Daniel J. Solove and Woodrow Hartzog, The FTC and the New Common Law of Privacy

Daniel J. Solove and Woodrow Hartzog, The FTC and the New Common Law of Privacy

Comment by: Gerald Stegmaier & Chris Jay Hoofnagle

PLSC 2013

Published version available here:

Workshop draft comment:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States is not really law and has barely been studied in a scholarly way.  Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices.  Despite over fifteen years of FTC enforcement, there is no meaningful body of case law to show for it.  The cases have nearly all resulted in settlement agreements.  Nevertheless, companies look to these agreements to guide their decisions regarding privacy practices.  Those involved with helping businesses comply with privacy law – from chief privacy officers to inside counsel to outside counsel – parse and analyze the FTC’s settlement agreements, reports, and activities as if they were pronouncements by the High Court.

In this article, we contend that the FTC’s privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such.  The FTC has said quite a lot through its actions and settlement agreements. And FTC privacy jurisprudence is the broadest and most influential regulating force on information privacy in United States – more so than nearly any privacy statute and any common law tort.  The statutory law regulating privacy is diffuse and discordant, and the common law torts fail to regulate the majority of activities concerning privacy.  Despite the central governing role of the FTC’s privacy activity, it has not received much scholarly attention.

In Part I of this article, we discuss how the FTC’s actions function practically as a body of common law for privacy.   In the late 1990s, it was far from clear that the body of law regulating privacy policies would come from the FTC and not from traditional contract and promissory estoppel.  Though privacy policies often have all the indicia of enforceable promises, they have rarely been utilized as contracts.  On the few occasions when contract law is invoked for privacy policies, it usually fails. We explore how and why the current state of affairs developed.  In Part II, we examine the principles that emerge from this body of law.  These principles extend far beyond merely honoring promises.   We discuss how these principles compare to principles in other legal domains, such as contract law. In Part III, we explore the implications of these developments and the ways that this body of law could develop.