The FTC has authority under the Federal Trade Commission Act to bring enforcement actions to stop unfair and deceptive acts or practices. Results of enforcement actions can be harsh and long-lasting; companies should follow these basic rules to avoid becoming a target of an FTC action.
Vol. 81, No. 3, March
FTC Lessons to Avoid Unfair and Deceptive Trade Practices when
The FTC has authority under the Federal Trade Commission Act to bring
enforcement actions to stop unfair and deceptive acts or practices.
enforcement actions can be harsh and long-lasting; companies should
these basic rules to avoid becoming a target of an FTC action.
1) Do what you say. Every FTC privacy case involves an
the target company failed to do what it expressly or impliedly promised.
2) Say what you do. In a clear and conspicuous
way, a company should
say exactly what data it collects and how it uses the information.
3) Have reasonable and appropriate security
practices. Strong privacy practices are not enough; a company also
must have security practices that
are reasonable and appropriate to the nature of the data.
4) Provide training and oversight. Having the right
not enough; a company must take reasonable steps to provide training and
oversight to ensure the policy is properly implemented.
5) Do not retroactively change rules to the detriment of
collected before the new policy was in place unless the company at least
clear, conspicuous, advance notice as to what changes will occur and
6) The cost of noncompliance is
high. The FTC commonly resolves complaints by requiring a 20-year
consent decree that describes in detail
specific steps a target company must take, subject to FTC oversight.
may require substantial civil penalties and consumer redress and high
and legal fees.
7) All companies must be aware of the FTC
rules. The FTC privacy and security rules apply to
all companies, not just those specifically subject
to detailed financial services industry regulation.