Lesson 05 of 25
FTC Section 5: Unfair & Deceptive Practices and Consent Decrees
5 min read · CIPP/US
How a broken privacy promise becomes a federal case. Learn the deceptive and unfair prongs, the FTC's reasonable-security benchmark, and why the twenty-year consent decree, not a first-offense fine, is the agency's real lever.
FTC Section 5 as the cross-sector backstop
- Applies across industries where no sectoral law reaches
- Two prongs: deceptive and unfair
- Privacy promises and data security both fall under it
- Domain II opens here because Section 5 touches everything
We open the federal sectoral domain not with a sector but with the law that sits across all of them: FTC Section 5. Domain II covers the specific limits on private-sector collection and use of data (health, financial, education, children, marketing), but the FTC's general authority is the connective tissue, reaching companies that fall between the sectoral statutes. Recall the two prongs.
Deceptive practices are material representations or omissions likely to mislead a consumer acting reasonably. Unfair practices cause substantial consumer injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits. Both prongs reach privacy promises and data-security failures, which is why a single Section 5 case can govern a social network, a retailer, or an app maker alike.
How a privacy promise becomes a case
- Policy says X, company does Y → deception
- Material change without notice/consent → deception
- Even ambiguous claims ("secure," "anonymous") can mislead
- Silence can deceive when disclosure was expected
Here's the mechanism the exam loves. A company publishes a privacy policy, then does something the policy didn't allow: sharing data it said it wouldn't, or quietly changing how it uses data already collected. That mismatch is the deception.
It doesn't take an outright lie. Calling data anonymous when it's re-identifiable, or a service secure when its security is plainly inadequate, can be a deceptive claim. And omissions count: staying silent about a material practice a consumer would want to know can itself deceive.
The practical lesson, and the program lesson from the last lecture, is that the privacy notice is a binding promise. The fix isn't fancier language; it's making sure the notice matches reality and that material changes get fresh notice or consent.
Unfairness and the data-security cases
- No promise needed — conduct itself causes harm
- Weak security exposing sensitive data is the classic example
- "Reasonable security" is the FTC's recurring benchmark
- Failure to patch, encrypt, or limit access → unfair
The unfairness prong is the FTC's data-security workhorse, and it doesn't depend on a broken promise. When a company collects sensitive personal data and then secures it so poorly that consumers are exposed to substantial harm, like identity theft, the FTC can call the conduct unfair even if the company never promised much. Through years of enforcement, the agency has built up a working benchmark of reasonable security: patching known vulnerabilities, encrypting sensitive data, limiting access on a need-to-know basis, and monitoring for intrusions.
There's no single statute listing these; they emerge from the cases. When a scenario describes obviously careless security and real consumer harm with no specific promise in sight, unfairness is your answer.
Consent decrees: the FTC's real power
- Settlements bind the company, often for 20 years
- Require a comprehensive privacy/security program
- Mandate independent third-party assessments
- Violating the order triggers civil penalties
Now the part that makes Section 5 so powerful in practice: the consent decree. The FTC usually resolves a matter not with an immediate fine but with a settlement order that binds the company for years, commonly twenty. That order typically forces the company to build a comprehensive privacy or information-security program, fix the specific failures, and submit to independent third-party assessments on a recurring schedule.
The teeth come later: if the company violates the order, the FTC can seek civil penalties for each violation. So the exam answer to "what does the FTC do first?" is generally a consent order with a mandated program and assessments; penalties arrive on the second offense, not the first.
Beyond Section 5: the FTC's other privacy hats
- Lead enforcer of COPPA (children's online privacy)
- Enforces the GLBA Safeguards Rule for many businesses
- Rulemaking and reports shape industry practice
- Coordinates with state AGs on big matters
Don't pigeonhole the FTC as only a Section 5 agency, because the exam tests its wider portfolio. The FTC is the lead enforcer of COPPA, the children's online privacy law we'll cover later, and it enforces the GLBA Safeguards Rule for the many financial-adjacent businesses under its jurisdiction, like mortgage brokers and auto dealers. Beyond enforcement, the agency shapes the whole market through rulemaking, guidance, workshops, and influential reports; its privacy reports have effectively set expectations for notice, choice, and data security across industries.
And on major matters it frequently coordinates with state attorneys general, producing joint actions and large combined settlements. So when a scenario involves children's data, a non-bank financial business's security, or a sweeping data-practice problem, the FTC is often in the picture under one of these other authorities, not only its general Section 5 power.
Exam reasoning: when does the FTC step in?
- Default enforcer when no sectoral statute fits
- Also leads COPPA and Safeguards Rule enforcement
- Deceptive = broken/misleading promise; unfair = harm without promise
- Distractor: assuming a fine before any consent order
Let's lock in the reasoning. The FTC is your default answer when a privacy or security problem doesn't fit a named sectoral statute, and it's also the lead enforcer of some statutes we'll meet, including COPPA and the financial Safeguards Rule. To pick the prong: a broken or misleading promise points to deceptive; harm from bad conduct with no promise points to unfair.
And remember the remedy sequence: consent order and mandated program first, civil penalties only if the order is later breached. A distractor that jumps straight to a first-offense fine is usually wrong. Recap: Section 5 is the cross-sector backstop, deception versus unfairness, and the twenty-year consent decree is the real lever. Now go test yourself, then we enter health-data privacy under HIPAA.
Sources
- FTC Act Section 5 (15 U.S.C. § 45 — unfair or deceptive acts or practices)
- FTC consent-order and assessment practice
- Children's Online Privacy Protection Act (15 U.S.C. § 6501)
- GLBA Safeguards Rule (16 CFR Part 314)
- IAPP CIPP/US Body of Knowledge, Domain II.A (Cross-sector FTC Privacy Protection)
Test your knowledge
A few CIPP/US questions on this material — pick an answer to see the explanation.
Q1. Which of the following industries is explicitly EXEMPT from FTC jurisdiction under Section 5 of the FTC Act?
Q2. The Privacy Act of 1974 imposes obligations on which category of organizations?
Q3. Under the FTC's unfairness authority (the unfairness prong of Section 5), a practice is deemed unfair if it causes or is likely to cause substantial consumer injury that is:
Q4. A company's privacy notice states it will never share customer data with third parties. It then sells data to a marketing firm. The FTC is most likely to characterize this as: