The FTC Released the Privacy & Data Security Update for 2023

The Federal Trade Commission (“FTC”) released its 2023 Privacy and Data Security Update last month, reaffirming its commitment to protecting consumer privacy in a rapidly evolving technological landscape. The FTC discussed its focus on artificial intelligence, on enhancing protections for children and teens, and on sensitive consumer information such as health, biometric, and geolocation data.
Finally, the FTC has initiated rulemaking to establish sensible consumer protection baselines, ensuring fair competition and requiring better data breach notifications and clearer regulations for health apps. Overall, this update highlights the FTC’s proactive efforts to enhance consumer privacy and hold businesses accountable.
The FTC is taking significant action to enhance privacy protections, leveraging decades of experience in consumer privacy and data security enforcement. The Commission has pursued a broad range of enforcement actions across various industries, including social media, advertising technology, and mobile applications. Since 1999, it has handled 97 privacy cases and 169 cases related to the Telemarketing Sales Rule and CAN-SPAM Act, impacting hundreds of millions of consumers.
Recent enforcement efforts have concentrated on critical issues such as artificial intelligence, health data, geolocation tracking, and the privacy of children and teens. The FTC is also addressing data security, credit reporting, and the prevalence of spam calls and emails. While its primary focus is on protecting American consumers, the Commission also aims to safeguard foreign consumers from unfair or deceptive practices by businesses under its jurisdiction.
Summary of FTC Actions on Artificial Intelligence
The FTC is actively addressing consumer protection issues related to artificial intelligence (“AI”), algorithms, and automated tools. The Commission has brought enforcement actions against companies for violations related to the collection and use of personal and sensitive information with AI technologies. Notably, the FTC asserts that there are no exceptions for AI in the law, emphasizing the importance of lawful data practices. The Commission has also implemented measures against companies misusing consumer data for AI development and launched a market study on AI usage in social media and streaming platforms.
  • Rite Aid: Charged with unfair practices regarding facial recognition technology in stores. Accusations included failure to prevent misidentifications, particularly affecting women and people of color. Proposed settlement includes a five-year ban on using facial recognition for security, along with strict monitoring for any future biometric technology.
  • Ring: FTC resolved allegations against Ring for illegally surveilling customers and inadequate security measures. Required Ring to delete unlawfully reviewed data and implement a robust privacy and security program. Ring must pay $5.8 million in consumer redress and inform customers about the FTC’s action.
  • Amazon/Alexa: FTC alleged Amazon violated laws by retaining children’s voice recordings indefinitely and failing to delete user data upon request. Settlement mandates deletion of inactive accounts and children’s data, prohibiting its use for algorithm training.
  • Everalbum: FTC alleged that Everalbum misrepresented its use of facial recognition technology, using it by default without user consent. Settlement requires the deletion of all data derived from unlawfully obtained images.
In addition to these law enforcement actions, the Commission has engaged in numerous other actions—settlements, reports, policy statements, workshops—related to artificial intelligence since January 2021.
  • Data Deletion Requirements: Settlements with companies like Weight Watchers and CRI Genetics mandated the deletion of algorithms and tools developed from unlawfully obtained data.
  • Combatting Online Harms Report: The FTC issued a report to Congress discussing AI’s potential to address harmful online content while cautioning against over-reliance on these tools due to their limitations.
  • Market Study Orders: The FTC ordered eight social media and video streaming platforms to provide information on their use of automation and human review to combat consumer exposure to fraud and misleading advertising.
  • Joint Statement on Discrimination: Chair Khan collaborated with other agencies to address discrimination and bias in automated systems.
  • Biometric Information Policy Statement: The FTC clarified how Section 5 applies to the collection and use of biometric information, which often relies on AI technologies.
  • Voice Cloning Challenge: An open challenge was launched to encourage the development of solutions to protect consumers from AI-enabled voice cloning risks, including methods for prevention, detection, and evaluation.
  • PrivacyCon: This recurring event features discussions on consumer privacy and emerging technologies, with recent panels focusing on AI and automated decision-making.
  • Virtual Roundtable on Generative AI: The FTC examined the implications of generative AI on creative industries, highlighting competition and consumer protection concerns.
  • Business Guidance on AI: The FTC has issued multiple blog posts providing principles for businesses using AI, emphasizing transparency and accountability, and warning against deceptive practices.
