Historically, the FTC's privacy enforcement actions have been slaps on the wrist. Part of the reason is that the commission can't go after privacy breaches, only cases where a business doesn't live up to the privacy protection it promises (whether there's a breach or not).
But with the FTC's first-ever attempt to actually take a chain with major privacy problems to court (Wyndham Hotels, announced in June) and its largest-ever civil penalty against Google last week, it's increasingly clear that the FTC intends to push that one basis for enforcement as aggressively as the commission can.
Another potential source of blindsiding: Industry self-regulatory programs that your chain joins. If the program or group has a code of conduct for privacy-related behavior and disclosure, and your chain doesn't fulfill the requirements of that code, the FTC could go after you for misrepresentation even if the program itself doesn't take disciplinary action. "Once you advertise your adherence to an industry code, live up to its terms," Fair wrote.
That type of bending isn't something the FTC will accept any longer—in fact, the commission will specifically be looking for red flags like that. That means IT, and especially E-Commerce and M-Commerce developers, need to be watching for anything that bends the rules from the bottom up.
A $22.5 million settlement is pocket change to Google, and it may not even be a big deal for your chain. But if you end up as a target, the numbers are just going to get bigger.