National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES

« Previous: V. SURVEY OF FEDERAL STATUTORY PROVISIONS AND FEDERAL AGENCY ACTIONS
Page 35
Suggested Citation:"VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 35
Page 36
Suggested Citation:"VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 36
Page 37
Suggested Citation:"VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 37
Page 38
Suggested Citation:"VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 38
Page 39
Suggested Citation:"VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 39
Page 40
Suggested Citation:"VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 40

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42 35 nature of regulatory agencies to accept, and in some cases even direct, that collection. Both nationally and internationally, gov- ernment authorities are grappling with health privacy concerns on one hand and public health and economic realities on the other. Collection of health data by airports or airport stake- holders that would have once been unimaginable is now on the cusp of routine. Of course, this evolution does not mean that privacy concerns regarding data are no longer relevant, but that other interests weigh in favor of mitigating those concerns and reducing protections. VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES In addition to actual legislation, airports must consider other government activities that implicate the legal framework asso- ciated with privacy protections. These other activities include executive branch actions and the activities of Congress in devel- oping future legislation. A. FTC Enforcement Activity and the Creation of “Privacy Common Law” The FTC is empowered to address challenges to competition in the marketplace through Section 5 of the Federal Trade Com- mission Act (FTCA).273 The agency pursues Section 5 enforce- ment actions under theories of deceptive or unfair practices. Through this authority, the agency has taken many enforcement actions to protect privacy in the United States to include cases involving failures to implement reasonable data security prac- tices or general privacy concerns.274 In 2020, FTC enforcement focused on privacy and data security cases and targeted social media companies, mobile app developers, data brokers, ad tech industry participants, retailers, and companies operating in the internet of things environment. Most often, this process in- volves the initiation of a complaint by the FTC and the respon- dent company entering into a settlement with a consent order. Over the years, the FTC has cataloged many enforcement actions. Solove and Hartzog argue this compilation of agency actions has created a form of privacy common law.275 As the FTC publishes complaints and settlements and adheres to them in its subsequent enforcement actions, practitioners in the field use those settlements to advise their clients. Thus, a kind of con- trolling law develops.276 273 15 USC § 45(a). 274 See, e.g., Privacy and Data Security Update: 2019, F.T.C. (Feb. 2020), at 8, https://www.ftc.gov/reports/privacy-data-security- update-2019. The FTC publishes annual updates with respect to its activities regarding data privacy and security. 275 Daniel Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583, 620-25 (2014). 276 Solove and Hartzog devote significant attention to the issue of the paucity of federal court decisions in this area, and the importance of FTC settlement (or cease and desist) orders. While not precedent like a judicial decision, given the circumstances these decisions are viewed in the privacy practice community as having precedential value. See id. at 620-25. sures should be adapted to the unique air travel environment.”263 While the Guidance Document addresses a range of operational issues; it contains principles directly related to a range of data collection activities. The first of the principles relating to data collection concerns airline collection of complete and current passenger and crew contact information prior to international flight departures. That information is to be provided in an electronic format to the U.S. government for further dissemination to destination U.S. health authorities before departure.264 This principle is consis- tent with a February 20, 2020, HHS interim final rule requiring any airline with a flight arriving in the United States to collect passenger and crew contact information and provide it to the U.S. government within 24 hours of an order by the Centers for Disease Control and Prevention (CDC) Director.265 The second principle related to data collection states that air- lines should implement health attestations from passengers to reinforce the expectation that passengers will not travel when ill or when they are at a higher risk of developing and/or spread- ing COVID-19.266 The Guidance recommends this principle but does not require it.267 The third principle related to data collection states that air- lines and airports may need to consider the use of temperature screening to meet destination requirements or requirements of local health authorities.268 This principle cautions that some per- sons with chronic, non-COVID related health issues may have an elevated body temperature and that policies should be im- plemented to ensure that such persons are not unfairly blocked from travel if their illness does not threaten public health.269 This principle also notes that pre-travel temperature screening of passengers should be done in accordance with the protocols of the relevant health authorities.270 It further instructs that if an airport, airline, or other authority271 makes the decision that it will bar those with temperatures over a certain threshold from flying, the policy should be transparent, posted in advance, and all passengers should be directly notified of the policy before making a decision on whether to fly.272 Considering these prin- ciples is important when developing a policy for pre-travel tem- perature testing of passengers. The development of these principles demonstrates both the fluid nature of data collection in the airport context and the fluid 263 Id. at 4. 264 Id. at 15. 265 Id. at 15-16. 266 Id. at 20. 267 Id. 268 Id. at 21. 269 Id. at 21-22. 270 Id. at 22. 271 It is noteworthy that the Guidance Document leaves open the possibility that a temperature check of passengers may be conducted by an “other authority” without identifying that authority any further. It is an open question as to whether the TSA has such authority under the broad terms of 49 U.S.C. §§ 114 (f)(4) and (16). 272 Id.

