


Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider. In many cases, however, these contracts fail to contain key protections of data. Because the consumer is not a direct party to these contracts and often cannot even have access to these contracts, the consumer is often powerless, and the consumer’s interests are often not adequately represented.

In this short essay, we argue that there is a remedy in Section 5 of the Federal Trade Commission (FTC) Act that prohibits unfair and deceptive trade practices. Certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.

Keywords: privacy, data security, cloud, contract, FTC, Federal Trade Commission, consumer protection law

Suggested Citation

Solove, Daniel J. and Hartzog, Woodrow, The FTC and Privacy and Security Duties for the Cloud (April 14, 2014). 13 BNA Privacy & Security Law Report 577 (2014), GWU Law School Public Law Research Paper No. 2014-28, GWU Legal Studies Research Paper No. 2014-28, Available at SSRN:

Daniel J. Solove (Contact Author)

George Washington University Law School ( email )

2000 H Street, N.W.
Washington, DC 20052
United States
202-994-9514 (Phone)


Woodrow Hartzog

Boston University School of Law ( email )

765 Commonwealth Avenue
Boston, MA 02215
United States

HOME PAGE: http://

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States


Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics