FTC’s 2023 Privacy and Data Security Update and Key Actions and Initiatives
Last month, the Federal Trade Commission (“FTC”) released its Privacy and Data Security Update (“Update”) for 2023. The Update outlines the enforcement actions, guidance, reports, workshops, policy initiatives, consumer and business education, and rules from 2021-2023 for consumer data and privacy.
The Update discusses the efforts by the FTC to protect consumers in areas such as health privacy, geolocation tracking, children’s privacy, data security, credit reporting, financial privacy, AI, sensitive data, and spam calls and email. The FTC has used law enforcement to challenge alleged illegal conduct by companies like GoodRx, BetterHelp, CRI Genetics, Epic Games, Microsoft, Drizly, CafePress, TransUnion Rental Screening Solutions, Experian Consumer Services, Publishers Clearing House, and more.
Samuel Levine, Bureau of Consumer Protection Director, said, “We have worked vigorously to ensure that the law has equal force across the digital ecosystem, rising to the challenges presented by new technologies and seeking meaningful remedies that establish critical standards for protecting consumers’ information, rather than placing the burden on consumers to protect themselves. This is an area that demands an all-hands-on-deck response, and as the examples in the report show, the Commission is using every tool it has to safeguard consumers’ rights.”
The FTC also initiated rulemaking to establish sensible consumer protection baselines, ensuring fair competition and requiring better data breach notifications and clearer regulations for health apps. Overall, this update highlights the FTC’s proactive efforts to enhance consumer privacy and hold businesses accountable.
A synopsis of the main focus included in the Update is provided below:
Artificial Intelligence
The FTC has been actively involved in consumer protection issues related to artificial intelligence (AI), algorithms, and automated tools. In enforcement actions, the FTC has alleged companies violated the FTC Act or other laws by collecting, retaining, or using consumers’ personal information for machine learning or similar algorithms. The FTC has emphasized that there is no AI exception to the law. The FTC is working to safeguard consumers by prohibiting the use of unlawfully obtained or retained data for algorithm development or machine learning. In addition to these law enforcement actions, the Commission has engaged in numerous other actions related to artificial intelligence since January 2021, including settlements, reports, policy statements, and workshops. In March 2023, the FTC issued orders (Section 6(b)) to eight social media and video streaming platforms to investigate their automation and human review practices to reduce consumer exposure to paid advertising for fraudulent products and services.
Health Privacy & Security
The FTC has been prioritizing protecting consumers’ health information privacy and security since January 2021. Recent health-related orders have imposed injunctive relief, requiring businesses to stop sharing health information, obtain consent, delete improperly disclosed data, provide consumer notice, and establish privacy or data security programs. Additionally, monetary relief has been provided through civil penalties under the Health Breach Notification Rule or consumer redress. The FTC has released five new or revised publications, including: Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule; Health Breach Notification Rule: The Basics For Business; Complying With the FTC’s Health Breach Notification Rule; Mobile Health App Developers: FTC Best Practices; and Mobile Health App Interactive Tool.
Geolocation Tracking
The FTC has been focusing on preventing harm to consumers from the exposure of sensitive location data, which can reveal detailed information about individuals, such as their visits to clinics or religious places. It has brought enforcement actions against data brokers for selling such sensitive information and failing to adequately protect it.
Children’s Privacy
The FTC is committed to protecting children’s personal information through Section 5 of the FTC Act and the COPPA Rule, which enforces the Children’s Online Privacy Protection Act of 1998. Since 2000, the FTC has brought 42 COPPA cases and collected over $532 million in civil penalties. Since January 2021, the Commission has taken further actions to protect the privacy of the personal information of children. The FTC also proposed changes to the rule that would further limit companies’ ability to monetize children’s data.
Data Security
The FTC has filed 89 cases against companies for unfair and deceptive practices involving inadequate data protection since 2000. The FTC is strengthening data security relief to enhance consumer protection and business accountability. Settlements require companies to implement a comprehensive security program, undergo biennial assessments, and submit annual certifications from a senior officer regarding the company’s compliance with the order. Since 2021, the Commission has issued policy statements, sent warning letters, and issued a notice of penalty offense relating to privacy and data security.
Credit Reporting & Financial Privacy
The FTC safeguards consumers’ financial privacy and credit reporting by enforcing Section 5 of the FTC Act and specific laws. The FTC has brought 117 cases against companies for violating the FCRA and obtained over $137 million in civil penalties. The FTC has brought 35 cases since 2005, affecting the data security of hundreds of millions of consumers.
Spam Calls and Email
Since 2003, the FTC has filed 167 Do Not Call Provisions cases against telemarketers, seeking civil penalties, monetary restitution, and disgorgement of ill-gotten gains. The cases have resulted in over $2.1 billion in civil penalties and collections exceeding $395 million. The FTC has shut down over a billion abusive and fraudulent robocalls through its “Operation Stop Scam Calls” sweep, claiming defendants tricked consumers into providing personal information and consent. The FTC also brought cases under the CAN-SPAM Act, which protects consumers from receiving commercial email they consider to be spam.
Biometric
The FTC has issued a Biometric Policy Statement, warning that the growing use of biometric information and related technologies, including machine learning, raises privacy and data security concerns as well as the potential for bias and discrimination. The statement highlights risks such as the creation of deepfakes for fraud or harassment, large databases becoming targets for malicious actors, the disclosure of sensitive information about consumers, and some biometric technologies performing differently across demographic groups. It emphasizes that businesses must adhere to longstanding legal requirements and obligations, and lists practices the Commission will consider in determining if a company’s use of biometric information is deceptive or unfair in violation of Section 5.
Rulemaking and Policy Initiatives
The FTC is actively engaged in establishing baseline privacy standards, proposing rules to clarify the Health Breach Notification Rule for health apps and strengthen COPPA.
The agency has also initiated discussions to explore regulations addressing harmful surveillance and inadequate data security practices.
Through these comprehensive efforts, the FTC emphasized that it aims to enhance consumer protections and hold companies accountable for their data practices.
We expect to see more enforcement actions from the FTC, and it is clear from the Update that the FTC will continue to emphasize the importance of brands safeguarding the consumer data they collect and closely monitoring its sharing and usage practices.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.