The Federal Trade Commission has broadly relied on Section 5 of the Federal Trade Commission Act (FTC Act) to investigate and enforce against consumer protection violations, including in the context of data privacy and security. Specifically, Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. With respect to data privacy and security, the FTC has repeatedly taken the position that under Section 5 of the FTC Act, a company’s failure to implement and maintain appropriate measures to protect consumers’ information may constitute an unfair practice. Likewise, making false or misleading representations (including omissions) about a company’s data privacy and security practices – notably in consumer-facing privacy notices – has been deemed by the FTC to constitute a deceptive trade practice. In its enforcement actions for data privacy and security violations, the FTC has sought – and obtained – both injunctive and equitable monetary relief (e.g., restitution or disgorgement) against companies whose practices violated Section 5 of the FTC Act. But how the FTC obtains equitable monetary relief – and whether it may even continue to do so under Section 13(b) of the FTC Act – is now before the Supreme Court.

FTC Authority, Very Briefly

By way of background, Section 13(b) of the FTC Act authorizes the FTC to seek injunctions to remedy violations of “any provision of law enforced by the Federal Trade Commission” (including Section 5 of the FTC Act): whenever the FTC has “reason to believe” that any party is violating, or is about to violate, a provision of law enforced by the FTC, it may bring actions in federal court to enjoin the conduct, pending completion of an FTC administrative proceeding to determine whether the conduct is unlawful. Moreover, “in proper cases” the FTC may seek a permanent injunction. The FTC Act also contains other provisions that explicitly permit the FTC to seek monetary relief for violations, but under certain restrictive circumstances, which are both administratively and procedurally burdensome and provide limited relief. Because of these limitations, the FTC has increasingly relied on Section 13(b) to obtain monetary relief for violations of the FTC Act. In fact, the FTC’s own website notes that it makes “widespread” use of the permanent injunction proviso of Section 13(b) in its consumer protection program, and as such may seek not only permanent injunctions, but also monetary equitable relief in order to remedy past violations. By and large, the courts have played along.

Upcoming SCOTUS Review

This may soon change. The US Supreme Court recently agreed to consider two consolidated cases – neither relating to privacy or cybersecurity – on the FTC’s authority to obtain equitable monetary relief in consumer protection enforcement actions. The two cases are FTC v. Credit Bureau Center, LLC and AMG Capital Management, LLC v. FTC. The outcome of this decision may have broad implications in the area of consumer protection, including privacy and cybersecurity. In both cases now pending before the Supreme Court, the 7th and 9th Circuits, respectively, either rejected the FTC’s position that Section 13(b) authorizes monetary relief or expressed serious doubts as to whether this expansive interpretation of Section 13(b) was appropriate.

At issue before the Supreme Court is the FTC’s broad interpretation of Section 13(b) to recover equitable monetary relief (i.e., ill-gotten gains) – the plain text of which does not permit the FTC to do so. Both Credit Bureau Center, LLC (Credit Bureau) and AMG Capital Management (AMG) have submitted their briefs, in which they each argue that the FTC’s judicially-tolerated assertion that Section 13(b) implicitly grants it authority to seek monetary relief is supported by neither the text of Section 13(b) nor the structure of the FTC Act. Credit Bureau further argues that where Congress intended to grant the FTC authority to seek “other and further equitable relief,” or the “refund of money or return of property,” it did so explicitly in the text of the statute, as a result of which the FTC should be precluded from circumventing those limits. AMG echoes this in its own brief, stating that “[o]ver time… the [FTC] came to disregard § 13(b)’s text, improperly using it to extract billions of dollars in monetary payments, when § 13(b) by its terms authorizes only injunctions.” Credit Bureau’s brief is available here, AMG’s here.

Other cases focusing on the disgorgement of ill-gotten gains have come before the Supreme Court just recently. In the very recent Liu v. SEC case decided on June 22 and pertaining to the SEC’s enforcement authority, the defendants argued before the Court that the SEC was not explicitly authorized to obtain disgorgement under 15 U.S. Code § 78u(d)(5) (which addresses the SEC’s enforcement powers) because it only enables the SEC to obtain “equitable relief.” The Court disagreed and affirmed the SEC’s disgorgement authority, but did hold that disgorgement should not be used to “test the bounds of equity practice” such as “by ordering the proceeds of fraud to be deposited in Treasury funds instead of disbursing them to victims, imposing joint-and-several disgorgement liability, and declining to deduct even legitimate expenses from the receipts of fraud.” Liu may provide some indication as to how the Supreme Court will address the FTC’s authority under Section 13(b) in Credit Bureau and AMG in that Section 13(b), like Section 78u(d)(5), does not explicitly authorize monetary relief, although the language of Section 13(b) is in fact more restrictive. Liu already serves as an indicator of the limits that the Court may be willing and possibly eager to place on agencies’ ability to obtain equitable monetary relief, but whether the Court will altogether eliminate the FTC’s ability to obtain such relief in reliance on Section 13(b) will be clearer this month, as the case is set to be heard in October.

Effect on FTC’s Enforcement of Data Privacy and Security

The FTC has obtained significant monetary relief in the context of data privacy and security enforcement in reliance on Section 13(b), as reported, for instance, in its Privacy and Security Update (2019). In this specific context of data privacy, a consequence of its “expanded” authority is that the potential for monetary relief does in fact put additional pressure on companies to comply with Section 5 of the FTC Act by providing transparent data privacy and security disclosures (in addition to those specifically required by other applicable statutes such as the CCPA). In the corporate world, the fear of monetary sanctions is by all measures a much greater deterrent than that of an injunction. This is particularly true when it comes to data privacy and security, where companies already tend to take a risk-based approach versus full compliance. The largely unfulfilled promise of exorbitant fines before the GDPR came into effect in 2018 is but one example of how the fear of monetary sanctions of any type leads to greater compliance. Likewise, the significant monetary sums obtained by the FTC against high-profile companies for violations in the data privacy and security context never fail to be highly publicized, and serve as cautionary tales to companies handling the personal information of consumers.

Although neither of the two cases pending before the Supreme Court directly relates to privacy or security violations, the outcome is very relevant to compliance and enforcement in the consumer data privacy and security context. If the Court rejects the FTC’s broad interpretation of Section 13(b) and constricts its ability to obtain equitable monetary relief, this could have an impact on some companies’ “motivation” to provide consumers with transparent, fair and non-deceptive disclosures. That said, such a ruling may ultimately result in some action to otherwise expand the FTC’s enforcement authority, and in the context of consumer privacy, in light of the many egregious corporate data privacy and security fails of the last few years, bring us closer to a US federal privacy law. In addition, concerns around State Attorney General enforcement activity and risks, as well as individual class actions for data privacy and security violations (especially in California), remain high.