FTC Warns Over Improper Data Collection

On September 18th, 2023, the Federal Trade Commission (FTC) sent a letter to five tax preparation companies over possible unfair and deceptive practices. These letters state that collecting data for marketing and advertising purposes, when that data is gathered in a confidential context, could be a violation that subjects the company to a fine. An overview of this action can be found in the press release.

We can see from the Recipients of the Notice that this includes:

  • H&R Block
  • Intuit
  • TaxAct
  • TaxSlayer
  • The Lampo Group, LLC d/b/a Ramsey Solutions

Note: Just because a company got a letter does not mean they have (at this point) done anything wrong.

However, the letter also put those companies on notice.

Receipt of this notice of penalty offenses puts you and your company on notice that engaging in the conduct described therein could subject you and your company to civil penalties of up to $50,120 per violation.

We are aware of information suggesting that you have engaged in or are engaging in deceptive or unfair conduct. You should take prompt action, including by reviewing all your practices, to ensure any deceptive or unlawful claims cease and are removed or corrected, as appropriate, and any other required disclosures are made.

https://www.ftc.gov/system/files/ftc_gov/pdf/NPO-Misuse-Information-Collected-Confidential-Contexts-Cover-Letter_0.pdf

At the same time, the FTC published a blog post about what it expects. It states that, at minimum, companies which get confidential data need to get a consumer's affirmative express consent prior to using that data for any purpose other than what the consumer explicitly requested. The following paragraph has some examples worth noting:

[T]he Commission considers it an unfair or deceptive act or practice to use tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context for the purposes described in the prior paragraph without first obtaining affirmative express consent. It is also an unfair or deceptive practice to misrepresent or omit material facts regarding the use or confidentiality of information collected in a Confidential Context through tracking technologies such as pixels, cookies, or SDKs.

https://www.ftc.gov/business-guidance/blog/2023/09/companies-warned-about-consequences-loose-use-consumers-confidential-data

The blog is also quick to call out that:

Spoiler alert: burying something in your Privacy Policy or Terms of Service doesn’t meet the “clear and conspicuous” standard.

https://www.ftc.gov/business-guidance/blog/2023/09/companies-warned-about-consequences-loose-use-consumers-confidential-data

So it could be reasoned that the FTC is likely expecting some sort of overt banner, widget, dialog, or popup to be shown to the user prior to the collection taking place. It may also be a good idea to have a consent system of record – so it can be shown that a specific user actually did consent to the data usage.

Next Steps

Any company dealing with confidential contexts will want to take note of this warning. They’ll need to evaluate their data collection, determine if consent is needed and either build in systems to request such consent, or remove the offending technology. By the look of the letter, the FTC expects quick action, and there will be no further warnings.
