America doesn’t have a comprehensive data privacy law. However the Federal Trade Commission warned in its blog post on Monday, July 11th, that it does have several other laws it can use against businesses which play fast and loose with data and that it won’t hesitate to use them.
Since the fall of Roe vs Wade, health data and data privacy have become a prime topics in Washington as the public media cast light on the data collection practices of popular health websites and mobile applications.
In light of this increased visibility and in response to court verdict, President Biden signed an executive order increasing the privacy and safety of patients on July 8th (a Friday). The blog post from the FTC, comes a mere 3 days later appearing on the following Monday.
In particular, the FTC calls out the ad-tech / data broker ecosystem, and makes it clear that it takes a very dim view to the sharing of location or sensitive information illegally and puts brands on notice it will work to use the full array of existing federal and state laws to crack down on improper data use. They state they will “vigorously enforce the law” should they find illegal conduct that “exploits location, health or other sensitive data”.
The FTC calls out several key methods they will leverage going forward:
Section 5 of the FTC Act – Which governs Deceptive Trade Practices. The FTC has used this in the past to crack down on brands which state data is private in their privacy policy, while also sharing personal data behind the scenes. For example, the FTC recently reached a settlement with Flo, the popular Women’s Fertility-Tracking App. The compliant states that Flo promised to keep health data private, while also sending it to Facebook, Google Analytics, Google’s Fabric Service, AppsFlyer and Flurry. Brands would be well served to ensure what they are telling consumers, is actually what they are doing.
The Safeguard Rule – which broadly covers the safety of data in financial related markets. The Rule imposes requirements on data storage, transfer, retention and security practices.
The Health Breach Notification Rule – which broadly covers how vendors of personal health records and related entities must notified consumers following a breach
Children’s Online Privacy Protection Rule (COPPA) – which imposes requirements on websites and services directed to children under 13 of age, and to websites and services which have actual knowledge they are interacting with someone under 13 years of age.
The FTC notes that claims that data is ‘anonymous’ or ‘has been anonymized’ are often deceptive. Firms that make these claims should be aware they are violating the FTC Act when the claims are found to be untrue. They warn that companies that make false claims about anonymization can expect to hear from the FTC in the future.
Enforcement and Fines
It should be noted that the FTC has in fact increased enforcement in recent times.
In December of 2021, the FTC reached a settlement with OpenX for violating COPPA. Part of that settlement resulted in OpenX paying a $2 Million dollar fine.
Flo (as previously mentioned) was ordered to review the brands privacy practices and prohibited from making false claims about Information Privacy. They were also subject to consent requirements, compliance reviews and other activities deemed required by the FTC.
WeightWatchers found themselves subject to an FTC investigation in March, 2022 over COPPA, and was ordered as part of its settlement to pay a $1.5 million penalty.
CafePress was hit with a finalized order in late June, and ordered as part of the findings to pay $500k in damages for covering up a data breach and having lax computer security.
Bottom Line
American Businesses have been put on notice that the FTC will no longer wait for Congress to pass a data privacy law to aggressively enforce data privacy claims. For any brand that operates online, they would be well served in understanding their specific risks, and preparing via a robust data governance program for any possible inquiry from the FTC or other relevant data authority (such as California’s new Privacy Protection Agency).
The critical thing to remember is the laws that the FTC references, are already on the books and can be enforced at any time. There is no grace period and that per the FTC – you have already been warned.