The FTC Released the Privacy & Data Security Update for 2019
February 2020
The Federal Trade Commission (“FTC”) released its 2018 Privacy and Data Security Update, highlighting key initiatives aimed at ensuring responsible handling of personal information both online and offline.
The update highlights the FTC's commitment to protecting consumer privacy through proactive enforcement, regulatory actions, and fostering dialogue among stakeholders.
Privacy Enforcement Actions
In 2019, the FTC took significant actions to protect consumer privacy across various sectors, including social media, ad tech, and mobile apps. Key cases included:
- Facebook Settlement: The FTC settled with Facebook over allegations of privacy violations, resulting in a historic $5 billion penalty. Facebook was accused of misleading users about their control over personal information and misusing phone numbers provided for security purposes.
- Cambridge Analytica: The FTC pursued legal action against Cambridge Analytica for deceptive practices in harvesting personal data from millions of Facebook users without consent, impacting voter profiling.
- Retina-X: The FTC addressed the sale of stalking apps by Retina-X, alleging the apps were used for unauthorized tracking, leading to restrictions on the company's future operations.
- Unrollme: The FTC settled with Unrollme for deceiving consumers about its email management practices, including sharing personal email data for market research without proper disclosure.
- Effen Ads: The FTC obtained orders against Effen Ads for misleading spam emails promoting false work-from-home opportunities, imposing substantial penalties.
- Global Asset Financial Services: The FTC shut down a phantom debt collection scheme, charging defendants with fabricating debts and mishandling consumer information.
- Hylan Asset Management and Worldwide Processing Group: Defendants were charged with fraudulent debt collection practices and mishandling consumer data, leading to bans and penalties.
- ACDI Group: Defendants were charged with illegal payday loan debt collection practices, including unauthorized use of consumer information.
- Grand Teton Professionals: Defendants were charged with operating an illegal credit repair scheme, collecting upfront fees and misusing sensitive consumer data.
- Mission Hills Federal: The FTC halted a student loan debt relief scheme that misused consumer personal information to pocket funds instead of providing the promised relief.
- Career Education Corporation: Defendants were penalized for deceptive lead generation tactics, misleading consumers about how their information would be used.
The FTC said that these cases underscore its ongoing efforts to enforce consumer protection laws and ensure companies handle personal data responsibly.
FTC's Efforts in Data Security and Identity Theft
In 2019, the FTC took significant steps to enhance consumer data protection. They settled cases with several companies over inadequate security practices, aiming to safeguard personal information from breaches and identity theft.
- One major case involved Equifax, where the FTC alleged negligence in securing vast amounts of personal data, resulting in a breach affecting 147 million people. Equifax agreed to a settlement between $575 million and $700 million, resolving claims from various entities.
- Another case targeted ClixSense.com, an online rewards site accused of deceiving users about its security measures. The FTC found that personal information, including Social Security numbers, was stored without encryption, leading to a breach affecting 6.6 million users.
- Unixiz, operating i-Dressup.com, faced FTC charges for storing user data without encryption, leading to a breach affecting 2.1 million users, including minors.
- Retina-X, known for "stalking apps," and DealerBuilt, a provider of auto dealership software, also settled over inadequate data security practices that led to breaches affecting millions of consumers.
- Additionally, InfoTrax Systems was charged after repeated breaches affecting over a million consumers due to inadequate security measures.
- D-Link Systems settled allegations by agreeing to enhance its software security program, addressing vulnerabilities in its wireless routers and cameras that exposed sensitive consumer data to third parties.
These cases highlight the FTC’s efforts to enforce stronger data security standards, ensuring companies implement robust measures to protect consumer information against breaches and fraud.
FTC's Efforts in Credit Reporting & Financial Privacy
In 2019, the FTC intensified its focus on protecting consumer financial information through the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley (GLB) Act. These laws regulate how companies handle personal data for creditworthiness, insurance, employment suitability, and tenant screening.
