Category: Data Security Law


FAN (First Amendment News, Special Series #3) Newseum Institute Program on Apple-FBI Encryption Controversy Scheduled for June 15th


“The government [recently] dropped a bid to force Apple to bypass a convicted Brooklyn drug dealer’s pass code so it could read data on his phone.” — Government Technology, April 27, 2016

Headline: “Department of Justice drops Apple case after FBI cracks iPhone”, San Francisco Chronicle, March 28, 2016

The Newseum Institute has just announced its June 15th event concerning the Apple-FBI encryption controversy. Information concerning the upcoming event is set out below:

Date:  June 15th, 2016

Time: 3:00 p.m.

Location: Newseum: 555 Pennsylvania Ave NW, Washington, DC 20001

Register here (free but limited seating):

The event will be webcast live on the Newseum Institute’s site



The issues involved in the Apple cell phone controversy will be argued in front of a mock U.S. Supreme Court held at the Newseum as “Pear v. the United States.”

Experts in First Amendment law, cyber security, civil liberties and national security issues will make up the eight-member High Court, and legal teams will represent “Pear” and the government. The oral argument, supported by written briefs, will focus on those issues likely to reach the actual high court, from the power of the government to “compel speech” to the privacy expectations of millions of mobile phone users.

The Justices hearing the case at the Newseum:

  • As Chief Justice: Floyd Abrams, renowned First Amendment lawyer and author; and Visiting Lecturer at the Yale Law School.
  • Harvey Rishikof, most recently dean of faculty at the National War College at the National Defense University and chair of the American Bar Association Standing Committee on Law and National Security
  • Nadine Strossen, former president of the American Civil Liberties Union; the John Marshall Harlan II Professor of Law at New York Law School
  • Linda Greenhouse, the Knight Distinguished Journalist in Residence and Joseph Goldstein Lecturer in Law at Yale Law School; long-time U.S. Supreme Court correspondent for The New York Times
  • Lee Levine, renowned media lawyer; adjunct Professor of Law at the Georgetown University Law Center
  • Stewart Baker, national security law and policy expert and former Assistant Secretary for Policy at the U.S. Department of Homeland Security
  • Stephen Vladeck, Professor of Law at American University Washington College of Law; nationally recognized expert on the role of the federal courts in the war on terrorism
  • The Hon. Robert S. Lasnik, senior judge for the Western District of Washington at the U.S. District Court

Lawyers arguing the case:

  • For Pear: Robert Corn-Revere has extensive experience in First Amendment law and communications, media and information technology law.
    • Co-counsel is Nan Mooney, writer and former law clerk to Chief Judge James Baker of the U.S. Court of Appeals for the Armed Forces.
  • For the U.S. government: Joseph DeMarco, who served from 1997 to 2007 as an Assistant United States Attorney for the Southern District of New York, specializes in issues involving information privacy and security, theft of intellectual property, computer intrusions, on-line fraud and the lawful use of new technology.
    • Co-counsel is Jeffrey Barnum, a lawyer and legal scholar specializing in criminal law and First Amendment law who argued United States v. Alaa Mohammad Ali before the U.S. Court of Appeals for the Armed Forces while in law school.

Each side will have 25 minutes to argue its position before the Court and an additional five minutes for follow-up comments. Following the session, there will be an opportunity for audience members to ask questions of the lawyers and court members.

The program is organized on behalf of the Newseum Institute by the University of Washington Law School’s Harold S. Shefelman Scholar Ronald Collins and by Nan Mooney.


FAN (First Amendment News, Special Series #2) FBI to Continue Working with Hackers to Fight Terrorism . . . & Crime?


The F.B.I. defended its hiring of a third party to break into an iPhone used by a gunman in last year’s San Bernardino, Calif., mass shooting, telling some skeptical lawmakers on Tuesday that it needed to join with partners in the rarefied world of for-profit hackers as technology companies increasingly resist their demands for consumer information. — New York Times, April 19, 2016


This is the second FAN installment concerning the ongoing controversy over national security and cell-phone privacy. As with the first installment, the legal focus here is on First Amendment issues. It is against that backdrop that the Newseum Institute in Washington, D.C. will host a public event on June 15, 2016.