36 ACRP LRD 42 are courts to determine when a practice is ‘deceptive’” and “the Commission’s judgment is to be given great weight by reviewing courts.”285 The court expressly rejected an assertion by Fanning that misrepresentations were not actionable because they were not contained in company advertisements. The court noted “[w]e see no reason why it would not be a deceptive act or practice to place misrepresentations on websites if those misrepresenta- tions affect[ed] [consumers’] choice of, or conduct regarding the website.”286 This ruling in Fanning should cause airports and airport stakeholders to examine the content of their websites very care- fully to ensure the accuracy of the information, particularly with respect to representations about user data. b. United States v. Facebook287 While the FTC has very limited ability under Section 5 of the FTCA to assess fines and penalties, 2019 saw a major settlement with Facebook, resulting in remedial measures and the imposi- tion of $5 billion in fines and penalties. The Facebook settlement resolves issues that stretch back almost a decade to a 2012 settle- ment between Facebook and the FTC. The initial complaint concerned Facebook’s privacy settings and the operation of the “Privacy Wizard.” The FTC found that Facebook’s practices allowed third parties access to personal data about Facebook users. Facebook agreed to remedy those deficiencies, but it ultimately failed to do so. In the wake of revelations about data access through Facebook by Cambridge Analytica,288 the FTC issued a new complaint alleging violation of the 2012 order. The new com- plaint made additional allegations of deceptive conduct through the use of consumer phone numbers gathered in connection with two-factor authentication practices. In the settlement announced in July 2019, the FTC contended that that “[t]he magnitude of this penalty resets the baseline for privacy cases— including for any future violation by Facebook—and sends a strong message to every company in America that collects con- sumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively.”289 In addition to the fine and penalty, Facebook agreed to the acceptance of substantial remedial measures. Those measures included: 285 871 F.3d. at 170. 286 Id. at 170 (citing Kraft, Inc. v. FTC, 970 F.2d 311, 322 (7th. Cir. 1992). 287 No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020). 288 A related complaint against Cambridge Analytica was resolved in 2019. In the Matter of Cambridge Analytica, LLC, Compl., No. 9383 (Dec. 5, 2018), https://www.ftc.gov/system/files/documents/cases/ d09389_comm_final_opinionpublic.pdf. 289 Statement of Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson In re Facebook, Inc., F.T.C., (July 24, 2019), at 2, https://www.ftc.gov/system/files/documents/public_ statements/1536946/092_3184_facebook_majority_statement_7-24-19. pdf. 1. Deceptive Practice Cases FTC characterizes deceptive practices as actions likely to mislead consumers acting reasonably under the circumstances and that are material to consumers.277 Deceptive practices have resulted in enforcement actions for failure to meet several types of promises to include, failing to maintain confidentiality or refrain from disclosing information to third parties; collecting data inconsistent with company privacy policies; failing to pro- vide adequate security for personal data; and disclosing identi- fication information.278 Inadequate notice has also resulted in deception-based actions.279 Enforcement actions have involved failures to dis- close the complete nature of tracking activities: • Failure to disclose the complete nature of activity track- ing: In re Sears Holdings Management Corp.;280 • Failure to disclose full sharing features and defaults of file sharing software: FTC v. Frostwire;281 and • Failure to disclose the existence of “man in the middle” software on preloaded on laptop computers capable of accessing sensitive personal information: In the matter of Lenovo (United States) Inc.282 Additionally, deception cases have included allegations of failure to provide adequate data security. Those allegations have also been coupled with data security claims. a. Fanning v. FTC283 In Fanning, the First Circuit affirmed an FTC action for decep tion against the founder of jerk.com, a website offering reputation management series. The FTC concluded that repre- sentations on the website concerning the number of people as- sisted by jerk.com was deceptive. With respect to the standard of review of FTC decisions, the Fanning Court cited FTC v. Colgate Palmolive,284 to con- clude that “the Commission is often in a better position than 277 Id. at 1-2. Material means it would likely affect the consumer’s conduct or decisions about a product or service. 