The Scope and Potential of FTC Data Protection

71 Pages Posted: 1 Jul 2014 Last revised: 12 Jan 2016

Woodrow Hartzog

Boston University School of Law; Stanford Law School Center for Internet and Society

Daniel J. Solove

George Washington University Law School

Date Written: November 1, 2015


For more than fifteen years, the FTC has regulated privacy and data security through its authority to police deceptive and unfair trade practices as well as through powers conferred by specific statutes and international agreements. Recently, the FTC’s powers for data protection have been challenged by Wyndham Worldwide Corp. and LabMD. These recent cases raise a fundamental issue, and one that has surprisingly not been well explored: How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?

In this Article, we address the issue of the scope of FTC authority in the areas of privacy and data security, which together we will refer to as “data protection.” We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. Yet the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss steps the FTC should take to change the way it exercises its power, such as with greater transparency and more nuanced sanctioning and auditing.

Keywords: FTC, Federal Trade Commission, privacy, data security, Wyndham, LabMD, FTCA, Section 5, deception, unfairness

Suggested Citation

Hartzog, Woodrow and Solove, Daniel J., The Scope and Potential of FTC Data Protection (November 1, 2015). 83 George Washington Law Review 2230 (2015), GWU Law School Public Law Research Paper No. 2014-40, GWU Legal Studies Research Paper No. 2014-40, Available at SSRN:

Woodrow Hartzog

Boston University School of Law

765 Commonwealth Avenue
Boston, MA 02215
United States

Stanford Law School Center for Internet and Society

Palo Alto, CA
United States


Daniel J. Solove (Contact Author)

George Washington University Law School

2000 H Street, N.W.
Washington, DC 20052
United States
202-994-9514 (Phone)