I am pleased to be working with Gene Policinski (the chief operating officer of the Newseum Institute) and Nan Mooney (a D.C. lawyer and former law clerk to Chief Judge James Baker of the U.S. Court of Appeals for the Armed Forces) in organizing the event.

Information concerning that upcoming event is set out below, but first a few news items.

Recent News Items

“FBI Director James Comey said the U.S. paid more than he will make in salary over the rest of his term to secure a hacking tool to break into a mobile phone used by a dead terrorist in the San Bernardino . . . . The law enforcement agency paid ‘more than I will make in the remainder of this job, which is 7 years and 4 months,’ Comey said . . . at the Aspen Security Forum in London. . . . Comey’s pay this year is $185,100, according to federal salary tables, indicating the tool cost the agency more than $1.3 million. FBI directors are appointed to 10-year terms.”

“[Ms. Amy Hess, the Federal Bureau of Investigation’s executive assistant director for science and technology,] did not answer directly when asked about whether there were ethical issues in using third-party hackers but said the bureau needed to review its operation ‘to make sure that we identify the risks and benefits.’ The F.B.I. has been unwilling to say whom it paid to demonstrate a way around the iPhone’s internal defenses, or how much, and it has not shown Apple the technique.”

“Bruce Sewell, Apple’s general counsel, told a House commerce oversight subcommittee that the company already works with law enforcement regularly and would help develop the FBI’s capability to decrypt technology itself, but won’t open ‘back doors’ to its iPhones due to the security risk that would pose to all users. . . . What the FBI wants, Hess said, is ‘that when we present an order, signed by an independent federal judge, that (tech companies) comply with that order and provide us with the information in readable form.’ How they do that is up to them, she said.”

“The leaders of the Senate Intelligence Committee have introduced a bill that would mandate those receiving a court order in an encryption case to provide “intelligible information or data” or the “technical means to get it” — in other words, a key to unlock secured data.  “I call it a ‘follow the rule of law bill,’ because that’s what it does: It says nobody’s exempt from a court order issued by a judge on the bench,’ said Committee Chairman Richard Burr, a North Carolina Republican. The top Democrat on the committee, California’s Dianne Feinstein, is a co-sponsor.”

Senate Bill Introduced

Here are a few excerpts from the proposed Senate Bill:

(1) GENERAL. Notwithstanding any other provision of law and except as provided in paragraph (2), a covered entity that receives a court order from a government for information or data shall —

(A) provide such information or data to such government in an intelligible format; or

(B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.

(2) SCOPE OF REQUIREMENT. A covered entity that receives a court order referred to in paragraph (1)(A) shall be responsible only for providing data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.


(b) DESIGN LIMITATIONS. Nothing in this Act shall be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.

(4) DEFINITIONS . . . .

Non-Terrorist Crimes & Demands for Cell-Phone Access

Upcoming: Newseum Institute Moot Court Event


FAN (First Amendment News, Special Series) Newseum Institute to Host Event on Cell Phone Privacy vs National Security Controversy


Starting today and continuing through mid-June, I will post a special series of occasional blogs related to the Apple iPhone national security controversy and the ongoing debate surrounding it, even after the FBI gained access to the phone used by the terrorist gunman in the December shooting in San Bernardino, California.

Gene Policinski


This special series is done in conjunction with the Newseum Institute and a major program the Institute will host on June 15, 2016 in Washington, D.C.

I am pleased to be working with Gene Policinski (the chief operating officer of the Newseum Institute) and Nan Mooney (a D.C. lawyer and former law clerk to Chief Judge James Baker of the U.S. Court of Appeals for the Armed Forces) in organizing the event.

The June 15th event will be a moot court with seven Supreme Court Justices and two counsel for each side. The focus will be on the First Amendment issues raised in the case. (See below re links to the relevant legal documents).

