Section 5 and the FTC’s Proper Role in Privacy and Data Security Regulation
Commissioner Brill and a few academics have described the FTC’s data security settlements as developing a “common law” of data security. It is not readily apparent, however, that the over 50 independent complaints and settlement agreements between the FTC and particular companies amount to what is traditionally understood as the common law. Moreover, because the FTC’s enforcement and adjudication process differs so substantially from traditional civil adjudication, even if the FTC’s data security settlements have certain common law characteristics, it is likely that the content of the FTC’s data security law differs substantially from what would emerge from – and what would be desirable in – a traditional common law process.
As it happens, however, we do have an actual common law of data security — that is, data security cases adjudicated in civil courts — with which to compare the FTC’s process and settlements.
Those who defend the notion of an FTC data security common law identify the shortcomings of common law in civil courts—alleging, in essence, a sort of “market failure”—and they suggest that the FTC’s common law approach can and should correct this market failure, in part because the FTC does have a common law process. These claims are often largely descriptive, but, as suggested, there must be a normative preference inherent in the “common law” conclusion – or else, who cares?