  • AI and Your Business Series: In 2023, the FTC published several blog posts cautioning companies against making exaggerated claims about AI capabilities and outlining potential liabilities for misleading practices.
  • Consumer Alerts on AI Scams: The FTC issued alerts about how scammers exploit AI to enhance schemes and spread malicious software.
Additionally, the FTC has launched an omnibus resolution to streamline the investigation process for AI-related products and services, enabling more efficient enforcement against entities claiming to use or detect AI-generated content.
Summary of FTC Actions on Health Privacy and Security
The FTC has prioritized the protection of consumer health information, launching numerous enforcement actions since January 2021 to uphold health privacy standards.
  • BetterHelp: Recently, the Commission issued a final order against BetterHelp, an online counseling service, prohibiting the sharing of sensitive health data with third parties for advertising. BetterHelp is required to pay $7.8 million in partial refunds to consumers and implement a comprehensive privacy program.
  • GoodRx Holdings: In its first enforcement under the Health Breach Notification Rule, the FTC took action against GoodRx Holdings, alleging that the company disclosed personal health information to advertising platforms. This resulted in a civil penalty of $1.5 million and strong injunctive relief to protect user data.
  • Easy Healthcare Corporation: The FTC also reached a settlement with Easy Healthcare Corporation, which involved sharing sensitive data from its Premom app. This settlement requires a $100,000 civil penalty and compliance with privacy standards.
  • Flo Health: The FTC’s case against Flo Health involved allegations of sharing users’ sensitive health information, including pregnancy data, with third-party analytics providers. The settlement mandates user notifications, data deletion by third parties, and independent compliance reviews.
  • 1Health.io (Vitagene): Additionally, 1Health.io (Vitagene) was charged with deceptive practices regarding the security of DNA data. The settlement includes a $75,000 payment for consumer redress and requires the implementation of a robust information security program.
  • CRI Genetics: The Commission, in collaboration with California, settled claims against CRI Genetics for deceptive marketing practices related to DNA testing, which includes a requirement to delete personal data and a civil penalty of $700,000.
To further support businesses, the FTC published guidance outlining key lessons on health information privacy, emphasizing the importance of clear communication and compliance.
Summary of FTC Actions in Geolocation Tracking
Geolocation data is particularly sensitive, as it can reveal personal information about individuals, including visits to medical facilities, places of worship, or shelters for domestic violence. In response to concerns about consumer privacy, the FTC has taken significant action to mitigate potential harms from the misuse of this information.
  • Kochava Inc.: One notable case involves Kochava Inc., a data aggregator that compiles and sells precise geolocation data collected from consumers’ mobile devices. The FTC alleges that Kochava sells this data in a manner that allows tracking of individuals to sensitive locations without adequate privacy protections. A federal court in Idaho recently denied Kochava’s motion to dismiss the FTC’s complaint, affirming that the claims against the company are both legally and factually plausible. This case is currently in active litigation.
  • Support King, LLC: The FTC finalized a settlement with Support King, LLC, which previously operated SpyFone.com, a service that marketed stalkerware apps. These apps enabled users to monitor individuals’ personal data, including GPS locations, without their consent. The FTC charged Support King and its CEO, Scott Zuckerman, with unfair practices, including failing to ensure that the apps would be used for lawful purposes and misrepresenting their data security measures. As part of the settlement, Support King and Zuckerman are prohibited from offering or promoting any surveillance apps or services.
The FTC published guidance on the risks associated with the illegal use and sharing of sensitive geolocation data. This guidance underscores the Commission’s commitment to enforcing the law against the misuse of sensitive information.
Summary of FTC Actions in Children’s Privacy
The FTC states that it is committed to protecting children’s personal information through enforcement of the Children’s Online Privacy Protection Act (COPPA) and Section 5 of the FTC Act. The FTC has also focused on enhancing protections for children and teens by proposing updates to the COPPA Rule and obtaining substantial penalties against companies such as Epic Games for data privacy violations. New mandates require that privacy settings default to protect teen users. Since 2000, the FTC has initiated 42 COPPA cases, collecting over $532 million in civil penalties. Here’s a summary of recent actions taken by the FTC since January 2021:
  • Meta (formerly Facebook): In May 2023, the FTC proposed changes to a 2020 privacy order due to concerns that Meta had not fully complied with the COPPA Rule. Allegations included misleading parents about the control over their children’s communications on the Messenger Kids app and gaps in Meta’s privacy program. Proposed modifications would prohibit Meta from profiting from data collected from users under 18 and impose further limitations on its use of facial recognition technology.