→ Save the Date: Wednesday, June 15, 2016 @ 2:00 p.m., Newseum, Washington, D.C. (more info forthcoming).

The Apple-FBI clash was the first significant skirmish — and probably not much more than that — of the Digital Age conflicts we’re going to see in this century around First Amendment freedoms, privacy, data aggregation and use, and even the extent of religious liberty. As much as the eventual outcome, we need to get the tone right, from the start — freedom over simple fear. –Gene Policinski

Newseum Institute Moot Court Event

It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety, either with cooperation from relevant parties, or through the court system when cooperation fails. –Melanie Newman (spokeswoman for Justice Department, 3-28-16)

As of this date, the following people have kindly agreed to participate as Justices for a seven-member Court:

The following two lawyers have kindly agreed to serve as the counsel (2 of 4) who will argue the matter:

→ Two additional Counsel to be selected.  

Nan Mooney and I will say more about both the controversy and the upcoming event in the weeks ahead in a series of special editions of FAN. Meanwhile, below is some relevant information, which will be updated regularly.

Apple vs FBI Director James Comey

President Obama’s Statement

Congressional Hearing



Last Court Hearing: 22 March 2016, before Judge Sheri Pym



News Stories & Op-Eds


  1. Pierre Thomas & Mike Levine, “How the FBI Cracked the iPhone Encryption and Averted a Legal Showdown With Apple,” ABC News, March 29, 2016
  2. Bruce Schneier, “Your iPhone just got less secure. Blame the FBI,” Washington Post, March 29, 2016
  3. Katie Benner & Eric Lichtblau, “U.S. Says It Has Unlocked Phone Without Help From Apple,” New York Times, March 8, 2016
  4. John Markoff, Katie Benner & Brian Chen, “Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist,” New York Times, March 17, 2016
  5. Jesse Jackson, “Apple Is on the Side of Civil Rights,” Time, March 17, 2016
  6. Katie Benner & Eric Lichtblau, “Apple and Justice Dept. Trade Barbs in iPhone Privacy Case,” New York Times, March 15, 2016
  7. Kim Zetter, “Apple and Justice Dept. Trade Barbs in iPhone Privacy Case,” Wired, March 15, 2016
  8. Alina Selyukh, “Apple On FBI iPhone Request: ‘The Founders Would Be Appalled,’” NPR, March 15, 2016
  9. Howard Mintz, “Apple takes last shot at FBI’s case in iPhone battle,” San Jose Mercury News, March 15, 2016
  10. Russell Brandom & Colin Lecher, “Apple says the Justice Department is using the law as an ‘all-powerful magic wand’,” The Verge, March 15, 2016
  11. Adam Segal & Alex Grigsby, “3 ways to break the Apple-FBI encryption deadlock,” Washington Post, March 14, 2016
  12. Seung Lee, “Former White House Official Says NSA Could Have Cracked Apple-FBI iPhone Already,” Newsweek, March 14, 2016
  13. Tim Bajarin, “The FBI’s Fight With Apple Could Backfire,” PC, March 14, 2016
  14. Alina Selyukh, “U.S. Attorneys Respond To Apple In Court, Call Privacy Concerns ‘A Diversion’,” NPR, March 10, 2016
  15. Dan Levine, “San Bernardino victims to oppose Apple on iPhone encryption,” Reuters, Feb. 22, 2016
  16. “Apple, The FBI And iPhone Encryption: A Look At What’s At Stake,” NPR, Feb. 17, 2016

The 5 Things Every Privacy Lawyer Needs to Know about the FTC: An Interview with Chris Hoofnagle

The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score.

To many, the FTC remains opaque and somewhat enigmatic. The reason, ironically, might not be because there is too little information about the FTC but because there is so much. The FTC has been around for 100 years!

In a landmark new book, Professor Chris Hoofnagle of Berkeley Law School synthesizes an enormous volume of information about the FTC and sheds tremendous light on the FTC’s privacy activities. His book is called Federal Trade Commission Privacy Law and Policy (Cambridge University Press, Feb. 2016).

