By Caleb Skeath
At a recent IAPP privacy event, officials from the FTC and CFPB offered insight into their respective agencies’ future enforcement plans, as well as the shifting landscape of privacy enforcement actions. Although such enforcement actions have historically been the domain of the FTC, the FCC recently entered the privacy enforcement arena, announcing a $10 million fine against two telecommunications carriers on October 24 for failing to protect customer data. While the FTC has broad authority under Section 5 to police unfair and deceptive acts and practices, the FCC relied on its authority under Section 201(b) to prohibit “unjust or unreasonable” practices to support its recent enforcement action. The FCC also announced on October 28 that it joined the Global Privacy Enforcement Network, an organization dedicated to fostering cross-border cooperation among privacy authorities. Prior to the FCC’s joining the Network, the FTC was the only U.S. member.
At the event, Maneesha Mithal, the associate director of the FTC’s Division of Privacy and Identity Protection, dismissed concerns about conflicts and overlaps between the FTC and FCC when it comes to enforcement. Mithal applauded the FCC’s foray into privacy enforcement, citing the importance of having “multiple cops on the beat.” Mithal also noted that the two agencies are committed to working “very closely” to avoid the risk of creating “overlapping, duplicative or conflicting requirements.” As part of this effort, Mithal told the audience that she meets “fairly frequently” with Travis LeBlanc, the Chief of the FCC’s Enforcement Bureau.
On a separate panel, CFPB Senior Counsel Pavneet Singh offered a summary of the CFPB’s enforcement powers, as well as guidance for what to expect from the agency’s future plans for enforcement. Singh noted that the CFPB’s enforcement jurisdiction, like the FTC’s Section 5 authority, encompasses unfair or deceptive acts or practices, and stated that the FTC’s actions “generally inform the Bureau’s views on unfairness and deception.” When questioned about the CFPB’s future plans for privacy enforcement, she declined to offer details but stated that the Bureau “look[s] for violations of consumer financial laws through enforcement and examination, and a lot of what priorities are made is based on what we find.”
While the FCC has just begun to explore its ability to enforce privacy regulations, the CFPB has yet to exercise the privacy enforcement authority granted to it under the Dodd-Frank Act. Under the Act, as codified in 12 U.S.C. Section 5531, the CFPB has the power to punish any “unfair, deceptive, or abusive act or practice . . . in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.” Singh also noted that future publications of the Bureau’s unified agenda, which is released bi-annually, may offer some insight into the CFPB’s future plans for enforcement.