Those who follow FTC privacy activities are already aware of the hype that surrounds the FTC’s enforcement actions. For years, American businesses and the Department of Commerce have loudly touted the FTC as a privacy enforcer equivalent to EU Data Protection Authorities. The Commission is routinely cited as providing the enforcement mechanism for commercial privacy self-regulatory activities, for the EU-US Safe Harbor Framework, and for the Department of Commerce-sponsored Multistakeholder process. American business and the Commerce Department have exhausted themselves in international privacy forums promoting the virtues of FTC privacy enforcement.
I want to put FTC privacy activities into perspective by comparing the FTC with the Office of Civil Rights (OCR), Department of Health and Human Services. OCR enforces health privacy and security standards based on the Health Insurance Portability and Accountability Act (HIPAA).
Let’s begin with the FTC’s statistics. The Commission maintains a webpage with information on all of its cases since 1997. The FTC’s website is http://business.ftc.gov/legal-resources/8/35. I’ve found that the link provided does not work consistently or properly at times. I can’t reach some pages to confirm everything I would like to, but I am sure enough of the basics to be able to make these comments.
The Commission reports 153 cases from 1997 through February 2013. That’s roughly 15 years, with an average of about ten cases a year. The number of cases for 2012, the last full year, was 24, much higher than the fifteen-year average. The Commission clearly stepped up its privacy and security enforcement activities of late. I haven’t reviewed the quality or significance of the cases brought, just the number.