278 Id. at 629. 279 For a detailed discussion of inadequate notice cases, see, Daniel Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583, 634-636 (2014). 280 Id. at 634 n. 243; In re Sears Holdings Management Corp., Compl., No. C-4264, at 1 (F.T.C. Aug. 31, 2009) (“Sears Complaint”), http://www. ftc.gov/sites/default/files/documents/cases/2009/09/090604searscmpt. pdf. 281 Solove & Hartzog, supra n. 279, at p. 634 n.250, FTC v. Frostwire, LLC, Compl., No. 1:11-cv-23643, at 19 (S.D. Fla. Oct. 12, 2011) (“ Frostwire Complaint”), http:/www.ftc.gov/sites/default/files/ documents/cases/2011/10/111011 frostwirecmpt.pdf. 282 See Statement of Acting Chairman Maureen K. Ohlhausen, In the matter of Lenovo (United States) Inc., F.T.C. (Sept. 5, 2017), https://www. ftc.gov/system/files/documents/public_statements/1250833/ 1523134lenovomkostatement.pdf. 283 821 F.3d 164 (1st Cir. 2016). 284 360 U.S. 374 (1965).

ACRP LRD 42 37 garding data security. During the FTC investigation, a second breach occurred in 2016. That breach involved driver and pas- senger data and was not disclosed to the FTC. Uber allegedly paid the hackers $100,000 in connection with the data breach. A tentative settlement was reached in 2017, but when the 2016 data breach was revealed to the FTC, it insisted on a revised order.294 This revised order was entered in October, 2018. It required Uber take the following measures: • Stop misrepresentation with respect to data privacy and data security measures • Establish a privacy program with the following features: o Designated employee(s) responsible for the privacy program o Identification of privacy risks o Design and implementation of control measures o Reasonable steps to select and retain service providers to implement the program o Establishment of measures to evaluate and adjust the privacy program. • Initiate initial and biennial privacy assessments iden- tifying privacy control measures and certifying their effectiveness • Third-Party Privacy Assessment for a period of 20 years. • Required reporting for subsequent breaches.295 2. Unfair Practice Cases Enforcement of unfair practices requires a showing that the action causes or is likely to cause substantial injury that is not reasonably avoidable by consumers and said injury is not out- weighed by benefits to consumers or competition.296 The unfair practice theory was derived from industry standard practices. Two Circuit Courts of Appeal have addressed the FTC’s exercise of jurisdiction under an unfair practice theory. Those decisions seem to generally affirm the FTC practice. Examin- ing both cases offers an understanding of areas examined by the FTC in its data security investigations and limitations on FTC efforts. a. FTC v. Wyndham Worldwide Corp297 In Wyndham, the Third Circuit directly addressed a chal- lenge298 to the FTC enforcement authority for cybersecurity failures on the part of Wyndham, a worldwide hotel chain. The 294 In the Matter of Uber Techs, Inc., Compl., No. C-4662 (Oct. 25, 2018), https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_ uber_technologies_revised_complaint.pdf. 295 In the Matter of Uber Techs, Inc., F.T.C., No. C-4662 (Oct. 25, 2018), https://www.ftc.gov/system/files/documents/cases/1523054_ uber_technologies_revised_decision_and_order.pdf. 296 15 U.S.C. § 45(n). 297 799 F.3d 236 (3d Cir. 2015). 298 The FTC in Wyndham alleged that the company’s failure to pro- vide for proper data security was actionable as both an unfair practice as well as a deceptive practice. However, only the issue of unfair practice was brought before the Third Circuit. Id. at 240. • Ceasing misrepresentation on several privacy matters; • Greater privacy and data security controls over third- party applications; • Enforcement of platform terms against application developers; • Deletion or deidentification of user data after account closure; • Extension of privacy protections to other Facebook owned products and services (e.g., WhatsApp and Instagram); • Limits on collection and use of biometric information; • Development of a comprehensive data security program with obligations for authentication access control and encryption; and • Several measures for enhancing privacy governance within Facebook; o Appointment of an independent board of director- level committee to address privacy issues; o Appointment of a corporate officer responsible for privacy who can only be removed by majority vote of the ne privacy committee; o Regular independent assessments of privacy practices submitted to the FTC; o Reporting of violations and certain data breaches to the FTC; and o Reporting and recordkeeping obligations to the FTC certified by the Privacy