  • Epic Games, Inc.: The company settled allegations that it violated COPPA by collecting personal information from children without parental consent and allowing them to communicate with strangers through Fortnite. The settlement requires Epic to delete unlawfully collected data, implement stronger privacy settings, and pay a record $275 million civil penalty.
  • Amazon: The company reached a settlement regarding its Alexa-powered Echo devices, accused of retaining children’s voice recordings indefinitely and failing to delete data upon request. The order mandates Amazon to delete inactive child accounts and certain data, prohibits using such data for algorithm training, and imposes a $25 million civil penalty.
  • Edmodo: This educational technology company settled FTC allegations for failing to obtain parental consent before collecting children’s data and improperly outsourcing compliance to schools. The settlement includes a civil penalty and restrictions on data collection practices.
  • Microsoft: The company settled COPPA allegations related to collecting personal information from children signing up for Xbox without parental consent. The order requires Microsoft to inform parents about the need for child accounts to enhance privacy protections and imposes a $20 million civil penalty.
  • WW International, Inc. (formerly Weight Watchers): This company and its subsidiary Kurbo were charged with marketing a weight loss app for children without parental consent. The order requires them to delete non-compliant data and imposes a $1.5 million civil penalty.
  • OpenX: The advertising platform entered a settlement for collecting information about children in violation of COPPA. The order mandates OpenX to delete the collected data, implement a compliance program, and pay a $2 million civil penalty.
  • Kuuhuub Inc. (Recolor app): The operators of this coloring book app faced allegations for collecting personal information from children using social features. The settlement requires notifying users of violations, deleting illegally collected data, providing refunds to underage subscribers, and paying a $3 million monetary penalty (suspended upon a $100,000 payment).
Summary of FTC Actions on Data Security
The FTC has been proactive in addressing companies that inadequately protect consumers’ personal data, having initiated 89 cases since 2000. These cases focus on unfair or deceptive practices and aim to enhance consumer protection and business accountability. Each settlement typically requires companies to implement comprehensive security programs, undergo biennial assessments, and submit annual compliance certifications from senior officials. Here’s a summary of notable recent actions:
  • Global Tel*Link: The FTC settled with this company, which provides services for incarcerated individuals, over allegations of insufficient security safeguards. A breach affected hundreds of thousands of users. The settlement mandates a comprehensive security program, user notifications for affected individuals, and credit monitoring services.
  • Drizly: The online alcohol marketplace and its CEO faced allegations for security failures that exposed personal information of about 2.5 million consumers. The settlement requires Drizly to destroy unnecessary data, limit data collection, and enforce specific security measures overseen by its CEO.
  • Chegg: This edtech provider settled allegations of inadequate data protection that led to breaches exposing sensitive information. The order mandates a comprehensive security program, multifactor authentication, and access rights for users to manage their personal data.
  • CafePress: The company was charged with failing to secure sensitive data and covering up breaches. The settlement requires improved security measures and data minimization practices, along with a $500,000 compensation to small businesses affected.
  • MoviePass: The subscription service faced allegations for not securing subscriber data and misleading customers about service access. The settlement includes a ban on misrepresentation, along with the requirement to implement comprehensive security programs.
  • Ring: The maker of home security cameras was accused of illegally surveilling customers and failing to protect accounts from hackers. The settlement requires a robust privacy and security program, including novel safeguards for video access and independent assessments.
  • Twitter (now X): The company was found to have misused users’ phone numbers and email addresses for targeted advertising instead of security purposes. The settlement includes a $150 million civil penalty and mandates multi-factor authentication options that do not require a phone number.
Summary of FTC Actions on Credit Reporting and Financial Privacy
The FTC is dedicated to protecting consumers’ financial privacy and ensuring fair credit reporting practices through enforcement of the Fair Credit Reporting Act (FCRA) and other regulations. With 117 cases filed under the FCRA, the FTC has secured over $137 million in civil penalties, ensuring that consumer reporting agencies maintain accuracy in consumer information. Here’s a summary of recent cases involving credit reporting and financial privacy:
  • TransUnion Rental Screening Solutions: TransUnion and its parent company settled allegations of FCRA violations by failing to ensure the accuracy of eviction records in tenant screening reports. They will pay $11 million in consumer redress and a $4 million civil penalty, while also implementing procedures to prevent the inclusion of misleading or sealed records.
