FTC Whistleblower Act Protects Whistleblowing on Data MisconductDecember 3, 2021
Earlier this week, Representatives Jan Schakowsky and Lori Trahan (D-MA) introduced the FTC Whistleblower Act of 2021 (FTCWA), which would reward and protect disclosures about potential or suspected violations of any law, rule, or regulation enforced by the Federal Trade Commission (FTC or Commission). Modeled on the successful SEC whistleblower reward program, the FTCWA (HR 6093) could supercharge FTC enforcement of laws that prohibit fraud, deception and unfair business practices.
And an FTC whistleblower reward program could spur whistleblowers at social media and technology companies to disclose data privacy and security practices that harm consumers. As demonstrated by the success of similar laws rewarding whistleblowing about various types of fraud, offering financial incentives to encourage potential whistleblowers to take the significant risk of coming forward would substantially enhance the FTC’s ability to detect and combat deceptive trade practices.
Violations that Could Qualify for a Whistleblower Award (FTC Enforcement Authority)
The U.S. lacks comprehensive general privacy and data security legislation. In many ways this limits the FTC’s ability to address harmful practices. Nonetheless, through a patchwork of statutory authority, the Commission has surprisingly broad ability to address privacy and data security concerns. This expansive scope is good news for whistleblowers because the proposed bill’s protections and incentives would cast a correspondingly wide net.
The FTC has relied on its authority under the FTC Act and narrower specific statutes to stop and remediate privacy and data security violations. Section 5 of the FTC Act provides the primary legal authority for the Commission to regulate privacy and data security. Section 5 prohibits “deceptive” or “unfair” commercial acts or practices. A representation, omission, or practice is deceptive if it is material and likely to mislead consumers acting reasonably. An act or practice is unfair if (1) it causes or is likely to cause substantial injury, (2) consumers cannot reasonably avoid the injury, and (3) benefits to consumers or competition do not outweigh the injury.
In addition to the FTC Act, the Commission enforces a variety of laws that protect specific aspects of privacy, including the Gramm-Leach-Bliley Act (“GLB”), which protects the privacy of financial information; the CAN-SPAM Act, which allows consumers to opt out of receiving commercial email messages; the Children’s Online Privacy Protection Act (“COPPA”), which protects the online privacy of children under 13; the Fair Credit Reporting Act (“FCRA”), which protects the privacy of consumer report information; the Fair Debt Collection Practices Act, which protects consumers from harassment by debt collectors; and the Telemarketing and Consumer Fraud and Abuse Prevention Act, under which the FTC implemented the Do Not Call registry.