The FTC Released the Privacy & Data Security Update for 2016
January 2017
The Federal Trade Commission (“FTC”) released its 2016 Privacy and Data Security Update, highlighting key initiatives aimed at ensuring responsible handling of personal information both online and offline.
Notably, the agency took enforcement action against major companies such as LabMD, ASUS, and Oracle, as well as against smaller entities. Understanding these developments is crucial for consumers and businesses alike as they navigate the complexities of privacy in today's digital age.
Privacy Enforcement Actions
The FTC has taken significant enforcement actions to tackle various privacy concerns, addressing issues such as spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile privacy. Notably, the agency announced it has handled over 130 cases related to spam and spyware, alongside more than 40 general privacy lawsuits, underscoring its commitment to protecting consumer privacy across multiple platforms. In 2016, the FTC announced the following privacy cases:
- Ashley Madison: The FTC revealed that, until August 2014, the operators of Ashley Madison misled customers by creating fake profiles of women to entice them into becoming paid members, impacting around 19 million Americans. Despite assuring users that their personal information was secure, the FTC alleged that the site's security measures were inadequate. This was highlighted by a major data breach in July 2015, which led to hackers exposing sensitive data from over 36 million users, including information from those who paid for a “Full Delete” service that claimed to erase their data. The FTC's complaint accused the defendants of falsely representing their security practices, including their supposed “Trusted Security Award,” and of misrepresenting the nature of communications on the platform. The FTC collaborated with a coalition of 13 states and the District of Columbia, as well as Canadian and Australian privacy authorities, to reach a settlement regarding these practices.
- Turn Inc.: Turn Inc. reached a settlement with the FTC over charges of deceiving consumers about their tracking options. The FTC's complaint indicated that Turn misled users into believing they could limit tracking by deleting cookies or adjusting device settings. However, in 2013, the company participated in a Verizon Wireless program that allowed it to add unique identifiers to users’ mobile traffic, enabling tracking even after cookies were deleted or identifiers reset. Additionally, the FTC highlighted that Turn's opt-out mechanism only applied to mobile browsers and did not prevent targeted ads from appearing in mobile applications.
- Gigats.com: The FTC initiated an enforcement action against Gigats.com, an education lead generator, settling charges that the company misrepresented its practices. Gigats claimed to be “pre-screening” job applicants for employers, but instead was collecting personal information for other purposes, primarily lead generation for post-secondary schools and career training programs. According to the FTC's complaint, Gigats did not forward the information gathered to employers. Instead, consumers who submitted personal data were directed to contact the company's “employment specialists,” who then guided them toward enrolling in educational programs that compensated Gigats for the leads.
- Practice Fusion: Practice Fusion, a cloud-based electronic health record company, settled charges that it misled consumers by soliciting doctor reviews without adequately disclosing that these reviews would be made publicly available online. This led to the exposure of sensitive patient information, including full names, medications, health conditions, and treatments received, raising serious privacy concerns.
- InMobi: In a proposed settlement, Singapore-based mobile advertising company InMobi agreed to pay $950,000 in civil penalties and implement a comprehensive privacy program to resolve charges of deceptive location tracking. The FTC alleged that InMobi tracked the locations of hundreds of millions of consumers, including children, without their knowledge or consent for the purpose of delivering geo-targeted ads. Despite claiming that its advertising software would only track locations with user opt-in and in line with device privacy settings, InMobi was actually monitoring consumers regardless of whether apps sought permission, even when users explicitly denied access to their location information.
- Vulcun: Technology company Vulcun reached a settlement with the FTC over charges of unfairly replacing a popular web browser game with a program that installed applications on consumers' mobile devices without their consent. The FTC's complaint revealed that Vulcun purchased the Running Fred game, a Google Chrome extension used by over 200,000 consumers, and replaced it with its own extension, which falsely claimed to provide unbiased recommendations for popular Android apps. In reality, Vulcun's extension installed apps directly onto users' Android devices while circumventing the required permissions process, violating consumer trust and privacy.
- Tachht, Inc.: The FTC charged Florida-based affiliate marketing operation Tachht, Inc. with flooding consumers with illegal spam emails in an effort to sell fraudulent weight-loss products using fake celebrity endorsements. According to the FTC’s complaint, the defendants sent emails from hacked accounts, making it seem as though the messages originated from the consumers' family, friends, or contacts. These deceptive emails enticed recipients to click on links that directed them to websites promoting the defendants' unverified weight-loss products.