Officer and CEO.290 In its public statement announcing settlement with Face- book, the FTC confidently noted: This penalty raises the bar for civil penalties in future matters involv- ing privacy violations. Moreover, the Commission designed the Or- der’s sweeping injunctive relief not only to punish future violations, but more importantly to implement dramatic privacy transparency and oversight changes at Facebook, thereby decreasing the likelihood that those violations will occur in the first place.291 The U.S. District Court for the District of Columbia entered the order settling the case on April 23, 2020.292 c. In the Matter of Uber Technologies293 In the context of a case related to transportation services, the FTC entered an opinion and order against Uber Technologies for misrepresentations regarding data security in connection with the company’s delivery of ride share services. The action was brought after a 2014 data breach involving access to Uber driver information. The action noted misrepresentations re- 290 U.S. v. Facebook, No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020). 291 Statement of Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson In re Facebook, Inc., F.T.C., (July 24, 2019), at 8, https://www.ftc.gov/system/files/documents/public_ statements/1536946/092_3184_facebook_majority_ statement_7-24-19. pdf. 292 U.S. v. Facebook, No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020). 293 In the Matter of Uber Techs, Inc., F.T.C., No. C-4662 (Oct. 25, 2018), https://www.ftc.gov/system/files/documents/cases/1523054_ uber_technologies_revised_decision_and_order.pdf.

38 ACRP LRD 42 velops and issues cease and desist orders. A review of the deci- sion should provide an understanding of FTC expectations for proper data security. With respect to its facts, the LabMD case involved an FTC action under Section 5 of the FTCA alleging a failure of a medi- cal testing laboratory to implement sufficient measures to safe- guard data. The FTC recognized that LabMD did maintain a data security program that included “a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.”302 Despite those measures, however, the billing manager at LabMD, apparently in violation of the policy, downloaded a peer-to-peer file sharing application. Use of that application re- sulted in a public exposure of the personal and health informa- tion of 9,300 patients.303 The information was discovered by a third-party security company that hoped to get business from LabMD to fix this problem. After LabMD rejected the security company’s repeated work proposals, the security company turned information over to a research partner at Dartmouth who published an article on data security in health care. The company also turned the ex- posed records over to the FTC.304 In 2013, after an extensive investigation, the FTC issued a complaint against LabMD alleging inadequate security. Some of the deficiencies noted by the FTC included: • Absence of a comprehensive security plan; • Absence of measures to identify commonly known or reasonably foreseeable threats; • In adequate measures to prevent unnecessary employee access; • Failure to train staff on the importance of safeguarding information; • Failure to require security measures for employee remote access to data; • Failure to maintain and update operating systems; and • Failure to employ available measures to prevent or detect unauthorized access (including the installation of un- authorized applications).305 While the Eleventh Circuit assumed for purposes of its deci- sion in LabMD that the deficiencies in LabMD’s data security program constituted an unfair practice, it was not persuaded that the cease and desist order had sufficient specificity to guide the actions of LabMD to compliance. In response, the FTC has changed its practice with respect to consent agreements to settle such actions. In a statement issued on January 6, 2020, the Director of the FTC’s Bureau of Consumer Protection announced new policies on settlements that provided more specific guidance for compa- 302 Id. at 1224 n.4. (quotations omitted). 303 Id. at 1224. 304 Id. at 1225. 