The FTC enforced these regulations rigorously, bringing over 100 cases against companies for FCRA violations and collecting more than $40 million in civil penalties. Under the GLB Act, financial institutions are required to provide privacy notices, allow customers to opt out of data sharing with third parties, and implement reasonable security measures. Since 2005, the FTC has pursued approximately 35 cases for GLB Act violations.
- Equifax Case: Equifax faced allegations of violating the GLB Safeguards Rule by failing to implement adequate security measures, leading to a massive data breach affecting millions. Alleged violations:
  - Violation of the GLB Safeguards Rule.
  - Failure to design and implement safeguards for internal and external risks to customer information.
  - Lack of regular testing and monitoring of security measures.
  - Inadequate evaluation and adjustment of the information security program.
- DealerBuilt Case: DealerBuilt was charged with similar violations, accused of lacking a proper information security program and failing to assess and adjust safeguards effectively. Alleged violations:
  - Violation of the Safeguards Rule.
  - Failure to develop, implement, and maintain a written information security program.
  - Neglect in identifying foreseeable risks to customer information security.
  - Insufficient assessment of existing safeguards and implementation of basic security measures.
  - Lack of regular testing and monitoring of safeguard effectiveness.
These actions show the FTC's commitment to ensuring that companies handling sensitive consumer information adhere to stringent data protection standards, thereby safeguarding individuals' financial privacy and security.
FTC's Efforts in Global Privacy
In 2019, the FTC continued its role in overseeing and enforcing international privacy frameworks, focusing notably on the EU-U.S. Privacy Shield Framework and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System.
- EU-U.S. Privacy Shield Framework: The EU-U.S. Privacy Shield Framework is instrumental in facilitating the transfer of personal data from the European Union to the United States. Administered by the U.S. Department of Commerce, this framework ensures that companies adhere to a set of Privacy Shield Principles designed to protect consumer privacy and security. The FTC plays a crucial enforcement role under this framework, holding companies accountable for their commitments and actions related to consumer data protection. In 2019, the FTC participated in the third Annual Review of the Privacy Shield, highlighting increased enforcement efforts that contribute to its effective operation. The European Commission expressed ongoing support for the Privacy Shield following this review, citing improved FTC enforcement actions as a positive factor.
- Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System: The APEC CBPR System is a voluntary, enforceable code of conduct aimed at enhancing the privacy and security of personal information transferred among the United States and other APEC member economies. Participating companies can certify their compliance with APEC's nine data privacy principles, which are designed to harmonize data protection standards across participating economies. The FTC's role includes ensuring that certified companies uphold these principles, thereby facilitating trusted cross-border data flows in the Asia-Pacific region.
- Enforcement Actions: Throughout 2019, the FTC initiated significant enforcement actions under these international frameworks. A total of 64 actions were undertaken, addressing various compliance issues:
  - Privacy Shield Compliance: The FTC brought charges against multiple companies for falsely claiming participation in the Privacy Shield. These cases involved companies that had initiated the certification process but failed to complete it, or allowed their certifications to lapse while still misleading consumers about their Privacy Shield status. Companies such as 214 Technologies, Click Labs, DCR Workforce, and others were implicated for misrepresenting their compliance with Privacy Shield requirements.
  - Penalties and Remedies: In enforcing these actions, the FTC imposed penalties and required corrective measures. For instance, companies were prohibited from misrepresenting their participation in Privacy Shield and required to affirm their commitment to ongoing compliance with its principles.
- Impact and Importance: The FTC's rigorous enforcement efforts underscore its commitment to upholding international privacy standards and protecting consumer rights in an increasingly globalized digital economy. By ensuring that companies honor their privacy commitments under these frameworks, the FTC promotes transparency, trust, and accountability in the handling of personal data across borders. These efforts are essential for maintaining robust data protection practices that safeguard consumer privacy and foster international cooperation on privacy matters.