- App Developers Using “Audio Beacons”: The FTC staff sent warning letters to twelve app developers using Silverpush software, which monitors consumers' television viewing through undetectable "audio beacons" emitted by TVs. The letters cautioned developers that if their statements or user interfaces suggest that their apps do not collect and transmit television viewing data while they actually do, they may be violating Section 5 of the FTC Act.
- Sequoia One: The FTC secured an order against an individual associated with Sequoia One, a data broker accused of acquiring personal information from individuals applying for payday loans online, only to sell it to a scam that illegally accessed consumers' bank accounts and credit cards. The order prohibits the defendant from selling or disclosing sensitive personal data, making false claims about any financial or other products, and profiting from consumers' information without proper disposal. Additionally, the defendant has been ordered to pay a $45,000 judgment, which represents nearly all of his assets.
FTC's Efforts in Data Security
In 2016, the FTC took steps against several companies over inadequate security practices.
- Ashley Madison: The operators of the Ashley Madison dating site settled charges from the FTC and state authorities for failing to protect the account and profile information of 36 million users after a major data breach in July 2015. The complaint highlighted significant security lapses, including the absence of a written security policy and inadequate employee training. As part of the settlement, the defendants must implement a comprehensive data security program and pay $1.6 million to resolve the allegations.
- LabMD: The Commission determined that LabMD, a medical testing laboratory, engaged in inadequate data security practices that led to the unauthorized sharing of sensitive medical information. The Commission found that this breach constituted significant harm to consumer privacy. As a result, LabMD is required to implement a comprehensive information security program, undergo regular assessments, and notify affected consumers about the exposure of their personal information. LabMD has since appealed the Commission's decision to the Eleventh Circuit Court of Appeals.
- ASUS: Taiwan-based ASUS settled charges from the FTC regarding significant security vulnerabilities in its routers that endangered the home networks of hundreds of thousands of consumers. The complaint also indicated that insecure "cloud" services associated with these routers compromised connected storage devices, exposing sensitive personal information online. As part of the settlement, ASUS must inform consumers about available software updates and security measures, and it is required to implement a comprehensive security program that will undergo independent audits for the next 20 years.
- Oracle: The FTC accused Oracle of misleading consumers about the security enhancements offered by updates to its Java Platform, Standard Edition (Java SE) software. The complaint states that Oracle was aware of significant security vulnerabilities in older versions of Java SE that could be exploited by hackers to access sensitive information, including usernames and passwords for financial accounts. Despite assuring consumers that installing updates would make their systems "safe and secure," Oracle failed to disclose that the updates only removed the most recent version of the software, leaving older, insecure versions on users' computers. As part of the settlement, Oracle must enable consumers to easily uninstall these vulnerable older versions of Java SE.
FTC's Efforts in Credit Reporting & Financial Privacy
In 2016, the FTC intensified its focus on protecting consumer financial information through the Fair Credit Reporting Act (“FCRA”) and the Gramm-Leach-Bliley (“GLB”) Act. These laws regulate how companies handle personal data used for decisions about creditworthiness, insurance, employment suitability, and tenant screening. That year, the FTC brought the following case:
- Credit Protection Association: Credit Protection Association, a debt collection agency based in Texas, agreed to pay $72,000 in civil penalties and implement new procedures to address charges of violating the FCRA’s Furnisher Rule. The FTC found that the company lacked sufficient policies to manage consumer disputes regarding the information it reported to credit agencies. Additionally, the FTC alleged that Credit Protection Association did not have a system in place to inform consumers about the outcomes of investigations related to their disputed information, often leaving them unaware of whether their concerns had been addressed.
FTC's Efforts in Global Privacy
In 2016, the FTC continued its role in overseeing and enforcing international privacy frameworks, focusing notably on the EU-U.S. Privacy Shield Framework and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System. During the past year, the FTC brought the following cases:
- Very Incognito Technologies: Very Incognito Technologies, a maker of hand-held vaporizers, settled charges for misleading consumers about its involvement in the APEC Cross-Border Privacy Rules (CBPR) system. The FTC's complaint claimed that the company falsely stated on its website that it participated in the APEC CBPR system, which requires companies to be certified by an APEC-recognized accountability agent. However, the company was not actually certified, making the representation deceptive.
