The FTC’s Strong Hand in Cyber-Privacy Cases

The authors briefly review the FTC’s enforcement authority against unfair or deceptive acts and practices, and examine pre-and post-settlement enforcement actions in the area of cyber-privacy.

In Practice Fusion, Inc. the FTC alleged failure to disclose that consumer responses to a satisfaction survey would be published on Practice Fusion’s website. Without admitting or denying the allegations, Practice Fusion agreed to a 20-year consent order.

In 2012, the DOJ initiated a civil action against Google to enforce a consent order settling FTC allegations that Google misled consumers about its social networking tool, Google Buzz. Among other things, the order prohibited Google from misrepresenting the extent to which it protected certain user information. Google agreed to pay a $22.5 million fine without admitting liability.

In 2015, the FTC initiated a contempt action against Lifelock for violation of a permanent injunction enjoining it from misrepresenting the nature of its identity theft protection service, or the extent to which it protected consumers’ personal information. Without admitting or denying the allegations, Lifelock agreed to settle through a modified permanent injunction that included a $100 million judgment for equitable monetary relief. That gave the FTC the largest monetary award it has obtained to date in an order enforcement action.

As illustrated by the FTC’s proceedings against Google and Lifelock, entry of a consent order or stipulated judgment does not end the FTC’s enforcement proceedings. Rather, it begins a new phase.