The FTC Released the Privacy & Data Security Update for 2018
February 15, 2019
The Federal Trade Commission (“FTC”) released its 2018 Privacy and Data Security Update, highlighting its ongoing commitment to consumer privacy and data security.
Utilizing enforcement actions, the FTC ensures that companies adhere to regulations, which can involve implementing privacy programs, conducting assessments, and providing consumers with clear choices regarding their data. The agency also engages in studies, workshops, and educational initiatives to enhance awareness and promote compliance. Overall, the FTC said that its mission remains focused on protecting consumer information and fostering trust in the marketplace, enabling consumers to enjoy the benefits of modern products confidently.
Privacy Enforcement Actions
In 2018, the FTC took significant action on various privacy cases, highlighting its commitment to consumer protection. Here are the key cases:
- PayPal Settlement: The FTC reached a settlement with PayPal regarding deceptive privacy settings in Venmo, which misrepresented transaction privacy. The settlement requires clear disclosures about privacy practices.
- BLU Products Data Breach: The FTC charged BLU Products for allowing a third party to access sensitive consumer data. The settlement mandates a comprehensive data security program and regular third-party assessments for 20 years.
- Deceptive Marketing Practices: Sunkey Publishing was charged for using misleading tactics to collect personal information under the guise of military recruiting. The FTC secured over $12 million in penalties.
- Mobile Money Fraud: The FTC obtained orders against a scheme that misled consumers into purchasing ineffective software. The defendants, Mobile Money Code, faced a $7 million judgment and were required to refund affected consumers.
- Fake Debt Collection Operations: The FTC shut down multiple fraudulent debt collection schemes, Alliance Law Group and Lombardo, Daniels & Moss, that used intimidation and deception to collect money. Judgments exceeded $700,000 in one case.
- Phantom Debt Collection: Hylan Asset Management was charged for collecting on fake debts and using consumers’ private information deceitfully. The defendants faced prohibitions on debt buying and selling.
- Facebook Investigation: The FTC began a nonpublic investigation into Facebook's privacy practices amid allegations of unauthorized data sharing with Cambridge Analytica.
FTC's Efforts in Data Security and Identity Theft
In 2018, the FTC made significant strides in addressing data security and identity theft. Here are the key actions taken:
- Uber Technologies Settlement: Uber faced additional penalties due to a failure to disclose a significant data breach during an ongoing investigation. The revised settlement now requires Uber to notify the FTC of future unauthorized access incidents.
- BLU Products Complaint: The FTC charged BLU Products for falsely claiming adequate data protection measures. Security vulnerabilities in preinstalled software left consumer devices exposed to attacks.
- Venmo Misrepresentation: The FTC alleged that Venmo misled users about the security of their financial accounts, claiming "bank-grade security" without proper safeguards. Users were not notified of unauthorized changes, leading to unauthorized fund withdrawals.
- Fake Document Sales: In a crackdown on identity theft, the FTC targeted individuals selling fake documents. The defendants were prohibited from selling such documents and required to return ill-gotten gains.
- VTech Security Failures: VTech and its U.S. subsidiary settled charges for inadequate data security measures, which allowed a hacker to access personal information, including that of children. The settlement mandates a comprehensive data security program and independent audits for 20 years.
FTC's Efforts in Credit Reporting & Financial Privacy
In 2018, the FTC continued its efforts to enforce compliance with credit reporting and financial privacy laws. Here are the significant cases and developments:
- RealPage Settlement: RealPage, Inc. agreed to pay $3 million for violating the Fair Credit Reporting Act (FCRA) by failing to ensure the accuracy of tenant screening information. The company was found to have linked applicants to criminal records incorrectly, impacting their housing opportunities. The settlement requires RealPage to maintain better accuracy procedures.
- Credit Bureau Center Case: A federal court ordered Credit Bureau Center to pay over $5.2 million for deceiving consumers with fake rental ads and "free" credit reports. Consumers were unknowingly enrolled in costly credit monitoring services, leading to unexpected charges.
- Lending Club Violations: The FTC filed a complaint against Lending Club for failing to provide the required privacy notices as mandated by the Gramm-Leach-Bliley Act (GLB). Customers were not adequately informed about how their financial data would be used.
