About Consent Decrees
Last Friday, Aug. 30, 2024, the Federal Trade Commission filed a stipulated lawsuit against Verkada, Inc.1 The FTC makes several allegations in its complaint, ranging from failure to use appropriate information security practices to protect customers’ and consumers’ personal information collected through the company’s security cameras, to making false statements regarding compliance with HIPAA and Privacy Shield, failing to disclose that specific positive reviews were created by people associated with the company, and violating the CAN-SPAM Act.2 Since I work in email deliverability and privacy/data protection, this is the perfect case for me, so let’s take a deeper look at the issues over the next few posts.
We’ll start today by looking at consent decrees. I want to consider what they are, how they happen, and why they can be problematic.
What is a “Consent Decree?”
A “consent order” (also known as a “consent decree”) is “a decree or order made by a judge with the consent of all parties. It is not strictly a judgment, but rather a settlement agreement approved by the court. The agreement is submitted to the court in writing after the parties have reached a settlement, and once approved by the judge, the agreement is binding and enforceable on both parties.”3
We often see consent decrees used to short-circuit the litigation process in cases involving governmental units (like civil rights litigation involving police forces or school districts), the FCPA,4 HIPAA,5 or the CAN-SPAM Act. In exchange for the government agreeing not to prosecute, the defendant agrees to be bound to do certain things but does not admit guilt or liability. In the case of litigation involving private businesses, this almost always includes “disgorgement” of “unlawful gain” or otherwise paying some penalty. The judge retains jurisdiction over the case for as long as the consent decree is valid (that could be indefinitely in civil rights cases, whereas civil cases often have an agreed-upon period of years).
An excellent way to understand a consent decree is to compare it to what many people do when they get a traffic ticket. In exchange for the government dismissing the case, the person who got the ticket agrees to take a defensive driving course (and often pays some court fees) — whether they agree that they committed the offense or not. They take the agreement to the judge, who retains control over the case until proof is presented that the defensive driving course was taken and then dismisses the case.
How consent decrees happen
How a consent decree happens depends on the kind of case. I’m not a civil rights attorney, so I won’t discuss school desegregation, policing, or voting rights cases that have ended (or might end) in consent decrees.
When it comes to civil cases, we often see that the government starts with an investigation. In Verkada’s case, it appears that the FTC opened an investigation after the company suffered a data breach in March 2021.6 As they investigated, they discovered other issues, including a prior breach and what they believed to be CAN-SPAM Act violations. Once these issues were uncovered, Verkada could dispute them and proceed to trial or seek to settle with the FTC.
One of the primary considerations in these cases is the cost involved. A party’s attorneys cost money, and a defendant can spend more money defending a case than they would save if they won in court. It makes little sense to pay $1,000,000 in attorney’s fees to defend against a $100,000 fine. On the other hand, if a defendant knows that they will lose anyway, it is often more cost-effective to settle and save the expense of the trial. In either case, the government saves time and money by not having to prepare for trial.
Another consideration is the onerousness of the proposed agreement. If the FTC offers to settle the case with a consent agreement that requires the defendant to do what they have already done or are planning to do anyway, then entering into the consent decree may make more sense.
Finally, publicly traded companies may gain a slight advantage in future derivative litigation by not having an actual judgment to use. The allegations in an FTC complaint will almost certainly be used by shareholders looking to sue the company and its officers, but they will lose some of the strength that would have been found in pointing to a final judgment.
How consent decrees can be problematic
Consent decrees can be problematic for the industry in a couple of ways:
When a company settles, it achieves its goal of avoiding the costs and uncertainties of litigation, but that comes at the societal cost of allowing the government to win without proving its claims (which is good for the government). Repeatedly winning in this manner can encourage regulators to pursue more aggressive cases, even when they don’t have strong evidence. It also sets a precedent that the government’s interpretation of the law holds weight, even without a court decision.
Also, if many companies agree to similar consent decrees, de facto standards can be created.7 These standards are not set through legislation, formal rulemaking, or industry consensus but through finding a critical mass of individual settlements, which may not be practical in all instances or reflective of industry realities. The result is that companies might feel pressured to follow guidelines that haven’t been widely agreed upon, reshaping everything without proper input from all stakeholders. (Interestingly, the US Supreme Court’s decision in Loper Bright8 may have lessened this impact.)
Conclusion
Consent decrees are essential for regulatory enforcement, but they come with challenges. They can expedite the legal process, save costs, and bring about swift compliance changes, but they also carry risks for both the businesses involved and the industries in which they operate. In future posts, we’ll dive deeper into the allegations against Verkada and the agreement they struck with the FTC and examine the impact.
Footnotes
1. FTC Takes Action Against Security Camera Firm Verkada over Charges it Failed to Secure Videos, Other Personal Data and Violated CAN-SPAM Act, Federal Trade Commission (2024), https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-takes-action-against-security-camera-firm-verkada-over-charges-it-failed-secure-videos-other (last visited Sep 3, 2024).
2. Complaint, U.S. v. Verkada, No. 3:24-cv-06153 (N.D. Cal. Aug. 30, 2024), ECF No. 1, at 2.
3. Consent order, LII / Legal Information Institute, https://www.law.cornell.edu/wex/consent_order (last visited Sep 4, 2024).
4. Federal Corrupt Practices Act.
5. Health Insurance Portability and Accountability Act of 1996.
6. Verkada, FTC Settlement: Explained, (Aug. 30, 2024), https://www.verkada.com/blog/ftc-settlement-explained/ (last visited Sep 4, 2024).
7. See: Recent Case, FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3d Cir. 2015), 129 Harv. L. Rev. 1120, 1121 (Feb. 10, 2016) (“Although the court acknowledged the parties’ dispute over the applicable standard of review, it focused instead on the ability of the FTC’s public statements, guidance documents, and complaints and consent decrees to provide notice.”) (emphasis added).
8. Loper Bright Enters. v. Raimondo, 603 U. S. __ (2024).