Chris Jay Hoofnagle of Berkeley has written FTC Regulation of Cybersecurity and Surveillance, in The Cambridge Handbook of Surveillance Law (David Gray and Stephen Henderson, eds.) (Cambridge University Press 2017). Here's the abstract:
The Federal Trade Commission (FTC) is the United States’ chief consumer protection agency. Through its mandate to prevent unfair and deceptive trade practices, it both regulates surveillance and creates cybersecurity law. This chapter details how the FTC regulates private-sector surveillance and elucidates several emergent properties of the agency’s activities. First, private-sector surveillance shapes individuals’ reasonable expectations of privacy, and thus regulation of the private-sector has effects on the government as surveillant. The FTC’s activities not only serve dignity interests in avoiding commercial inference in one’s life, they also affect citizens’ civil liberties posture with the state. Second, surveillance can make companies directly liable (for intrusive web monitoring, for tracking people offline, and for installing malware) or indirectly liable (for creating insecure systems, for using deception to investigate, and for mediating the surveillance of others) under the FTC Act. Third, the FTC’s actions substitute plaintiffs’ litigation for privacy, as the class action is burdened in novel ways. Fourth, the FTC’s actions increase the quality of consent necessary to engage in surveillance, and in so doing, the FTC has made some kinds of surveillance practically impossible to implement legally. Finally, the FTC’s actions make companies more responsible for their surveillance technologies in several ways—by making software vendors liable for users’ activities, by imposing substantive security duties, and by narrowing internet intermediary immunity.