- Alliance Security Inc.: The FTC alleged that Alliance Security and its founder obtained numerous consumer credit reports without consent, violating the FCRA.
- Venmo Privacy Issues: The settlement with Venmo also highlighted violations of the GLB Privacy Rule and Safeguards Rule. Venmo failed to deliver annual privacy notices and did not implement adequate security measures for customer information.
FTC's Efforts in International Enforcement
The FTC is responsible for enforcing major international privacy frameworks, including the EU-U.S. Privacy Shield Framework and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system. The EU-U.S. Privacy Shield facilitates the transfer of personal data from the European Union to the U.S., ensuring consumer privacy through established principles.
In the APEC CBPR system, which is a voluntary and enforceable code aimed at enhancing data privacy for consumers, the FTC also acts as an enforcement authority. To date, the agency has taken action in 51 cases related to these international frameworks, including 39 under the former U.S.-EU Safe Harbor program, 4 under APEC CBPR, and 8 under the current Privacy Shield.
In the past year, the FTC addressed misleading claims by five U.S. companies regarding their participation in the EU-U.S. Privacy Shield Framework. The agency found that ReadyTech and IDmission falsely asserted compliance with the Framework, while SmartStart, VenPath, and mResource inaccurately stated that they were participants, despite allowing their certifications to lapse.
FTC's Efforts in Children’s Privacy
The Children’s Online Privacy Protection Act (COPPA) of 1998 requires websites and apps to obtain verifiable parental consent before collecting personal information from children under 13. The FTC has enforced this law since its inception and has brought 25 cases, collecting millions in penalties. Recent actions include:
- VTech Electronics Case: The FTC alleged that VTech collected personal information from hundreds of thousands of children without proper notice or parental consent, resulting in a $650,000 civil penalty.
- Explore Talent Complaint: The company was accused of knowingly collecting information from over 100,000 children under 13 without notifying parents or obtaining consent, leading to a $235,000 civil penalty.
- Warning Letters: The FTC sent notices to Gator Group Co., Ltd. and Tinitell, Inc., reminding them that their smartwatches marketed to U.S. children must comply with COPPA. The companies were found to lack necessary notices and consent mechanisms for data collection, including geolocation.
- ESRB Safe Harbor Program: The FTC approved modifications to the Entertainment Software Ratings Board's safe harbor program, which allows industry groups to create self-regulatory guidelines that meet or exceed COPPA protections. Participants will be subject to the program's review processes instead of formal investigations.
FTC's Efforts in Do Not Call Enforcement
The FTC's efforts to enforce the Do Not Call (DNC) Registry continue to protect consumers from unwanted telemarketing calls. Established in 2003, the DNC Registry now has over 235 million active registrations. Here are some key recent developments:
- Robocall Violations: The FTC sued Redwood Scientific Technologies for using illegal robocalls to promote deceptive dietary supplements. The court has temporarily halted their marketing activities while litigation continues.
- Imposter Military Recruitment: In a case against Sunkey Publishing, the defendants operated fake military recruitment websites and made numerous illegal telemarketing calls to numbers on the DNC Registry. They agreed to settle the charges.
- Charity Scams: Travis Deloy Peterson was charged for using fake veterans’ charities and illegal robocalls to solicit valuable donations, which he then sold for profit. A federal court issued a temporary restraining order against him.
- Robocall Scheme: The FTC obtained orders against Pointbreak Media for deceiving small business owners with false claims related to Google listings, including illegal calls to DNC Registry numbers.
- Widespread Robocalling: In a significant case, the FTC targeted two operations allegedly responsible for billions of illegal robocalls, claiming to sell various services. One set of defendants has reached a settlement.
- Alliance Security: The FTC filed against Alliance Security Inc. for making millions of calls to numbers on the DNC Registry. Settlements with telemarketers involved resulted in over $5.5 million in judgments.
- Credit Card Scams: A temporary restraining order was issued against Higher Goals Marketing LLC for running a credit card interest-rate reduction scam, similar to a previously shut-down operation.
