The FTC Released the Privacy & Data Security Update for 2015
The Federal Trade Commission (“FTC”) released its 2015 Privacy and Data Security Update, highlighting key initiatives aimed at ensuring responsible handling of personal information both online and offline.
In the update, the FTC highlighted the launch of IdentityTheft.gov, a resource dedicated to helping individuals report and recover from identity theft. The recent enhancements include free personalized recovery plans and step-by-step guidance to expedite the recovery process for victims. The initiative underscores the FTC’s proactive approach in assisting those affected by identity theft, encouraging businesses to educate employees and customers about this vital resource.
Throughout 2015, the FTC took actions against companies that failed to secure consumers’ personal information, such as Oracle, Wyndham, and LifeLock. Additionally, enforcement efforts targeted businesses alleged to have misused consumer information or violated children’s privacy laws. The FTC also hosted workshops and released reports addressing emerging issues like the Internet of Things and online lead generation, culminating in PrivacyCon, an event focused on advancing consumer privacy and security research.
The FTC’s "Start with Security" campaign offers practical guidance for businesses, emphasizing lessons learned from over 50 data security settlements. Key principles include minimizing data collection, providing transparency about data use, offering privacy choices to consumers, and implementing robust data protection measures.
Privacy Enforcement Actions
- Craig Brittain’s Revenge Porn Site: The FTC addressed the deceptive practices of Craig Brittain, operator of a "revenge porn" website. Brittain was found to have acquired and posted intimate images of women, then demanded payment for their removal. Under the settlement, Brittain is prohibited from sharing such content without explicit consent and must delete collected personal information.
- Jerk.com Misrepresentation: Operators of Jerk.com misled users about the source of content, primarily harvested from Facebook profiles. The site falsely promised paid members could correct their profiles, leading to FTC action against deceptive practices.
- Nomi Technologies’ Tracking Issues: Nomi Technologies settled charges for misleading consumers regarding in-store tracking opt-outs. The company failed to provide promised opt-out mechanisms and transparency about tracking practices.
- TRUSTe’s Certification Failures: The FTC finalized an order against TRUSTe for failing to conduct required annual recertifications of privacy seals, impacting over 1,000 companies.
- PaymentsMD’s Misleading Practices: PaymentsMD and its CEO misled consumers by not disclosing the collection of detailed medical information, obtained from pharmacies and insurance companies.
- Sequoia One’s Payday Loan Data Breach: Sequoia One sold payday loan application data to scammers, resulting in fraudulent withdrawals from consumer accounts totaling $7.1 million.
- Bayview Solutions and Cornerstone’s Data Exposure: Data brokers exposed sensitive consumer information while attempting to sell debt portfolios, leading to stringent data protection requirements under FTC agreements.
- CWB Services’ Payday Lending Scheme: CWB Services engaged in unauthorized payday lending and deceptive practices, withdrawing funds from consumer accounts without permission.
- Pairsys’ Senior Fraud: Pairsys targeted seniors with unnecessary tech support services and software, leading to financial settlements and asset forfeitures.
- Click4Support’s Tech Support Scam: Click4Support scammed consumers by falsely representing major tech companies, misleading them into paying for unnecessary services.
- Prized Mobile App Malware: The FTC addressed the Prized Mobile app, which deceived users by promising rewards while secretly installing malware to mine virtual currencies on their phones.
The FTC said that these cases illustrate its rigorous enforcement of consumer privacy laws and its commitment to holding companies accountable for data security breaches and deceptive practices.
Credit Reporting & Financial Privacy
The FTC continued its efforts to enforce the Fair Credit Reporting Act (“FCRA”) and the Gramm-Leach-Bliley (“GLB”) Act, ensuring consumer protection in credit reporting and financial privacy.
