A recent U.S. Federal Trade Commission (FTC) blog post gives a clear indication of the regulator’s strict requirements for data collection and sharing.
- So far in 2024 (after a very busy 2023), the FTC has already announced three important orders against companies that allegedly collected and shared personal information illegally.
- In a blog post titled “FTC Cracks Down on Mass Data Collectors,” the agency analyzes these cases and sends a clear message about its robust approach to privacy enforcement.
- In the current regulatory environment, businesses should consider reviewing how they handle personal information. The FTC states it will continue to “use all of its tools to continue to protect Americans.”
What’s going on with the FTC’s privacy crackdown?
The U.S. privacy landscape is transforming at the state level, with around one-third of states passing strong new privacy legislation in the past few years. But privacy enforcement is heating up at the federal level, too.
Under Chair Lina Khan, the FTC has been rigorously pursuing companies engaged in what it calls “commercial surveillance” and “data abuse.” Those terms might sound extreme, but they include activities that have become relatively widespread across the country.
In the first two months of 2024, the FTC enforced the law against three companies for how they treated personal information:
- X-Mode (now known as Outlogic): An order announced on January 9 requires X-Mode to destroy all sensitive location data collected without consent, among other steps.
- InMarket: On January 18, the FTC announced a settlement requiring InMarket to overhaul its business model substantially.
- Avast: The FTC’s settlement with UK-based antivirus firm Avast, announced on February 22, requires the company to pay $16.5 million and delete algorithms trained on its customers’ web browsing data.
But the U.S. doesn’t have a federal privacy law…
Although the U.S. has yet to pass a federal privacy law, this year’s FTC cases invoked a consumer protection law: the FTC Act. In 2023, the agency also used other laws at its disposal, such as the Health Breach Notification Rule (HBNR) and the Children’s Online Privacy Protection Act (COPPA).
The FTC Act prohibits certain “unfair or deceptive acts or practices”, which the FTC interprets to include violating people’s privacy.
For example, in its complaint against Avast, the FTC says the following things are “unfair acts or practices” when done without “adequate notice” or consent:
- Collecting consumers’ browsing information
- Storing the information indefinitely “in granular (individual) form”
- Selling the information to third parties
In its InMarket complaint, the agency effectively said businesses cannot collect location data without telling consumers why. In its X-Mode settlement, the FTC stated that collecting sensitive location data risked causing “substantial injury to consumers”.
But those cases sound quite serious…
The three privacy cases that the FTC has enforced this year (together with around ten such cases from 2023) have all been serious. But the lessons learned from these cases are broadly applicable—even in less sensitive contexts.
In this blog post, the FTC provided the following warnings to all companies operating across the U.S.:
- “Browsing and location data are sensitive. Full stop.”
- Businesses do not have “free license” to “market, sell, and monetize” people’s information “beyond purposes to provide their requested product or service.”
- A company’s “bottom line” does not “outweigh the need for meaningful privacy safeguards.”
The agency’s privacy crackdown shows no signs of abating, and with the FTC’s strong privacy focus, we’re seeing a much more tightly regulated environment develop even at the federal level. Businesses must develop clear and comprehensive oversight of their data collection practices.
FTC’s Privacy Crackdown: What You Can Do
- Map your data. Make sure you know what personal information you’re collecting (including from apps, websites, and online services) and which other entities can access the data. Look at your website’s cookies, any Software Development Kits (SDKs) integrated into your apps, and any service providers with which you share data.
- Determine whether you’re collecting sensitive personal information. The FTC says browsing and location data are sensitive. These types of data can provide information about people’s visits to sensitive websites and locations—but the FTC states that they’re sensitive “full stop”.
- Consider your purposes. For every type of data you collect, ask yourself, “why?” You might need consent to collect and use personal information for purposes beyond what’s necessary to provide your services.
- Be transparent. In your privacy notice—and, where necessary, other notices like cookie pop-ups—disclose each type of personal information you collect, what you use it for, who else might receive it, and why.