- Student Loan Relief Fraud: A1 DocPrep was charged for soliciting unlawful student loan and mortgage assistance via illegal calls to DNC numbers. They settled with a judgment of over $9.1 million.
- Deceptive Practices: M&T Financial Group and their principal were charged for defrauding student loan borrowers, collecting illegal fees while making false claims about government programs. They agreed to a settlement exceeding $11.6 million.
- Timeshare Reselling Scheme: J. William Enterprises was charged for scamming timeshare owners out of at least $15 million by making false promises about sales or rentals. They reached a settlement totaling over $18.7 million.
Advocacy Efforts by the FTC
The FTC actively advocates for consumer rights and competition by providing expertise to courts and government agencies on relevant cases and policy decisions. In 2018, the Commission highlighted its efforts in several key areas related to privacy:
- Response to Consumer Product Safety Commission: The FTC emphasized the risks associated with poor security in Internet of Things (IoT) devices, noting potential hazards like malfunctioning braking systems in cars or non-functional safety detectors. The Commission highlighted its ongoing educational and enforcement initiatives aimed at improving device and information security.
- Comments to NTIA on Privacy: The FTC called for a balanced approach that safeguards consumer privacy while encouraging innovation. It underscored the importance of accurate privacy disclosures and expressed its support for federal privacy legislation that the Commission could enforce.
- Testimony on Data Security: In testimony before Congressional committees, the FTC reaffirmed its commitment to consumer privacy and urged the enactment of comprehensive data security legislation, emphasizing the need for a unified enforcement framework.
- Focus on FCRA Enforcement: The Commission reiterated that enforcing the Fair Credit Reporting Act (FCRA) remains a top priority, detailing its educational efforts and its active role in addressing violations within the consumer reporting ecosystem.
FTC Workshops on Consumer Privacy and Security
Since 1996, the FTC has conducted over 70 workshops, town halls, and roundtables to address emerging issues in consumer privacy and security. In 2018, the Commission hosted several significant events:
- PrivacyCon 2018: This annual conference focused on the latest research and trends in consumer privacy. It featured discussions on the implications of technologies like the Internet of Things, artificial intelligence, and virtual reality. The event also explored how to assess the economic impacts of privacy failures and the benefits of privacy-enhancing technologies.
- Decrypting Cryptocurrency Scams: The FTC's first workshop dedicated to cryptocurrency fraud brought together various stakeholders, including consumer groups and law enforcement, to examine fraudulent practices in this evolving sector.
- Hearings on Big Data and Competition: In November, the FTC held a hearing to discuss how big data affects competition and innovation. Participants shared insights on how personal information influences competition and offered policy recommendations.
- Ethics of Algorithms and AI: Another November hearing focused on the use of algorithms and artificial intelligence in business. The discussions centered on ethical considerations, consumer protection, and the impact of these technologies on competitive dynamics.
- Data Security Hearing: In December, the FTC hosted a session on data security threats and breaches. This hearing evaluated incentives for investing in data security, consumer expectations, and the agency's enforcement strategies.
FTC Reports and Surveys on Consumer Privacy and Data Security
The FTC is at the forefront of shaping policies on consumer privacy and data security, having published over 60 reports based on research, workshops, and discussions. In 2018, the following key reports and perspectives were released:
- Mobile Security Updates: This report examines the challenges of mobile operating system patching, drawing on data from eight device manufacturers. It offers recommendations for improving the update process, enhancing consumer awareness of the importance of updates, and ensuring timely updates across devices.
- Connected Cars Workshop Insights: Following a workshop with the National Highway Traffic Safety Administration, FTC staff outlined the benefits and data privacy concerns related to connected cars. The report highlights the various types of data collected and emphasizes the need for best practices in cybersecurity to mitigate risks.
- Informational Injuries: This perspective reviews consumer harm from privacy breaches, including issues like medical identity theft and erosion of trust. It discusses the importance of weighing potential risks against the benefits of data collection.
- Cybersecurity Education for Small Businesses: The FTC plans to create accessible educational resources for small businesses to address cybersecurity challenges. This initiative stems from discussions with small business owners and organizations about their experiences with cyber threats.