305 Id. at 1226 n.8. Wyndham chain suffered data breaches in 2008 and 2009 when personal and financial information about customers was stolen resulting in over $10.6 million in fraudulent charges. The FTC Complaint alleged that “at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”299 The FTC specifically noted that the following deficiencies in Wyndham’s data security practices evidenced an unfair practice violation: • Storing payment card information in clear readable text; • Use of easily guessed passwords; • Failure to use available security measures (like firewalls limiting access between properties); • Allowing network connections without adequate security (with outdated operating systems and network connec- tions using default passwords); • Inadequate restriction of third-party vendor access to network systems; • Failure to take reasonable measures to prevent or detect unauthorized access; and • Failure to follow proper incident response procedures.300 Moving to dismiss the FTC Complaint, Wyndham claimed that it did not have sufficient notice that the alleged deficiencies formed the basis of an unfair practice claim under Section 5 of the FTCA. The Third Circuit concluded that the FTC had stated suf- ficient basis to maintain an unfair practice in with respect to Wyndham’s data handling practices. The Court concluded that sufficient notice of Section 5’s coverage of cybersecurity could have been gleaned from the FTC’s prior enforcement actions. Those actions constituted sufficient notice to Wyndham of the potential application of unfair practice jurisdiction for poor cyber security practices. The Wyndham decision demonstrates the potential liability for failing to properly manage data security. Airports looking to develop these types of programs should look at the grow- ing body of FTC enforcement actions to understand what types of measures are reasonably expected to ensure that col- lections of personal data are properly protected. Failure to do so may result in liability for unfair practices under the FTC’s enforcement of Section 5 of the FTCA. b. LabMD, Inc. v. FTC301 The LabMD case offers some interesting insights into the workings of the FTC with respect to unfair practice claims. In that case, the Eleventh Circuit concluded that provisions of the FTC’s cease and desist order with respect to an administrative finding of inadequate security were unenforceable because they lacked specificity. This case caused the FTC to revise how it de- 299 Id. (quotations omitted). 300 Id. at 240-41. 301 894 F. 3d 1221 (11th Cir. 2018).

ACRP LRD 42 39 Shield in 2020, it is unclear what enforcement authority FTC will have concerning those previously certified agreements form registered organizations. d. Joint State and Federal Deceptive and Unfair Practice Enforcement. The FTC has acted in coordinated efforts with some state attorneys general. Two settlements in 2017 demonstrate those joint activities. A particularly good example is In the Matter of Lenovo (United States) Inc.310 This case involved settlement of an action taken in conjunction with actions brought by 32 state Attorneys General. Similarly, in the settlement in FTC v. Vizio, Inc.,311 the FTC in conjunction with the Attorney General /of New Jersey alleging that software in Vizio televisions that moni- tored viewing habits was problematic. The matter was settled with a district court entry of a consent decree and a $2.2 million dollar fine.312 e. Additional FTC Privacy Enforcement Activity and Rulemaking Authority In addition to its enforcement authority under Section 5 of the FTCA, the FTC has authority for enforcement of several other acts313 including the GLBA314 and the Children Online Pri- vacy Protection Act of 1998 (COPPA).315 While GLBA generally would not apply to airports or their stakeholders, some of the FTC’s enforcement is in conjunction with these statutes. For air- ports, COPPA enforcement would be relevant only in circum- stances where the airport or airport stakeholders seek to gather information without parental consent from children under the age of 13. f. In re Equifax Inc. Customer Data Sec. Breach Litigation316 This case demonstrates the FTC’s authority under both Sec- tion 5 of the FTCA and the provisions of the GLBA. 310 See FTC, Lenovo Settles FTC Charges It Harmed Consumers with Preinstalled Software on Its Laptops that Harmed Consumers, F.T.C. (Sept. 5, 2017), https://www.ftc.gov/news-events/press-releases/2017/09/lenovo- settles-ftc-charges-it-harmed-consumers-preinstalled. 311 FTC v. Vizio, Inc., Compl., No. 2-17-cv-00758, 2017 U.D. LEXIS 219381, (D.N.J. Feb. 6, 2017), https://www.ftc.gov/system/files/docu- ments/cases/170206_vizio_2017.02.06_complaint.pdf. 312 VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions with- out Users’ Consent, F.T.C. (Feb. 6, 2017), https://www.ftc.gov/news-events/ press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle- charges-it. 313 As an example, the FTC has enforcement authority over the FCRA (section IV, Supra) bringing over 100 cases with $40 million in penalties. See, FTC Use of Its Authorities to Protect Consumer Privacy and Security F.T.C. (2020), at p. 7, https://www.ftc.gov/system/files/documents/reports/ reports-response-senate-appropriations-committee-report-116-111-ftcs- use-its-authorities-resources/ p065404reportprivacydatasecurity.pdf. 314 15 U.S.C. § 6801 et seq. 315 15 U.S.C. §§ 6501-6506. 