This is a book that all privacy and cybersecurity lawyers should have on their shelves. The book is the most comprehensive scholarly discussion of the FTC’s activities in these areas, and it also delves deep in the FTC’s history and activities in other areas to provide much-needed context to understand how it functions and reasons in privacy and security cases.


The Ultimate Unifying Approach to Complying with All Laws and Regulations

Professor Woodrow Hartzog and I have just published our new article, The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016). Our article took years of research and analysis, intensive writing, countless drafts, and endless laboring over every word. But we hope we achieved a monumental breakthrough in the law. Here’s the abstract:

There are countless laws and regulations that must be complied with, and the task of figuring out what to do to satisfy all of them seems nearly impossible. In this article, Professors Daniel Solove and Woodrow Hartzog develop a unified approach to doing so. This approach (patent pending) was developed over the course of several decades of extensive analysis of every relevant law and regulation.



MLAT – Not a Muscle Group Nonetheless Potentially Powerful

MLAT. I encountered this somewhat obscure thing (Mutual Legal Assistance Treaty) when I was in practice and needed to serve someone in Europe. I recall it was a cumbersome process and thinking that I was happy we did not seem to have to use it often (in fact the one time). Today, however, as my colleagues Peter Swire and Justin Hemmings argue in their paper, Stakeholders in Reform of the Global System for Mutual Legal Assistance, the MLAT process is quite important.

In simplest terms, if a criminal investigation in, say, France needs an email and it is stored in the U.S.A., the French authorities ask the U.S. ones for aid. If the U.S. agency that processes the request agrees there is a legal basis for the request, it and other groups seek a court order. If that is granted, the order would be presented to the company. Once records are obtained, there is further review to ensure “compliance U.S. law.” Then the records would go to France. As Swire and Hemmings note, the process averages 10 months. For a civil case that is long, but for criminal cases that is not workable. And as the authors put it, “the once-unusual need for an MLAT request becomes routine for records that are stored in the cloud and are encrypted in transit.”

Believe it or not, this issue touches on major Internet governance issues. The slowness and the new needs are fueling calls for having the ITU govern the Internet and access to evidence issues (a model according to the paper favored by Russia and others). Simpler but important ideas such as increased calls for data localization also flow from the difficulties the paper identifies. As the paper details, the players–non-U.S. governments, the U.S. government, tech companies, and civil society groups–each have goals and perspectives on the issue.

So for those interested in Internet governance, privacy, law enforcement, and multi-stakeholder processes, the MLAT process and this paper on it offer a great high-level view of the many factors at play in those issues for both a specific topic and larger, related ones as well.


China, the Internet, and Sovereignty

China’s World Internet Conference is, according to its organizers, about:

“An Interconnected World Shared and Governed by All—Building a Cyberspace Community of Shared Destiny”. This year’s Conference will further facilitate strategic-level discussions on global Internet governance, cyber security, the Internet industry as the engine of economic growth and social development, technological innovation and philosophy of the Internet. It is expected that 1200 leading figures from governments, international organizations, enterprises, science & technology communities, and civil societies all around the world will participate the Conference.

As the Economist points out, “The grand title is misleading: the gathering will not celebrate the joys of a borderless internet but promote “internet sovereignty”, a web made up of sovereign fiefs, gagged by official censors. Political leaders attending are from such bastions of freedom as Russia, Pakistan, Kazakhstan, Kyrgyzstan and Tajikistan.”

One of the great things about being at GA Tech is the community of scholars from a wide range of backgrounds. This year colleagues in Public Policy hired Milton Mueller, a leader in telecommunication and Internet policy. I have known his work for some time, but it has been great getting to hang out and talk with Milton. Not surprising, but Milton has a take on the idea of sovereignty and the Internet. I can’t share it, as it is in the works. But as a teaser, keep your eye out for it.

