Senior management and organisation
The Federal Trade Commission (FTC) is headed by five commissioners. They are:
- Joseph Simons (chair);
- Noah Phillips;
- Rohit Chopra;
- Rebecca Kelly Slaughter; and
- Christine Wilson.
When was the head of the commission appointed?
Chairman Joseph Simons was sworn in on 1 May 2018.
How long is their term of office?
Joseph Simons’ term will end in September 2024.
What is the process for nominating the head of the commission?
Chairs are nominated by the US president, subject to confirmation from the US Senate.
What was the commission’s budget for the most recently available financial year?
$312.3 million overall for the 2020 financial year, of which $140.2 million is dedicated to consumer protection.
How many data protection/privacy-focused staff does the commission employ?
1,140 overall, of which 528 are dedicated to consumer protection.
Contacting the authority
How and where should companies or their advisers contact the commission to notify a data breach?
FTC notification is only mandatory in certain healthcare data-related cases, as governed by HIPAA. For more details, see www.ftc.gov/system/files/documents/plain-language/2017_5_2_breach_notification_form.pdf.
What other contact information should companies and their advisers be aware of?
General contact details can be found at www.ftc.gov/contact.
Legal and enforcement framework
What are the commission’s investigative powers?
Under the FTC Act, the FTC has the power to investigate persons, partnerships and companies engaged in (or whose business affects) commerce – aside from banks; savings and loan institutions; federal credit unions; and common carriers. The agency can order the above to answer questions in writing, providing the required information about themselves or other companies. Statements can be made under oath and must be filed within a specified reasonable period; additional time can be granted. If the FTC obtains evidence that individuals or companies have engaged in conduct that could violate federal criminal law, it can send that evidence to the US Attorney General.
The FTC’s Bureau of Competition can use subpoenas to require witness testimony and the production of documentary evidence – but the Bureau of Consumer Protection, which handles privacy and cybersecurity cases, can only use civil investigative demands to investigate the “unfair or deceptive acts or practices” which give it jurisdiction over such cases through section 5 of the FTC Act. Civil investigative demands allow the commission to obtain documents or oral testimony, and force recipients to file written reports or answers to questions. These demands can have extraterritorial effect. They apply not only to the subjects of investigations, but also to parties that are not under investigation but may have information relevant to one. Demands must be issued by commission investigators – lawyers or investigators employed by the commission who are charged with enforcing against unfair or deceptive acts or practices.
The FTC has two ways of enforcing: through its internal administrative court, or by suing in federal district court. Many cases end in settlements.
If a company contests an administrative FTC complaint, an FTC administrative law judge will rule on the case. The judge can recommend a cease-and-desist order or dismiss the complaint. Appeals are possible to the full commission. If an appeal takes place, the full commission will issue its own final decision and order, which can also be appealed against in US federal courts of appeal and, ultimately, the Supreme Court. If the FTC wins its case in its administrative tribunal, obtaining a finding that a practice is illegal, it still needs to approach courts to obtain punitive civil penalties, or equitable monetary relief to be distributed to affected consumers.
The FTC can otherwise approach US federal courts to challenge practices. The commission can seek injunctions whenever it has reason to believe any party is violating or about to violate laws it enforces. The commission can seek preliminary injunctions pending completion of administrative cases, or permanent injunctions.
The FTC cannot obtain penalties – as opposed to relief, including monetary relief, for consumers – against first-time offenders that violate section 5 of the FTC Act.
Can you search premises or force the disclosure of information without having to approach the courts?
The FTC’s civil investigative demands can force the disclosure of information without court intervention, but the agency has no power to seek search warrants or conduct dawn raids.
What fines can the commission impose on companies that breach data protection rules?
Violating rules that the FTC has issued under its rule-making authority allows the FTC to collect civil penalties. But the FTC does not have general powers to obtain civil penalties – as distinct from consumer redress – under section 5 of the FTC Act, which it uses to enforce data privacy and cybersecurity.
The commission can, however, seek civil penalties for breaches of previous settlements. Section 5(l) of the FTC Act provides that violating FTC orders is punishable by civil penalties of no more than $10,000 per violation, with each separate violation considered a separate offence. Penalties can become steep: in 2019, Facebook agreed to pay $5 billion for breaching a 2012 settlement order.
What emergency or interim measures can the commission take pending the full conclusion of investigations?
The FTC can approach courts to obtain preliminary injunctions and ex parte temporary restraining orders.
Priorities and the future
What data protection/privacy-related guidelines has the commission issued to date?
The FTC has issued informal guidelines and has rulemaking authority that allows it to lay down binding regulations.
Areas in which the FTC has issued privacy and data security-related rules include:
- the Children’s Online Privacy Protection Act (COPPA);
- the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM);
- disposing of consumer report information and records;
- the Fair Credit Reporting Act (FCRA);
- financial privacy; and
- health data breach notification.
The FTC has issued multiple items of privacy and data-security-related plain-language guidance, which can be accessed on its website.