Supreme Court ruling impacts how FTC can prosecute privacy cases
The Supreme Court recently dealt a potential blow to the FTC’s enforcement toolbox. In particular, the ruling affects his ability to seek monetary relief under a theory he has used in a wide variety of cases, including those relating to privacy and security, according to which l he monetary relief is a “permanent injunction” on behalf of consumers. In AMG Capital Management, LLC v. Federal Trade Commission, the Supreme Court ruled that while the FTC should be able to obtain an injunction to end unfair practices, that power does not extend to seeking monetary redress for aggrieved consumers. The dispute before the Supreme Court concerned the interpretation of Section 13 (b) of the FTC Act, which allows the Commission to seek “permanent injunctions”. Historically, the FTC has interpreted this provision to also allow it to seek monetary remedies to return money to aggrieved consumers. The Supreme Court disagreed. In the AMG case, there were allegations of a deceptive payday loan (unfair practices under the FTC law). The FTC had sought not only an injunction, but the payment of $ 1.27 billion in restitution. While the Ninth Circuit authorized the payment, the Court rejected it.
Shortly after the publication of this notice, the FTC reported its intention to continue to pursue monetary penalties by other means, and encouraged Congress to “restore and strengthen the powers of the agency.” In the meantime, the agency said it plans to develop partnerships with state attorneys general, who can seek financial penalties under state laws. The ruling also does not affect the agency’s ability to seek civil penalties for violating an FTC order (Offenses under subsection 5 (l)), nor its ability to obtain consumer redress through the (arguably cumbersome) Section 19 process. These two avenues are not, however, as immediate as the permanent injunction the FTC used prior to the court ruling.
Putting it into practice: This decision suggests that the FTC could be more active in implementing joint applications in a wide variety of cases – including privacy and security cases – with state MAs. Businesses should keep this in mind when planning data privacy and security programs, and would be well served considering the fairness expectations not only reported by the FTC, but also by state MAs.