- Fair Credit Reporting Act (“FCRA”) Enforcement: The FCRA governs how companies use consumer data to assess creditworthiness, insurance eligibility, employment suitability, and tenant screening. The FTC has pursued over 100 FCRA cases, resulting in more than $30 million in civil penalties. In 2015, notable cases included:
  - Sprint’s Risk-Based Pricing Violation: Sprint settled allegations by paying $2.95 million in civil penalties. The company was accused of failing to properly notify consumers placed in a program for customers with lower credit scores, which incurred additional monthly fees. Sprint allegedly omitted crucial disclosures required by the Risk-Based Pricing Rule, preventing consumers from understanding their credit reports fully and potentially rectifying errors. This failure to provide timely disclosures left consumers unable to switch to more favorable terms with other carriers.
  - Tricolor Auto Acceptance, LLC’s FCRA Violation: Tricolor Auto Acceptance, LLC agreed to pay over $82,000 in civil penalties for violating the FCRA’s Furnisher Rule. This rule mandates that companies reporting consumer information to credit reporting agencies (“CRAs”) maintain accurate reporting practices and provide avenues for consumers to dispute inaccurate information. The FTC found that Tricolor failed to establish written policies ensuring data accuracy when reporting to CRAs. Moreover, when consumers disputed information, Tricolor allegedly redirected them back to the CRA without conducting the required investigation.
- Gramm-Leach-Bliley (“GLB”) Act Compliance: The GLB Act requires financial institutions to issue annual privacy notices, offer opt-out mechanisms for sharing consumer information with third parties, and implement reasonable security measures. Since 2005, the FTC has initiated nearly 30 cases related to GLB Act violations, emphasizing the importance of safeguarding consumer financial data.
FTC Enforcement of U.S.-EU Safe Harbor Framework
The U.S.-EU Safe Harbor Framework, established in 2000 to streamline personal data transfers from Europe to the U.S., has been vigorously enforced by the FTC to ensure compliance and consumer protection. In recent actions, the FTC focused on companies misrepresenting their adherence to Safe Harbor standards, utilizing Section 5 of the FTC Act to bring cases against violators.
- Final Orders Against Misrepresentation: The FTC issued final orders against TES Franchising, LLC, and American International Mailing, Inc., for falsely claiming current certification under the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks. These companies misrepresented their status on their websites despite their certifications having lapsed years earlier.
- Settlements with Misleading Claims: Thirteen companies settled charges for misleading consumers about their Safe Harbor certification. Seven companies falsely claimed current certification despite their certifications having lapsed. Another six companies falsely claimed certification without ever applying for membership in the programs.
- TRUSTe’s Compliance: TRUSTe, Inc., under an FTC final order, must refrain from misrepresenting its certification processes, including its involvement in the U.S.-EU Safe Harbor certification. This order ensures TRUSTe’s adherence to accurate representation practices across all certification programs.
The FTC said that despite challenges such as the European Court of Justice invalidating the Safe Harbor Framework in October 2015, U.S. and EU officials are actively collaborating on new privacy protection mechanisms and alternative methods for transatlantic data transfers. These efforts underscore the FTC’s commitment to safeguarding consumer data privacy and maintaining transparency in international data transfer frameworks.
Children’s Online Privacy Protection Act (“COPPA”) Update
COPPA, enacted in 1998, requires websites and apps to obtain parental consent before collecting personal information from children under 13. The FTC has been vigilant in enforcing COPPA, bringing over 20 cases and imposing significant civil penalties since 2000. In response to evolving technologies like social networking and smartphone apps, the FTC updated its COPPA Rule in 2013 to enhance children’s privacy protections.
- Innovative Consent Method: Riyo Inc. received FTC approval for a new COPPA parental consent method using "face match to verified photo identification." This two-step process ensures that the person providing consent is the child’s parent. It involves verifying a parent’s photo identification and comparing it to a live image of the parent, utilizing facial recognition technology. Riyo incorporates privacy safeguards such as encryption and prompt deletion of personal data.
- Enforcement Actions: The FTC took action against LAI Systems and Retro Dreamer for COPPA violations. LAI Systems failed to prevent third-party advertisers from collecting children’s personal information without parental consent through its apps. As part of the settlement, LAI Systems agreed to comply with COPPA requirements and pay a $60,000 civil penalty. Retro Dreamer allowed similar violations and agreed to a $300,000 civil penalty, despite having been warned by an advertising network that its apps targeted children.