316 No. 1:17-md-2800-TWT, 2020 U.S. Dist. LEXIS 7841 (N.D. Ga. Jan. 13, 2020). nies.306 The guidance was developed in response to the LabMD decision with information gathered in public hearings held in December 2018. Improved orders should provide greater specificity. They continue to require that the company implement a compre- hensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint. Examples have included yearly employee training, access controls, monitoring systems for data security inci- dents, patch management systems, and encryption. These require- ments not only make the FTC’s expectations clearer to companies, but also improve order enforceability.307 In addition to providing more specific guidance, the FTC is also seeking to strengthen governance by requiring third- party assessors in its orders to evaluate compliance. This external assess ment is thought to enhance accountability. Additionally, the new orders will seek to raise the issue of data protection to the Board and C-Suite level of organizations.308 Review of the FTC guidance and consent orders informs air- ports and airport stakeholders of the measures the FTC views as critical to adequate data security programs. Consideration of and compliance with these measures is necessary to avoid costly liability. c. Enforcement of International Privacy Frameworks: EU-U.S. Privacy Shield (formerly Safe Harbor), Swiss-U.S. Privacy Shield and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR). Section 5 of the FTCA is also used as a basis for enforce- ment of certain international agreements with respect to privacy protections. The provisions of those agreements are more fully outlined in Section XII of this paper. Privacy Shield and APC CBPR agreements involve self-certification by companies in the United States looking to avail themselves of data protected in foreign jurisdictions. The companies agree to follow privacy principles established in those agreements. Those provisions are frequently more stringent that those required by U.S. law. By virtue of the company’s self-certification and representation to follow privacy principles established by those frameworks, the FTC can enforce those provisions to address misrepresen- tations under Section 5 of the FTCA. As of 2019. The FTC re- ported initiating 75 actions for violations of these international agreements.309 A number of those actions were for companies that falsely indicated that they had self-certified participation. Considering the discontinuation of EU participation of Privacy 306 See Andrew Smith, New and Improved FTC Data Security Orders: Better Guidance for Companies, Better Protection for Consumers, FTC (2020), https://www.ftc.gov/news-events/blogs/business-blog/2020/01/ new-improved-ftc-data-security-orders-better-guidance (the statement includes links to seven orders issued in 2019 utilizing the new format). 307 Id. 308 Id. 309 FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020) at 2, https://www.ftc.gov/system/files/documents/reports/ reports-response-senate-appropriations-committee-report-116-111-ftcs- use-its-authorities-resources/p065404reportprivacydatasecurity.pdf.

40 ACRP LRD 42 B. Rulemaking Authority The FTC has rulemaking authority under COPPA and GLBA to address privacy concerns. The Administrative Pro- cedures Act governs this rulemaking authority.321 The FTC also has limited rulemaking authority to regulate deceptive and un- fair trade practices under the provision of the Magnuson-Moss Warranty-FTC Improvement Act.322 Thus far, however, the FTC has declined to exercise that rulemaking authority to address privacy protections.323 C. Advocacy and Education In addition to the statutory and regulatory enforcement ac- tivities outlined above, the FTC engages in several activities that are designed to strengthen consumer rights and privacy protec- tions. These activities include • Annual Privacy Updates: These updates provide sum- maries of FTC enforcement activities and other actions taken to meet FTC mission requirements. • Business Blog: This blog includes discussions of current privacy topics.324 • Publication of Settlements: This listing of FTC settle- ments includes complaint and settlement documents as well as statements FTC and press releases.325 • Reports and Guides on a range of outreach subjects.326 • Open Hearings and Outreach: The FTC website includes information about both upcoming and past outreach events together with relevant information about the out- comes of those outreach events. 321 See, e.g.16 C.F.R. § 313 (Privacy of Consumer Financial Informa- tion Rule); 16 C.F.R. § 312 (Children’s Online Privacy Protection Rule). 