Consumer Education and Business Guidance by the FTC
The FTC prioritizes educating both consumers and businesses about privacy and data security, distributing millions of resources in English and Spanish. In 2018, several key initiatives and materials were released:
- National Education Campaign: In collaboration with the Department of Homeland Security, NIST, and the Small Business Administration, the FTC launched a campaign aimed at small business owners to help them understand common cyber threats. The campaign includes fact sheets, videos, and quizzes on topics like cybersecurity basics and vendor security.
- Tax Identity Theft Awareness Week: The FTC hosted webinars and social media outreach to inform consumers and businesses about minimizing risks related to tax identity theft. This initiative involved partnerships with organizations such as the IRS and the AARP Fraud Watch Network.
- Virtual Private Network Apps Education: New online resources were introduced to help consumers understand how VPNs work and what to consider before downloading related apps.
- Small Business Scam Guide: The FTC published a concise guide for small business owners detailing how to identify and respond to various scams, including phishing and ransomware.
- Credit Freeze and Fraud Alerts: Following amendments to the Fair Credit Reporting Act, the FTC released resources to help consumers understand their new rights related to credit freezes and fraud alerts, including FAQs and blogs targeting specific audiences.
- Consumer Blog: The FTC's consumer blog provided tips on protecting personal information, with popular posts covering how to block unwanted calls and avoid scams.
- Business Blog: The FTC's Business Blog featured 38 posts on data security and privacy issues, highlighting enforcement actions and important compliance guidance related to consumer protection laws.
International Engagement by the FTC
The FTC actively collaborates with global partners to enhance privacy and data security efforts worldwide. Here are some key initiatives from 2018:
- Cooperation with Foreign Authorities: The FTC engages in enforcement cooperation through informal consultations, memoranda of understanding, and information sharing, facilitated by the U.S. SAFE WEB Act.
- Collaboration on Connected Toys: The FTC worked with Canada’s Office of the Privacy Commissioner on an enforcement action against VTech, a toy manufacturer. This joint effort highlighted failures in protecting children's personal information.
- Asia Pacific Privacy Authorities Forum: The FTC hosted this forum in San Francisco, where representatives from 18 agencies across 13 countries discussed privacy investigations, artificial intelligence challenges, and cross-border enforcement strategies.
- Global Privacy Enforcement Network (GPEN): The FTC contributed to organizing teleconferences and enforcement workshops for GPEN, which expanded to include 69 privacy authorities from 50 countries, fostering international collaboration on privacy issues.
FTC Policy Initiatives on Global Privacy Protection
The FTC is dedicated to establishing robust privacy protections for consumer data exchanged internationally. Here are the highlights from the past year:
- Global Privacy Advocacy: The FTC promotes strong privacy policies and interoperability among various data protection frameworks.
- EU-U.S. Privacy Shield Review: The FTC participated in the second Annual Review of the Privacy Shield Framework alongside the Department of Commerce and other U.S. agencies.
- International Engagement: The Commission took part in meetings with the APEC Electronic Commerce Steering Group, the International Working Group on Data Protection in Telecommunications, and the OECD, focusing on issues like children's privacy and health-related data protection.
- Bilateral Discussions: The FTC hosted delegations and engaged in discussions with officials from Brazil, Costa Rica, France, Japan, South Korea, the UK, and members of the European Parliament, addressing key privacy and data security matters.
- Technical Cooperation Missions: The FTC conducted missions in India and Mexico to discuss privacy and cross-border data transfer issues.
In conclusion, the FTC's 2018 report underscores its ongoing dedication to safeguarding consumer privacy and data security across various sectors. The agency's actions, including significant enforcement against companies like MyEx.com, Venmo, Uber, and RealPage, demonstrate a robust commitment to holding businesses accountable for their privacy practices. With a focus on protecting vulnerable populations, such as children, and a proactive approach to addressing emerging technological challenges, the FTC said it continues to play a vital role in shaping a safer online environment. As we move forward, it's essential for businesses to stay informed and engaged in discussions around privacy and data security to ensure a collaborative approach to these critical issues.
For more information, see here: https://www.ftc.gov/news-events/press-releases/2019/03/ftc-releases-2018-privacy-data-security-update
These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.