Enforcement actions relating to data privacy often get enforced by administrative agencies under State and Federal Unfair Competition Laws. Enforcement actions against companies that fail to meet their commitments to consumers are a common occurrence.
Comcast’s recent $33,000,000 settlement with the California Attorney General is a good example of how state agencies will take administrative action against companies who tell customers one thing and then do something else. Between 2010 and 2012, Comcast mistakenly published the directory information of VoIP customers that had paid Comcast not to list them. The first cause of action in the complaint against Comcast was for a violation of California’s unfair competition law: Comcast broke its promise to its customers that it would not publish directory listing information.
The Federal Trade Commission often uses its enforcement authority over unfair and deceptive business practices to pursue companies that do not fulfill their privacy commitments. A recent example of this is the Commissions complaint against Nomi Technologies. Nomi Technologies tracked mobile devices in participating retail locations, which could generate data on the duration and frequency of customers entering the location and their shopping habits. The FTC’s complaint alleged that Nomi failed to meet two commitments: (1) that customers would be informed as to which retail locations used Nomi’s service, and (2) that customers would be able to opt out of the tracking at the participating retail locations. The FTC obtained a 20-year monitoring agreement over Nomi.
A recent FTC update shows a group of thirteen companies caught claiming that they were certified under the US-EU Safe Harbor in their privacy policies when, in fact, their certifications had lapsed or they were not certified at all. Another group of six companies faced similar charges in 2009.
Intentional wrongdoing is not the centerpiece of these charges. The Comcast complaint alleges that the disclosures were the result of a technical mistake, and the Nomi Complaint does not claim that the company was intentionally deceiving consumers. Regardless, these agencies have made it clear that companies will be held responsible for failing to keep commitments they make to the public.