Blog

Takeaways From the FTC’s Annual Privacy and Data Security Update

By Antonia M. Dumas, an Associate at XPAN Law Group, LLC

On March 15, 2019, the Federal Trade Commission (“FTC”) released its 2018 Privacy and Data Security Update (“Update”), an annual report summarizing its role and activity as the nation’s primary privacy and data security enforcer. For businesses, a key takeaway from the Update is that the FTC is taking real action in enforcing the implementation and management of privacy and security safeguards. Therefore, businesses should create, implement and maintain strong privacy and security programs to ensure clear information regarding general privacy practices, transparency on how consumers’ information is being used (and whether or not, and to what extent, that information is shared with third parties), and comprehensive data security.

The Update highlights seven focus areas that were central to the FTC’s approach in 2018: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance and international engagement. However, the FTC states that its principal tool to protect consumers’ privacy and personal information “is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior.”

FTC’s Priority: Enforcement

The Update covers various privacy and data security enforcement actions taken by the FTC in the past year regarding general privacy, data security and identity theft, credit reporting and financial privacy, international enforcement, children’s privacy, and telemarketing do not call. A “hot area” of enforcement for the FTC in 2018 included actions against misleading or inadequate privacy and security safeguards (including third-party access to data). These enforcement actions resulted in settlements requiring development and implementation of security and privacy safeguards and charges imposing injunctions and civil penalties. Below are some key enforcement actions worth highlighting in more detail.

Privacy and Security Safeguards

PayPal, Inc. entered into a settlement agreement with the FTC requiring its peer-to-peer payment application, Venmo, to make affirmative disclosures about its privacy practices. The FTC claimed that Venmo misled consumers about the privacy of their transactions, including the level of security safeguards to protect financial accounts and the ability to make transactions public retroactively). Venmo also failed to notify users of account changes to passwords, email addresses, or the addition of a new device, thereby allowing unauthorized users to withdraw funds from consumer accounts.

The FTC also settled with VTech Electronics Limited and its U.S. subsidiary (“VTech”) requiring it to implement a comprehensive security program and have a third party audit the program every two years for a period of 20 years. The FTC alleged that VTech had failed to use reasonable and appropriate data security measures to protect personal information (such as a lack of an intrusion detection or prevention system for its Kid Connect mobile app). The inadequate safeguards resulted in a hacker’s ability to access VTech’s computer network and the personal information of its users, including children. The FTC also alleged that VTech that most personal information submitted by users through its VTech platforms would be encrypted.

Sharing Data With Third Parties  

The FTC settled its case against mobile phone manufacturer BLU Products, Inc. and co-owner (“BLU”), also requiring the implementation of a comprehensive data security program and third party security assessments of its program every two years for 20 years. The FTC alleged that BLU falsely claimed that they limited third-party access to users’ data to only information needed to perform requested services but BLU allowed a third-party service provider to collect unauthorized personal information, including text message contents. BLU also failed to implement appropriate security procedures to oversee the security practices of their service providers.

The FTC obtained orders shutting down and imposing civil penalties on copycat military sites, Sunkey Publishing, Inc. and Fanmail.com. The FTC claimed that the sites used deceptive tactics to obtain personal information of consumers to sell for marketing purposes and falsely promised to use consumer information for limited purposes and not to share data with third parties. Regarding Facebook’s highly discussed unauthorized sharing of consumer information with Cambridge Analytica, the FTC announced nonpublic investigations into possible privacy practices in violation of its consent decree.     

Other Enforcement

The Update also includes a summary of enforcement actions in other specific areas including identity theft, credit reporting and financial privacy, children’s privacy and do not call. Additionally, the FTC enforces key international frameworks in connection with cross-border transfers of data. In particular, the FTC carried out enforcement actions against false claims of compliance with the EU-U.S. Privacy Shield Framework (legal mechanism for transfers of personal data between the European Union to the United States).

The FTC Has Rules Of Its Own

The FTC continued its enforcement actions seeking civil penalties for violations of certain privacy statutes and rules, including the Children’s Online Privacy Protection Act,  Fair Credit Reporting Act, among others. The FTC also continues to maintain its own rules that regulate specific areas related to privacy and security (for which it was granted authority by Congress).  Some of the FTC’s rules cover privacy areas such as breach notification of health information, consent for collecting minors’ data, comprehensive security programs for financial institutions, and privacy notices and opt-out options by car dealerships. There was little activity in 2018, but the FTC did call for public comment on updating its rule regarding identity theft prevention programs.   

FTC’s Advocacy & International Engagement  

The Update shows that the FTC advocates for strong privacy protections both at the domestic and international level. FTC provided comments regarding the risks of poor security in Internet of Things devices, and the importance of companies making accurate privacy disclosures. The FTC also provided testimony to committees of the Senate and House regarding potential federal data privacy legislation emphasizing the importance of consumer privacy and data security enforcement. (For more information check out our previous blog post here).

At the international level, the FTC advocates for strong privacy protections by engaging with international partners for enforcement cooperation of privacy and data security. In 2018, the FTC collaborated with a Canadian privacy agency in the VTech case (discussed above), hosted a forum to exchange ideas about enforcement activities across the Asia Pacific region, and helped organize events for the Global Privacy Enforcement Network (an informal network of Privacy Enforcement Authorities).

FTC Resources For Consumers & Businesses

The other sections of the Update address FTC’s intention to provide resources to consumers and business to help promote privacy and security. In 2018, the FTC hosted some big events including its annual PrivacyCon, a conference pertaining to the privacy and security implications of emerging technologies. The FTC also added additional resources for consumer education and business guidance (including cybersecurity for small business) on the FTC’s website and in its consumer and business blogs.

Takeaway And Action Item

We may not yet have a federal regulation regarding privacy and security here in the U.S., but there are clearly other ways that businesses can be held liable for a lack for appropriate privacy and security action from the emerging state privacy regulations across the country to the enforcement actions spearheaded by the FTC.  Businesses should not blindfold themselves by continuing business as usual and deciding not to make privacy a priority now, hoping to escape accountability. The FTC appears to be committed to keeping privacy a high priority and a hot topic for discussion, and businesses should follow suit. As a first step, we often suggest that businesses perform a legal and regulatory assessment so they can better understand their potential risks and vulnerabilities from a legal perspective, and develop a cohesive plan to mitigate the legal risks associated with privacy and security. For more info, check out XPAN’s short video here.

***

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.