- APEC CBPR Warning Letters: The FTC sent warning letters to 28 companies for falsely claiming certified participation in the APEC Cross-Border Privacy Rules system on their websites. These companies are required to promptly remove these claims and notify FTC staff of their compliance, or provide proof of their actual certification.
FTC's Efforts in Children’s Privacy
The Children’s Online Privacy Protection Act ("COPPA"), enacted in 1998, mandates that websites and apps obtain verifiable parental consent before collecting personal information from children under 13. The FTC said it has enforced COPPA rigorously, bringing nearly 20 cases and collecting significant civil penalties over the years. Key action in 2016:
- InMobi: InMobi, a mobile advertising company, faced allegations from the FTC for violating COPPA by collecting information from apps specifically targeted at children. The complaint stated that InMobi’s software tracked the location of users in thousands of child-directed apps without obtaining the necessary parental consent. As part of the settlement, InMobi agreed to pay a $950,000 civil penalty, delete all data collected from children, and is prohibited from future violations of COPPA.
FTC's Efforts in Telemarketing and Do Not Call
The FTC's Telemarketing Sales Rule ("TSR") includes the national Do Not Call (“DNC”) Registry, which now has over 226 million active registrations. The rule prohibits sellers and telemarketers from calling numbers listed on the registry, from contacting consumers after they have asked for the calls to stop, and from using robocalls for sales purposes. Since the registry's establishment in 2003, the FTC has pursued 127 enforcement cases under these provisions. Key actions in 2016:
- Educare Case: The FTC, alongside the Ohio Attorney General, secured temporary restraining orders, preliminary injunctions, and asset freezes against entities running fraudulent credit card rate reduction schemes. Notably, this marked the FTC’s first action against a Voice over Internet Protocol (VoIP) provider involved in illegal robocalls.
- KFJ Marketing, LLC: The Federal Trade Commission (FTC), in partnership with the Department of Justice (DOJ), took legal action against KFJ Marketing, LLC, a telemarketing company accused of making unlawful robocalls. These calls promised energy savings to entice consumers, ultimately aiming to generate leads for solar panel installation firms. The complaint highlights that the company made over 1.3 million unauthorized pre-recorded calls, many targeting individuals registered on the national Do Not Call Registry.
- USA Vacation Station: USA Vacation Station reached a settlement over allegations of making millions of illegal robocalls, including to numbers listed on the National Do Not Call Registry, in an attempt to sell vacation packages. The low cost of these calls enabled the company to contact over 100,000 consumers for every package sold, leading to an overwhelming number of unsolicited calls. This continued despite warnings from both the Better Business Bureau and the FTC regarding its practices.
- Feature Films: A federal jury in Utah ruled in favor of the FTC in its case against Feature Films for Families, Inc., concluding that the company conducted deceptive and unlawful telemarketing campaigns. The defendants made over 117 million illegal calls to consumers, violating the FTC’s Telemarketing Sales Rule. This landmark verdict, resulting from a lawsuit initiated by the DOJ in May 2011, marks the first jury decision in a case enforcing these rules. The court has yet to decide on the specifics of the relief to be granted.
- Life Management Services, Inc.: The FTC, along with the Office of the Florida Attorney General, charged Life Management Services, Inc. with making illegal robocalls to consumers, promoting fraudulent credit card interest rate reduction and debt relief services. The complaint alleges that this scheme has resulted in over $15.6 million in losses for consumers since at least January 2013.
- Lanier Law LLC: A federal court in Florida ruled in favor of the FTC against several defendants from Lanier Law LLC involved in a mortgage modification scheme. The court determined that these defendants violated the Telemarketing Sales Rule by making calls to consumers whose numbers were on the National Do Not Call Registry and by not paying the required annual fees to access those numbers. Additionally, the remaining defendants reached a settlement with the FTC on similar charges.
- Advertising Strategies, LLC: The FTC secured a temporary restraining order and preliminary injunction against Advertising Strategies, LLC, a fraudulent telemarketing operation accused of scamming over $9 million from thousands of consumers, many of whom are elderly or on fixed incomes, including military veterans. The defendants face charges for violating the FTC Act and the Telemarketing Sales Rule, including making calls to numbers listed on the National Do Not Call Registry.