In summary, the FTC's activities in 2019 demonstrate its proactive stance in international privacy enforcement, reinforcing the importance of adherence to Privacy Shield and APEC CBPR standards to preserve consumer trust and data security in global data exchanges.
FTC's Efforts in Children’s Privacy
The Children’s Online Privacy Protection Act ("COPPA"), enacted in 1998, mandates that websites and apps must obtain verifiable parental consent before collecting personal information from children under 13. The FTC has enforced COPPA rigorously, bringing nearly 30 cases and collecting significant civil penalties over the years. Key Actions in 2019:
- Google and YouTube Settlement: The FTC, in collaboration with the New York Attorney General, settled with Google and YouTube for allegedly collecting personal data from children without parental consent, a violation of COPPA. The $170 million penalty marks the largest ever under COPPA, reflecting the seriousness of the violation.
- Musical.ly (TikTok) Case: Formerly known as Musical.ly, TikTok paid $5.7 million to settle charges of illegally collecting personal information from children. The app was found to be directed towards children, with many users under 13 self-identifying as such.
- Unixiz, Inc. (i-Dressup.com): The FTC alleged that i-Dressup.com violated COPPA by not obtaining parental consent before collecting personal information from children under 13. Despite offering a "Safe Mode" for under-13 users without parental consent, the website still gathered personal data, according to the complaint.
- Retina-X Case: In another instance, the FTC accused Retina-X of failing to implement adequate security measures to protect personal information collected from children, further highlighting the importance of robust data security practices.
These actions underscore the FTC’s commitment to safeguarding children’s online privacy. By enforcing COPPA, the FTC aims to ensure that companies adhere to strict guidelines when collecting and handling personal information from young users, promoting a safer digital environment for children.
FTC's Efforts in Telemarketing and Do Not Call
The FTC's Telemarketing Sales Rule ("TSR") includes the national Do Not Call (DNC) Registry, which now has over 235 million active registrations. This registry prohibits sellers and telemarketers from practices like calling numbers listed on it, contacting consumers after requests to stop, and using robocalls for sales purposes. Since its establishment in 2003, the FTC has pursued 147 enforcement cases under these provisions. Key Actions in 2019:
- Educare Case: The FTC, alongside the Ohio Attorney General, secured temporary restraining orders, preliminary injunctions, and asset freezes against entities running fraudulent credit card rate reduction schemes. Notably, this marked the FTC’s first action against a Voice over Internet Protocol (VoIP) provider involved in illegal robocalls.
- Career Education Corporation: This post-secondary education provider settled for $30 million over allegations of calling numbers on the DNC Registry without consent obtained through deceptive means.
- EduTrek Case: Lead generators hired by Career Education Corporation were accused of deceiving consumers through misleading government agency seals to collect contact information. They allegedly made millions of unsolicited calls to DNC-listed numbers.
- Media Mix 365: The FTC settled with Media Mix 365 for $7.6 million due to its repeated calls to numbers on the DNC Registry, deemed abusive or harassing. A substantial penalty was suspended pending payment.
- Bartoli Case: Bartoli, a repeat offender in robocall violations, faced a $2.1 million penalty for millions of illegal calls to DNC-listed numbers, alongside bans on future DNC Registry calls and caller ID spoofing.
- 8 Figure Dream Lifestyle: The FTC halted a fraudulent scheme using robocalls with false claims of high earnings potential, obtaining a temporary restraining order, asset freeze, and injunction against the defendants.
- First Choice Horizon: Defendants in this case were stopped from operating a fraudulent credit card interest rate reduction scheme targeting seniors through illegal robocalls, with ongoing litigation to pursue consumer redress.
- FTC v. Jasjit Gotra: The FTC secured a preliminary injunction against Gotra, prohibiting outbound telemarketing during ongoing litigation, and settled with Alliance Security for violating DNC rules, resulting in a complete telemarketing ban.
