One of the most common questions I am asked by potential clients is whether they really need to build a comprehensive privacy program, even if they are not subject to the European General Data Protection Regulation.
Now there’s generally no arguing when it comes to the GDPR; accountability is enshrined as a core principle of Article 5. Companies must “be responsible for, and be able to demonstrate compliance with” the other privacy principles set forth in Article 5. The main way to demonstrate compliance is through policies, procedures, and people. (Oh snap, that’s your privacy program right there!)
On top of that, for years the GDPR has dominated mainstream privacy media coverage, with only the CCPA nipping at its heels. Unfortunately, that seems to have given rise to the mistaken belief that those are the only laws U.S. companies need to worry about.
But as you know from my prior post on evolving MLM regulation, the U.S. Federal Trade Commission casts a long shadow. With regard to privacy and security, the FTC has broad enforcement authority under Section 5 of the FTC Act, which prohibits false, deceptive or unfair consumer practices (just ask Twitter or Snapchat). In addition, the FTC has the authority to enforce specific privacy-related statutes such as the FCRA, the GLBA, HIPAA, COPPA, the TCPA and the CAN-SPAM Act. FTC enforcement actions often contain prescriptive terms that must remain in place for decades.
I will admit that I struggled with interpreting FTC enforcement actions in my early years as a privacy lawyer. Perhaps it’s because I have never been a judicial clerk or a litigator, but I always wondered if I was reading enforcement actions the “right” way. I had thoughts like “Should I be reading the Order first or the Complaint? Why do the Orders often seem strangely generic compared to the very specific Complaints they follow? Should I worry about an issue that was raised in the Complaint but not ultimately addressed in the Order?”
There’s also the added ambiguity that comes from the fact that enforcement actions are brought against a specific company and don’t set broad, legally binding precedent. Thus, it’s not always clear which of their mandates are meant to apply only to that company and which reflect expectations the FTC holds for everyone else.
However, when you take a step back and just focus on the text of the FTC’s Complaints and Orders, there are very clear recurring high-level themes. When you view those themes alongside U.S. State data breach notification laws, the California Consumer Privacy Act and other similar State privacy laws coming on the books, you see various privacy and security requirements that can only be met through a holistic privacy and information security program.
It also may surprise some to know that while the GDPR contains a relatively vague reasonableness standard for security measures, the FTC has gotten very specific about what it expects to see from companies in this area – namely, measures like SSL certificate validation, encryption (no, data camouflage is not enough), third party risk assessments, secure product development, access controls and user authentication, privacy settings, change management protocols for material privacy changes, and secure destruction procedures.
In short, the GDPR is not the only sheriff in town when it comes to accountability!