Module Privacy Risk Trust

To learn about the key issues of how consumer data is regulated in the US, to understand the sectoral regulatory approach, to learn about the various definitions of personally identifiable information, to understand how state common law protects consumer privacy, and to learn about the major role that the Federal Trade Commission (FTC) plays in regulating privacy and about the substance of its cases.


Length: Approximately 1 hour

Written by: Professors Daniel J. Solove and Paul M. Schwartz

Instructor: Professor Daniel J. Solove


This course provides an overview of how consumer data is regulated in the US. The course begins with essential background about the US sectoral approach to privacy law. The course then discusses the various definitions of personally identifiable information, standing, and how state common law (tort and contract) protects consumer privacy. The main portion of the course involves an extensive overview of the FTC – its Section 5 jurisdiction, deception and unfairness, other sources of FTC privacy and security jurisdiction, penalties and consent decrees, and more. The course discusses key FTC cases and the important principles and lessons that can be gleaned from the many FTC enforcement actions pertaining to privacy and security.

Although this course can stand alone, it is recommended that this course be taken along with its companion course: Consumer Data and US Regulation Part II: Statutory Law. 

To obtain a broad overview of privacy law, to understand the key issues involved, to learn how privacy law works, and to understand the differences and similarities between various privacy laws. Please note that certificates for the Consumer Data and US Regulation courses will only be provided for people who successfully complete both Parts I and II.


About this Course
The US System of Privacy Law Regulation


The Sectoral Approach
Federal and State Laws

The Chief Privacy Officer

Personally Identifiable Information
Injury and Standing
Tort Law

Creating Marketing Lists of Names
Sponsored Stories
Limitations of the Privacy Torts

Contract Law

Opt Out vs. Opt In
Are Privacy Policies Contracts?
Promissory Estoppel
Privacy Settings and Other Statements About Privacy


FTC Section 5 Enforcement

The Scope of Section 5
FTC Enforcement Powers
FTC Enforcement Process
FTC Consent Decrees

Prohibitions on Wrongful Activities
Fines and Other Monetary Penalties
Deleting Data or Refraining from Using It
Making Changes in Privacy Policies
Establishing Comprehensive Programs
Assessments by Independent Professionals
Recordkeeping and Compliance Reports
Notification of Material Changes Affecting Compliance

FTC Jurisprudence

Broken Promises
Retroactive Policy Changes
Inadequate Notice
Deceptive Data Collection
Inadequate Security
Security Gaffes and Failure to Train
Transfer of Data in Bankruptcy
Violating the Privacy Policies of Others
Inadequate Vendor Management
Some Takeaways

FTC Beyond Section 5




Required Readings
Article: Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 584 (2014)
Article: Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 NYU L. Rev. 1814 (2011)


Recommended Readings
Book: Daniel J. Solove & Paul M. Schwartz, Consumer Privacy and Data Protection (Aspen 2nd edition 2018)