- Consumer Education Group: The Consumer Education Group, a collection of entities, settled charges for making over two million calls, including pre-recorded robocalls, to consumers listed on the National Do Not Call Registry. The defendants also operated websites that collected consumer information without obtaining explicit consent to make such calls. In response, the FTC, in collaboration with the DOJ, filed a complaint leading to a settlement that includes injunctive relief and a civil penalty.
- Multinational Robocall Initiative: In June, the FTC spearheaded a multinational initiative targeting illegal robocalls, resulting in significant actions against operations believed to be responsible for billions of such calls. This extensive effort included 39 coordinated actions involving the FTC, the Canadian Radio-television and Telecommunications Commission (CRTC), the UK's Information Commissioner’s Office (ICO), the DOJ, the Federal Communications Commission (FCC), and the attorneys general from various states, including Colorado, Florida, Indiana, Kansas, Mississippi, Missouri, North Carolina, Ohio, and Washington, as well as the Tennessee Regulatory Authority.
Advocacy Efforts by the FTC
The FTC actively advocates for consumer protection and competition when courts, government agencies, and other organizations make policy decisions. In 2016, the FTC provided comments on several important privacy issues, including:
- The FTC commented to the FCC on proposed rules for expanding the availability of television set-top boxes, suggesting that manufacturers should disclose their compliance with privacy protections to facilitate enforcement under the FTC Act.
- The FTC submitted feedback to the FCC regarding proposed privacy regulations for broadband internet providers, offering insights based on its experience in safeguarding consumer data and recommending changes to definitions, privacy notice structures, and data security protocols.
- In response to proposed amendments that would allow robocalls to collect federal debt without prior consent, the FTC urged caution. Its comment emphasized the need for standards that align with the Fair Debt Collection Practices Act and the Telemarketing Sales Rule, recommending restrictions on when and how these calls can be made.
- The FTC also filed comments with the NTIA about the Internet of Things, discussing its benefits and risks while proposing best practices for data security and consumer protections.
- Regarding highly automated vehicles, the FTC praised the NHTSA's proposed guidelines for addressing privacy and security throughout the vehicle lifecycle.
- The Commission provided testimony to the Senate about FCC privacy rules for broadband services, emphasizing its long-standing work in privacy and collaboration with the FCC.
- Additionally, the FTC testified before Congress on its initiatives to protect the privacy and security of consumer health information, highlighting its enforcement actions and educational efforts related to health technology.
FTC Workshops on Consumer Privacy and Security
Since 1996, the FTC has hosted over 35 workshops, town halls, and roundtables to address emerging issues in consumer privacy and security. In 2016, the FTC organized several key events focused on these topics:
- PrivacyCon: The FTC held its inaugural PrivacyCon in January, featuring discussions on cutting-edge research and trends in consumer privacy. The event brought together researchers, industry experts, federal policymakers, and consumer advocates.
- Fall Tech Series: This three-part series explored new technologies and their implications for consumer protection:
  - The first session addressed the rising threat of ransomware, discussing prevention strategies and how to mitigate its impact.
  - The second event focused on the benefits and privacy concerns of drones, particularly around transparency and consumer choice.
  - The third session examined how smart TVs might track viewing habits and shared best practices for protecting consumer privacy.
- Putting Disclosures to the Test Workshop: This workshop gathered industry leaders, academics, and policymakers to assess the effectiveness of consumer disclosures regarding advertising claims and privacy practices.
FTC Reports and Surveys on Consumer Privacy and Data Security
The FTC noted that it plays a crucial role in shaping policies related to consumer privacy and data security, having published over 50 reports based on independent research and discussions from workshops. The following key reports were released by the FTC:
- Big Data Report: Following an earlier workshop, this report examined the implications of Big Data, discussing relevant laws like the Fair Credit Reporting Act and the Equal Credit Opportunity Act. It also posed questions for businesses to consider, aiming to ensure that the benefits of big data analytics do not lead to exclusionary or discriminatory outcomes.
- Mobile Security Study: The FTC announced a study on security within the mobile ecosystem, issuing orders to eight mobile device manufacturers for information on how they manage security updates for smartphones and tablets.
- Lead Generation Report: A staff perspective paper titled "Follow the Lead" explored the mechanics of lead generation, highlighting its benefits while also addressing associated consumer protection issues.
- Data Security Auditing in Credit Cards: The FTC planned a study on data security auditing practices in the credit card industry, requiring nine companies to provide information on their compliance assessments with the Payment Card Industry Data Security Standards.