322 15 U.S.C. § 57a. 323 FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020), at 5, https://www.ftc.gov/system/files/documents/reports/ reports-response-senate-appropriations-committee-report-116-111-ftcs- use-its-authorities-resources/p065404reportprivacydatasecurity.pdf. 324 FTC Business Blog, https://www.ftc.gov/news-events/blogs/ business-blog (last visited Aug. 4, 2020). 325 See, e.g., Cases Tagged with Privacy and Security= Consumer Pri- vacy + Data Security + Identity Theft, F.T.C. (2020), https://www.ftc.gov/ enforcement/cases-proceedings/terms/245%2B247%2B249%2B262. 326 See, e.g., Protecting Personal Information: A Guide for Business, F.T.C. (Oct. 2016), https://www.bulkorder.ftc.gov/publications/protecting- personal-information-guide-business; Data Breach Response: A Guide for Business, F.T.C. (May 2019), https://www.bulkorder.ftc.gov/publications/ data-breach-response-guide-business; Start with Security: A Guide for Business F.T.C. (June 2015), https://www.bulkorder.ftc.gov/publications/ start-security-guide-business; Protecting Consumer Privacy in an Era of Rapid Change, F.T.C. (Mar. 2012), https://www.ftc.gov/sites/default/files/ documents/reports/federal-trade-commission-report-protecting- consumer-pr ivac y-era-rapid-change-recommendat ions/ 120326privacyreport.pdf; Facing Facts: Best Practices for Common Use of Facial Recognition Technologies, F.T.C. (Oct. 2012) https://www.ftc.gov/ sites/default/files/documents/reports/facing-facts-best-practices- common-uses-facial-recognition-technologies/121022facialtechrpt.pdf. The FTC’s complaint against Equifax alleged that the company failed to secure the massive amount of personal information stored on its network. Among other things, the company allegedly failed to patch well-known software vulnerabilities, failed to segment its database servers, and stored Social Security numbers in unencrypted, plain text. According to the complaint, these failures led to a breach that af- fected more than 147 million people, and exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud. The settlement, which totals between $575 million and $700 million, was part of a global resolution where Equifax settled matters with a consumer class action, the Consumer Financial Protection Bureau, and 50 states and territories.317 In addition to maintaining the action against Equifax under the provisions of Section 5 of the FTCA, the FTC also alleged violations of GLBA provisions that required firms to assess and address foreseeable risks to the protection of personal data.318 While the GLBA protections only extend to financial institu- tions, the data protection failures also punishable under Section 5 of the FTCA offer examples of data protection failures that can impose liability. g. FTC and The People of the State of New York v. Google, LLC and YouTube, LLC319 In this case, the FTC in conjunction with the Attorney Gen- eral of New York brought an action against YouTube and its parent corporation Google in connection with YouTube’s col- lection of personal information from children under the age of 13 without parental notification and consent in violation of the provisions of COPPA. The case resulted in the imposition of $170 million in fines and penalties against YouTube and Google ($136 Million to the FTC and $36 Million to the State of New York) and the entry of injunctive relief. That injunctive relief included measures to ensure that content providers self-certify the existence of content directed to children. It also requires that Google and YouTube provide notice of their data collection practices with respect to children and acquire requisite parental consents in accordance with the provisions of COPPA.320 This case should serve as a reminder to airports and airport stakeholders that where data collection programs are designed to target children under the age of 13, special rules apply. The collection of data regarding these children using internet tools is something that requires additional analysis. In fact, any use of data regarding children, such the use of video images and the like, is likely worthy of special scrutiny. 317 FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020), at 6, https://www.ftc.gov/system/files/documents/reports/ reports-response-senate-appropriations-committee-report-116-111-ftcs- use-its-authorities-resources/p065404reportprivacydatasecurity.pdf. 318 Id. at 7. 319 No. 1:19-cv-02642, (D.D.C. Sept. 10, 2019), https://www.ftc.gov/ system/files/documents/cases/172_3083_youtube_coppa_consent_ order_signed.pdf. 320 Id.

Next: VII. OVERVIEW OF STATE CONSTITUTIONAL PRIVACY PROTECTIONS »
Legal Implications of Data Collection at Airports Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!