As a general matter, it seems to me that sovereignty will be a keyword in coming Internet governance debates across all sectors. Whether the term works from a political science perspective or others should be interesting. Thinking of jurisdiction, privacy, surveillance, telecommunication, cyberwar, and intellectual property, I can see sovereignty being asserted, perverted, and converted to serve a range of interests. Revisiting the core international relations theories to be clear about what sovereignty is and should be seems a good project for a law scholar or student as these areas evolve.


How CalECPA Improves on its Federal Namesake

Last week, Governor Brown signed the landmark California Electronic Communications Privacy Act[1] (CalECPA) into law and updated California privacy law for modern communications. Compared to ECPA, CalECPA requires warrants, which are more restricted, for more investigations; provides more notice to targets; and furnishes as a remedy both court-ordered data deletion and statutory suppression.  Moreover, CalECPA’s approach is comprehensive and uniform, eschewing the often irrational distinctions that have made ECPA one of the most confusing and under-protective privacy statutes in the Internet era.

Extended Scope, Enhanced Protections, and Simplified Provisions

CalECPA regulates investigative methods that ECPA did not anticipate. Under CalECPA, government entities in California must obtain a warrant based on probable cause before they may access electronic communications contents and metadata from service providers or from devices.  ECPA makes no mention of device-stored data, even though law enforcement agents increasingly use StingRays to obtain information directly from cell phones. CalECPA subjects such techniques to its warrant requirement. While the Supreme Court’s recent decision in United States v. Riley required that agents either obtain a warrant or rely on an exception to the warrant requirement to search a cell phone incident to arrest, CalECPA requires a warrant for physical access to any device, not just a cell phone, which “stores, generates, or transmits electronic information in electronic form.” CalECPA clearly defines the exceptions to the warrant requirement by specifying what counts as an emergency, who can give consent to the search of a device, and related questions.

ECPA’s 1986-drafted text only arguably covers the compelled disclosure of location data stored by a service provider, and does not clearly require a warrant for such investigations. CalECPA explicitly includes location data in the “electronic communication information” that is subject to the warrant requirement when a government entity accesses it from either a device or a service provider (broadly defined). ECPA makes no mention of location data gathered in real-time or prospectively, but CalECPA requires a warrant both for those investigations and for stored data investigations. Whenever a government entity compels “the production of or access to” location information, including GPS data, from a service provider or from a device, CalECPA requires a warrant.


Should the FTC Be Regulating Privacy and Data Security?

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

This is a question that has recently been posed in the privacy and data security arenas, where the FTC has been involved since the late 1990s. Today, the FTC is the most active federal agency enforcing privacy and data security, and it has the broadest reach. Its fingers seem to be everywhere, in all industries, even those regulated by other agencies, such as in the AT&T case. Is the FTC going too far? Is it even the FTC’s role to police privacy and data security?

The Fount of FTC Authority

The FTC’s source of authority for privacy and data security comes from some specific statutes that give the FTC regulatory power. Examples include the Children’s Online Privacy Protection Act (COPPA) where the FTC regulates online websites collecting data about children under 13 and the Gramm-Leach-Bliley Act (GLBA) which governs financial institutions.

But the biggest source of the FTC’s authority comes from Section 5 of the FTC Act, where the FTC can regulate “unfair or deceptive acts or practices in or affecting commerce.” This is how the FTC has achieved its dominant position.

Enter the Drama

Until recently, the FTC built its privacy and security platform with little pushback. All of the complaints brought by the FTC for unfair data security practices quickly settled. However, recently, two companies have put on their armor, drawn their swords, and raised the battle cry. Wyndham Hotels and LabMD have challenged the FTC’s authority to regulate data security. These are more than just case-specific challenges that the FTC got the facts wrong or that the FTC is wrong about certain data security practices. Instead, these challenges go to whether the FTC should be regulating data security under Section 5 in the first place. And the logic of these challenges could also potentially extend to privacy as well.

The first dispute involving Wyndham Hotels has already resulted in a district court opinion affirming the FTC’s data protection jurisprudence. The second dispute over FTC regulatory authority involving LabMD is awaiting trial.

