FTC v. Wyndham Worldwide Corporation

Third Circuit to Wyndham (Part II): “Deceptive” is also “Unfair” in the Cybersecurity Context

In Part I, we discussed the Third Circuit’s finding that the “unfair” prong of the FTC Act does not require the agency to provide specific cybersecurity standards with “ascertainable certainty” to which companies must conform.  In Part II, we discuss the interplay between the FTC’s prohibition on “deceptive” acts and unfair cybersecurity practices.

The FTC has long applied its “deceptive acts” enforcement power to police representations, omissions or practices that are likely to mislead consumers acting reasonably under the circumstances, [1] and its “unfair acts” enforcement power to police acts that likely injure consumers, but which are not reasonably avoidable by the consumers themselves. [2] In the cybersecurity context, the Third Circuit’s landmark decision in FTC v. Wyndham Worldwide Corporation illustrates the “frequent overlap” between deception and unfairness by explicitly linking alleged overstatements in privacy policies to the question of whether security practices are unfair.  Accordingly, companies should exercise serious care in crafting representations in their privacy policies, terms of use, and other consumer-facing statements to validate that those statements closely conform to actual, internal business practices.
