Data Breaches and Potemkin Privacy: How FTC Regulation Can Restore Authority and Agency to Online Users and Destroy the Data Oligarchy
The University of Arizona Law Journal of Emerging Technologies, Forthcoming
51 Pages Posted: 15 Jun 2020
Date Written: June 11, 2019
The 1990s marked a new era for the American economy. The internet was poised to alter the world, connect people and shape global commerce in a manner usually only achieved by war or revolution. Skeptics claimed that the internet was a bad bet and that the online economy would fail because no tangible good or service was being offered. Nearly 30 years later, the reality is that the internet is synonymous with economic success. Many of America’s largest and most profitable corporations are online-based services/websites, and the major motivating force online, the force that pushes stock prices higher, that increases company valuations, that serves as the engine of growth and progress, is data. Data, your data, is parceled, bought, sold and traded online for the sake of economic progress. It is used to determine who you are, what you like, what you’ll spend money on, who you consider voting for and how best to advertise, motivate and persuade you. Regulation of the “data market” is almost non-existent; users lack the capacity to regulate and rarely have a choice in what data is collected from them and how it is used. Congress has failed to restrict data-mining practices, provide adequate oversight and create uniform standards for companies storing sensitive data to follow. As a result, hackers have exploited the negligent security practices in pursuit of lucrative payoffs and shady agendas.
Data breaches are the new normal, and in a society reliant on internet access, data breaches have unimaginable consequences for infrastructure, businesses, the individual and democracy. The lack of federal intervention with regard to creating and enforcing a uniform set of data security protocols has been devastating for consumers and the public. Additionally, lack of regulation in the “data market” and lack of oversight on data brokerage and analytic firms has ensured vast troves of data that can be exploited, harvested and weaponized. My note will first analyze the existing legal frameworks that have failed users; it will then brief some of the most egregious data breaches and data scandals of the past 5 years; and finally, it will argue that FTC regulation is the best vehicle to rein in negligent security practices and found a new set of online norms.
More specifically, Part II of this paper will focus on the “data market” itself, the realities of our tech-driven economy, the rise of data brokers, the challenges facing consumers broadly and a brief outline of the consequences of ignoring data breaches and the potential harm from them. Part III of this paper takes an in-depth look at privacy law and the existing legal framework and remedies available for consumers. It briefs the challenges facing litigants and broadly indicts the current regime as insufficient and unresponsive. Part IV specifically briefs the failure of contract claims to compel more meaningful accountability on data-collectors and discusses persistent issues regarding notice and choice in the present regime (especially with regard to click-wrap and browse-wrap agreements). Part V addresses the failure of tort claims to assign liability to negligent companies and bad actors. It also briefs the relentless hurdle litigants face in proving Article III standing and in achieving class certification.
Part VI will then examine the regulatory and legislative failures of data security, as well as regulation issues that have arisen due to both Due Process and First Amendment claims against attempted data security reforms. Part VII is a comprehensive review of several recent data breaches, with an aim at briefing the motives of hackers and assessing the tangible costs of an unregulated and unsecured data market. It will review the factors in each breach that spoke to corporate negligence, liability or faulty security practices. Then, in Part VIII, I will evaluate the success of the Federal Trade Commission (FTC) regulation and lawsuits under 15 U.S.C. § 45 “Unfair and deceptive trade practices.” I will again review the data breaches of Part VII, but with specific focus on the remedies that FTC governance provided and the oversight they’ve created in negotiating “Consent Orders” with those companies.
I will address some of the consistent criticisms of FTC governance and will argue that FTC governance under 15 U.S.C. § 45 should not only be affirmed as a viable, responsive, existing structure to rein in unsolicited data-collection and negligent data security practices, but that its powers should be expanded and recognized in light of its successes in creating a set of protocols for data security, for its status as a check on careless corporations and for serving as an effective advocate for users. Part IX will conclude by stating that FTC governance will protect the public from unwanted intrusions and exposure from data breaches, will create a cause of action when bad actors use unfair/deceptive trade practices and will, in the long term, restore agency to the public over their own data and foster a more dynamic expectation of security.
Keywords: Data, Data Mining, Privacy, Law, FTC, Regulation, Data Breaches