Consumer Privacy: Can the FTC Enforce a Voluntary Code of Conduct?

The Administration launched the initiative to craft the Privacy Bill last February 23. A section of its Framework document entitled “Protecting Privacy Through Effective Enforcement” (complete PDF document available here) reads as follows: “The Administration also takes enforcing statutory privacy rights seriously. Federal agencies with law enforcement authority have taken action against those who violate privacy rights.”

Insert Statute Here

The key word there is “statutory,” meaning a part of the law – typically meaning, not something a citizen or a corporation adheres to voluntarily. On Wednesday, NTIA launched a public comments period, calling upon stakeholders in systems that may exchange personally identifiable data to volunteer their ideas on the creation of codes of conduct that may then be legally enforceable. The comments period closes on March 26.

“The privacy multi-stakeholder process is voluntary. A code of conduct will not be binding on a company unless and until that company affirmatively commits to follow it,” reads the call for comments as printed in the Federal Register (PDF available here). “NTIA expects that a company’s public commitment to follow a code of conduct will be legally enforceable, provided the company is subject to the Federal Trade Commission’s jurisdiction.”

The Washington, D.C. law firm of Mintz Levin contributed to the National Law Review a document which attempts to condense the White House’s 52-page explanation into fewer words. In it, three of the firm’s attorneys make the case that any company that makes a public commitment to its customers without the intention of keeping that commitment may be subject to a fraud indictment.

“Once a code of conduct is complete, companies to which the code is relevant may choose to adopt it,” the attorneys write. “The Administration expects that a company’s public commitment to adhere to a code of conduct will be enforceable under the FTC’s authority to prevent deceptive acts or practices, just as a company is bound today to follow its privacy statements.”

The Administration’s document is vague, perhaps intentionally, with regard to the question of how Congress can be expected to “codify” language in such a way that it may or may not apply to businesses that choose to participate. One naturally assumes that entry by a company into the stakeholder process would be a kind of covenant that one could not then opt out of. But this may be uncharted waters for the Administration, which is trying to craft a regulation that calls itself not a regulation, and a set of rights which may be void where inapplicable.

Pull This Switch to Opt Out

After the publication of the Framework, the worldwide law firm of Gibson Dunn published its interpretation, suggesting that companies that do not adopt the so-called “statutory” code of conduct may yet be held to other principles, perhaps of their own choosing. While stating that the Administration will attempt to hold parties accountable under Section 5 of the FTC Act, the attorneys present this curious alternative: “The Administration recommends giving the FTC authority to grant a ‘safe harbor’ (forbearance from enforcement of the statutory Bill of Rights) if the company complies with a Code of Conduct that the FTC has reviewed and approved.”

This alternative, according to the Framework, would give a company the option to submit an alternative code of conduct to the FTC for its approval, which should take no longer than 180 days. However, the Framework goes on, that period should be open for public inspection and comments, during which time stakeholders in the statutory code of conduct would be allowed to submit their opinions on the matter.

Thus theoretically, if a search engine that exchanges personal data with an advertising provider were to opt out of the process and submit its own guidelines instead, for it to obtain safe harbor from an FTC indictment, it would effectively have to submit its alternative for inspection by its competitors – which may include a major social network. Or vice versa. While those competitors would not be granted rights of approval, they may be able to make public claims against their competitor for – again, theoretically – attempting to bypass the regulatory process. This while the company may claim legitimate exceptions to the public process – perhaps, for any number of technical reasons, the statutory code could not apply to it specifically.

But then the Gibson Dunn attorneys add this: “Companies that choose not to adopt an applicable Code of Conduct would be subject to the general obligations of the Bill of Rights.” Whether this means a company whose submitted alternative code is rejected by the FTC must then be forced to follow guidelines established by its competitors is unclear and perhaps, as yet, undetermined. What’s more, the reference to “general obligations” implies that even the statutory code may include exceptions or exemptions.

As attorneys from the New York law firm of White & Case wrote last week, “This is an important balance because a number of online industries have flourished as the government chose to not legislate in this area and what is proposed, while not usual to citizens of other countries, would represent a significant change in the law for American citizens and businesses. Businesses would simply need, and should receive, adequate time to adapt.”