In the LabMD case, LabMD is contending that the U.S. Department of Health and Human Services (HHS) — not the FTC — has the authority to regulate data security practices affecting patient data regulated by HIPAA.

With Wyndham, and especially LabMD, the drama surrounding the FTC’s activities in data protection has gone from 2 to 11. The LabMD case has involved the probable shuttering of business, a controversial commissioner recusal, a defamation lawsuit, a House Oversight committee investigation into the FTC’s actions, and an entire book written by the LabMD’s CEO chronicling his view of the conflict. And the case hasn’t even been tried yet!

The FTC Becomes a Centenarian

And so, it couldn’t be more appropriate that this year, the FTC celebrates its 100th birthday.

To commemorate the event, the George Washington Law Review is hosting a symposium titled “The FTC at 100: Centennial Commemorations and Proposals for Progress,” which will be held on Saturday, November 8, 2014, in Washington, DC.

The lineup for this event is really terrific, including U.S. Supreme Court Justice Stephen Breyer, FTC Chairwoman Edith Ramirez, FTC Commissioner Joshua Wright, FTC Commissioner Maureen Ohlhausen, as well as many former FTC officials.


Some of the participating professors include Richard Pierce, William Kovacic, David Vladeck, Howard Beales, Timothy Muris, and Tim Wu, just to name a few.

At the event, we will be presenting our forthcoming article:

The Scope and Potential of FTC Data Protection
83 George Washington Law Review (forthcoming 2015)

So Is the FTC Overreaching?

Short answer: No. In our paper, The Scope and Potential of FTC Data Protection, we argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but it also has the authority to expand its reach much more. Here are some of our key points:

* The FTC has a lot of power. Congress gave the FTC very broad and general regulatory authority by design to allow for a more nimble and evolutionary approach to the regulation of consumer protection.

* Overlap in agency authority is inevitable. The FTC’s regulation of data protection will inevitably overlap with other agencies and state law given the very broad jurisdiction in Section 5, which spans nearly all industries. If the FTC’s Section 5 power were to stop at any overlapping regulatory domain, the result would be a confusing, contentious, and unworkable regulatory system with boundaries constantly in dispute.

* The FTC’s use of a “reasonable” standard for data security is quite reasonable. Critics of the FTC have attacked its data security jurisprudence as being too vague and open-ended; the FTC should create a specific list of requirements. However, there is a benefit to mandating reasonable data security instead of a specific, itemized checklist. When determining what is reasonable, the FTC has often looked to industry standards. Such an approach allows for greater flexibility in the face of technological change than a set of rigid rules.

* The FTC performs an essential role in US data protection. The FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced. The FTC’s regulation of data protection gives the U.S. system of privacy law needed legitimacy and heft. Without the FTC’s data protection enforcement authority, the E.U. Safe Harbor agreement and other arrangements that govern the international exchange of personal information would be in jeopardy. The FTC can also harmonize discordant privacy-related laws and obviate the need for new laws.

* Contrary to the critics, the FTC has used its powers very conservatively. Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. The FTC should push the development of the norms a little more (though not in an extreme or aggressive way).

* The FTC can and should expand its enforcement, and there are areas in need of improvement. The FTC now sits atop an impressive body of jurisprudence. We applaud its efforts and believe it can and should do even more. But as it grows into this role of being the data protection authority for the United States, some gaps in its power need to be addressed and it can improve its processes and transparency.

The FTC currently plays the role of the primary regulator of privacy and data security in the United States. It reached this position in part because Congress never enacted comprehensive privacy regulation and because some kind of regulator was greatly needed to fill the void. The FTC has done a lot so far, and we believe it can and should do more.

If you want more detail, please see our paper, The Scope and Potential of FTC Data Protection. And with all the drama about the FTC these days, please contact us if you want to option the movie rights.

Cross-posted on LinkedIn


The FTC and the New Common Law of Privacy

I’m pleased to announce that my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), is now out in print.  You can download the final published version at SSRN.  Here’s the abstract:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.