The FTC said that these actions highlight its commitment to protecting children’s privacy online. Businesses must adhere to COPPA regulations, ensuring parental consent is obtained before collecting any personal information from children under 13.
Robocalls and Telemarketing Scams
Since establishing the national Do Not Call Registry in 2003, the FTC has been relentless in safeguarding consumers from intrusive telemarketing practices. The registry now boasts over 222 million active registrations, protecting individuals from unsolicited calls and robocalls that infringe on their privacy rights.
- Legal Actions Against Violators: The FTC pursued multiple cases against companies violating Do Not Call provisions. Lifewatch Inc. faced allegations of using deceptive robocalls to sell medical alert systems to elderly consumers, a case currently in litigation.
- Halting Illegal Robocalls: All Us Marketing LLC, formerly known as Payless Solutions, LLC, faced legal action for deceptive robocall schemes targeting seniors with fake credit card interest rate reduction programs. The court order halted their illegal activities.
- Enforcement Against Fraudulent Schemes: Caribbean Cruise Line, Inc. and others were sued for sending deceptive political survey robocalls to sell cruise vacations. Settlements totaling over $13 million await court approval.
- Protecting Vulnerable Consumers: Money Now Funding, LLC defrauded American and Canadian consumers with business opportunity scams, resulting in court judgments banning them from similar activities.
- Penalties for Misleading Practices: Jason Abraham and Instant Response Systems were fined $3.4 million for pressuring elderly consumers into purchasing medical alert systems through illegal telemarketing.
- Cracking Down on Debt Collection Scams: Centro Natural Corp. and Sun Bright Ventures LLC were stopped from deceptive practices like threatening consumers with legal action and misleading them into disclosing bank account information.
- Innovative Solutions: The FTC awarded Robokiller $25,000 for developing an app that blocks and reports robocalls, enhancing consumer protection against these invasive practices.
The FTC said that these actions underscore its commitment to enforcing Do Not Call regulations and protecting consumers from fraudulent telemarketing schemes.
Understanding FTC Rules for Consumer Privacy and Security
The FTC says it plays a crucial role in protecting consumer privacy and security through various rules established by Congress. These rules cover a wide range of areas to ensure fair practices and safeguard sensitive information:
- Health Breach Notification Rule: Mandates that web-based businesses inform consumers in case of breaches involving their electronic health information.
- Red Flags Rule: Requires financial institutions and certain creditors to implement identity theft prevention programs, identifying and responding to potential identity theft indicators.
- COPPA Rule: Ensures websites and apps obtain parental consent before collecting personal information from children under 13, enhancing children’s online privacy protections.
- GLB Privacy Rule: Sets guidelines for car dealerships on disclosing privacy practices and allowing consumers to opt out of certain information disclosures to third parties.
- GLB Safeguards Rule: Requires financial institutions under FTC jurisdiction to maintain robust information security programs encompassing administrative, technical, and physical safeguards.
- Telemarketing Sales Rule (“TSR”): Requires telemarketers to disclose vital information, prohibits misrepresentations, limits calling hours, and restricts payment methods. It also enforces Do Not Call provisions, barring calls to registered numbers and robocalls without consumer consent. In 2015, the FTC proposed amendments to the TSR, targeting payment methods favored by scammers, enhancing consumer protection against fraudulent telemarketing practices.
- CAN-SPAM Rule: Protects consumers from deceptive commercial emails, requiring companies to include opt-out options.
- Disposal Rule (“FACTA”): Requires secure disposal of consumer credit reports and related information to prevent unauthorized access.
- Pre-screen Opt-out Rule (“FACTA”): Compels companies sending prescreened credit or insurance offers to provide consumers with opt-out choices.
The FTC outlined that these rules reflect the FTC’s commitment to upholding consumer rights and ensuring businesses adhere to fair and transparent practices in handling personal information.
The FTC stated that as technologies evolve, it remains dedicated to collaborating with businesses to uphold fundamental privacy principles. By adhering to these guidelines, companies can mitigate data security risks and foster consumer trust in an increasingly digital world.
For more information, see here: https://www.ftc.gov/reports/privacy-data-security-update-2015
These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.
PDF Download: attachment (551.46 KB)