These 2019 actions reflect the FTC’s robust efforts to enforce DNC regulations, ensuring consumers' rights are protected against intrusive and deceptive telemarketing practices. These measures aim to preserve privacy and prevent financial harm, reinforcing the importance of compliance with DNC rules in today's digital marketplace.
FTC's Efforts in Global Privacy Advocacy
Enforcement Cooperation:
- The FTC collaborates with foreign privacy authorities and international organizations to enhance mutual enforcement cooperation on privacy and data security investigations.
- Through mechanisms under the U.S. SAFE WEB Act, the FTC shares information and provides investigative assistance to foreign law enforcement authorities in appropriate cases.
- Significant developments in 2019 included cooperation with the UK’s Information Commissioner’s Office in actions against Cambridge Analytica, leveraging provisions allowing information sharing to combat deceptive practices.
Policy Advocacy:
- The FTC advocates for robust policies ensuring strong privacy protections for consumer data globally and promotes interoperability among privacy regimes.
- It participates actively in international forums like the Global Privacy Enforcement Network (GPEN), organizing workshops and calls on accountability and enforcement.
- In 2019, the FTC contributed to policy deliberations at the EU-U.S. Privacy Shield Framework’s third Annual Review and engaged in discussions with APEC, OECD, and other international bodies on diverse privacy issues.
Direct Engagement:
- The FTC held bilateral discussions and hosted delegations from countries including Chile, Japan, South Korea, Vietnam, and the UK, as well as the European Commission and Parliament.
- Technical cooperation missions on privacy and cross-border data transfers were conducted in India and Brazil, furthering international collaboration on these critical issues.
FTC's Efforts in Rules and Regulations
Congress grants the FTC authority to establish rules that govern specific aspects of consumer privacy and security. Over the years, the FTC has implemented rules in various key areas:
- Health Breach Notification Rule: Mandates that web-based businesses notify consumers in case of breaches involving their electronic health information.
- Red Flags Rule: Requires financial institutions and certain creditors to maintain identity theft prevention programs, identifying and responding to signs of identity theft. The FTC conducted a review in 2018 to potentially update this rule in response to market developments, with evaluations ongoing.
- COPPA Rule: Ensures websites and apps obtain parental consent before collecting personal information from children under 13. The FTC sought feedback in 2019 on the effectiveness of 2013 amendments to this rule, assessing the need for further updates.
- GLB Privacy and Safeguards Rules: Requires car dealerships to disclose privacy policies and allows consumers to opt out of certain information disclosures. Financial institutions under FTC jurisdiction must maintain comprehensive information security programs. In 2019, the FTC sought comments on proposed updates to these rules, with evaluations continuing.
- Telemarketing Sales Rule (TSR): Requires telemarketers to disclose key information, prevents misrepresentations, limits calling hours, and restricts robocalls without consumer consent.
- CAN-SPAM Rule: Protects consumers from deceptive commercial emails and mandates opt-out mechanisms for recipients. Following review, the FTC confirmed the CAN-SPAM Rule without changes in 2019.
- Disposal Rule (FACTA): Requires secure disposal of credit reports and related information by companies.
- Pre-screen Opt-out Rule (FACTA): Mandates that companies sending prescreened credit or insurance offers inform consumers about opting out of future offers.
- Military Credit Monitoring Rule: Finalized in June 2019, mandates free electronic credit monitoring for active duty military consumers by nationwide consumer reporting agencies. It includes rapid notification of changes to credit files and restricts secondary use and disclosures of monitored information.
The FTC said these rules reflect its commitment to safeguarding consumer interests in an evolving digital landscape. By setting clear standards and seeking public input, the FTC aims to ensure that businesses uphold privacy protections and maintain secure practices when handling consumer information.
For more information, see here: https://www.ftc.gov/reports/privacy-data-security-update-2019
These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.
PDF Download:
Attachment | Size |
---|---|
privacy_and_data_security_update_2019.pdf | 1.13 MB |