- Sharing Economy Report: In November, the FTC released a report focusing on the sharing economy, discussing privacy concerns and emphasizing the need to balance these issues with the flow of transaction-specific information critical to its success.
Consumer Education and Business Guidance by the FTC
The FTC emphasized that it is dedicated to educating both businesses and consumers about privacy and data security issues, distributing millions of educational materials to address ongoing threats. In 2016, the FTC released several important resources:
- Health App Tool: The FTC, in collaboration with the Department of Health and Human Services, developed a web-based tool for health-related mobile app developers to help them understand applicable federal laws and regulations.
- Identity Theft Resource: The enhanced IdentityTheft.gov, available in Spanish as robodeidentidad.gov, serves as a free resource for individuals to report and recover from identity theft. Over 305,000 people have created accounts to manage their recovery plans, with outreach efforts during Tax Identity Theft Awareness Week providing valuable information on prevention and response.
- Guidance for Background Screening Companies: The FTC issued new guidance to assist employment background screening companies in complying with the Fair Credit Reporting Act.
- Data Breach Response Guide: The FTC published "Data Breach Response: A Guide for Business," which includes steps to take during a data breach and a model notification letter.
- Consumer Blog: The FTC’s consumer blog shares tips to protect personal information and addresses potential privacy and security threats. Notable topics in 2016 included hacks of wireless routers and issues related to caller ID spoofing.
- Business Blog: This blog focuses on recent enforcement actions and provides guidance on various privacy and data security issues, including cybersecurity frameworks and consumer privacy in connected devices.
- Technology Blog: The FTC’s Technology Blog discusses technical aspects of its work, including efforts by mobile operating systems to address location tracking concerns.
International Engagement by the FTC
The FTC said it prioritizes international collaboration in its efforts to enhance privacy and security. The agency works with foreign privacy authorities, international organizations, and global networks to strengthen enforcement cooperation regarding privacy and data security investigations. Key initiatives include:
- Enforcement Cooperation: The FTC collaborates with international counterparts through consultations, memoranda of understanding, and information-sharing mechanisms established under the U.S. SAFE WEB Act. This allows the FTC to share information and provide investigative assistance to foreign law enforcement when appropriate.
- EU-U.S. Privacy Shield Framework: In 2016, the FTC enhanced privacy enforcement cooperation under this framework, promoting robust protections for consumers.
- MOU with the CRTC: The FTC signed a memorandum of understanding with the Canadian Radio-television and Telecommunications Commission to improve cross-border cooperation on Do Not Call and anti-spam enforcement. This agreement facilitates information exchange and joint enforcement efforts.
- Global Partnership Against Unsolicited Communications: The FTC, along with 10 international partners, signed a memorandum of understanding to enhance information sharing and cooperation in combating unsolicited messages and calls. This partnership involves members of the Unsolicited Communications Enforcement Network and addresses issues like spam, online fraud, and phishing.
FTC Policy Initiatives on Global Privacy Protection
The FTC is dedicated to promoting robust privacy policies that protect consumer data transferred internationally. Its efforts focus on enhancing global interoperability among privacy frameworks and holding businesses accountable for data handling practices. In the past year, the FTC has been active in several key initiatives:
- EU-U.S. Privacy Shield Framework: The FTC collaborated with the Department of Commerce and other U.S. agencies to develop this framework, facilitating safe transatlantic data transfers.
- OECD E-Commerce Guidelines: The FTC contributed to the revision of guidelines aimed at improving consumer protection in e-commerce. These guidelines emphasize transparency, fairness in data collection and use, and the implementation of effective security measures. The agency also participated in discussions on emerging privacy issues in the Internet of Things and the sharing economy.
- Policy Advice to Canadian Authorities: The FTC provided technical input to the Office of the Privacy Commissioner of Canada during its consultation on new privacy challenges. Recommendations included enhancing enforcement powers to better protect consumer privacy and improving coordination with the FTC.
- Support for International Privacy Networks: The FTC engaged with the Asia-Pacific Privacy Authorities Forum and the Global Privacy Enforcement Network. It also participated in international conferences and consultations with privacy authorities from countries including China, Colombia, Ireland, Singapore, and the U.K.
For more information, see here: https://www.ftc.gov/reports/privacy-data-security-update-2016
These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.