  • TruthFinder and Instant Checkmate: These background check companies were accused of violating the FCRA by operating as consumer reporting agencies without adhering to necessary accuracy standards. The settlement requires them to improve compliance procedures and pay a $5.8 million civil penalty.
  • ITMedia Solutions Inc.: This lead generation company faced allegations for unlawfully obtaining and reselling consumer credit scores. ITMedia will pay a $1.5 million civil penalty as part of the settlement.
  • Vivint Smart Home, Inc.: Vivint settled allegations of improperly obtaining credit reports by using a deceptive practice known as “white paging” to qualify unqualified customers. The company will pay $20 million and is required to implement training programs and establish a customer service task force to ensure proper account verification.
  • Financial Education Services: The FTC is currently litigating against this fraudulent credit repair company for making false certifications to obtain consumers’ credit reports. They falsely promised to improve credit scores while often harming consumers’ credit instead.
Summary of FTC Actions on Do Not Call Violations
The FTC established a national Do Not Call (DNC) Registry in 2003, now with over 249 million registrations, to protect consumers from unwanted telemarketing calls. The FTC enforces rules prohibiting telemarketers from calling numbers on this registry and engaging in deceptive practices. Since then, the agency has taken significant action against violators, resulting in over $2.1 billion in penalties and restitution. Here are key recent cases involving Do Not Call violations:
  • Fluent, LLC: The FTC sued for misleading consent practices, alleging that the company obtained consent from nearly one million consumers daily through deceptive websites. Fluent agreed to pay $2.5 million and comply with strict guidelines for obtaining consumer information.
  • Yodel Technologies, Inc.: This company used “soundboard” technology to make over 1.4 billion robocalls, often purchasing contact information from deceptive consent farms. Yodel settled with a permanent ban on telemarketing and a $1 million judgment, paying $400,000.
  • Viceroy Media Solutions: The FTC took action against this consent farm for selling consumer information without obtaining proper consent. The defendants agreed to pay $150,000 and implement clearer disclosures on their job websites.
  • Solar Xchange LLC: The FTC sued for making unlawful calls related to solar panel sales, including to consumers on the DNC list. They settled with a $13 million judgment, paying $62,500, and must ensure their lead generators do not engage in deceptive practices.
  • Hello Hello Miami, LLC: This VoIP provider was sued for facilitating 37.8 million illegal robocalls, many directed at DNC-listed consumers. A default judgment requires the company to implement screening measures for their clients.
  • Benefytt Technologies, Inc.: The FTC took action against this network selling sham healthcare products, collecting over $110 million through deceptive calls. Benefytt agreed to pay $100 million in refunds and implement monitoring measures to avoid future violations.
  • Associated Community Services, Inc.: This operation made 1.3 billion deceptive fundraising calls and was ordered to pay $100 million, which was partially suspended. Most defendants were permanently banned from fundraising activities.
  • Environmental Safety International, Inc.: The FTC sued for making over 45 million illegal telemarketing calls related to septic tank cleaning products. The defendants agreed to a ban on telemarketing and paid over $1.65 million.
  • American Vehicle Protection Corp.: This group falsely claimed affiliation with auto companies while making calls to DNC-listed numbers. They agreed to a lifetime ban on telemarketing and to pay $500,000.
  • XCast Labs, Inc.: The FTC sued this VoIP provider for delivering billions of illegal robocalls. The settlement includes a $10 million penalty, which was suspended due to financial difficulties.
  • Home Matters USA: The FTC and California regulators halted operations of a mortgage modification scheme that marketed to DNC-listed consumers. The litigation is ongoing.
  • Stratics Networks Inc.: The FTC took action against this group for illegal calls and advance fee charging. Litigation against them and associated defendants is ongoing.
  • VOIP Terminator, Inc.: This provider was sued for transmitting millions of illegal robocalls. They agreed to a settlement requiring compliance with telemarketing laws.
Summary of Recent FTC Actions Under the CAN-SPAM Act
The FTC enforces the CAN-SPAM Act to protect consumers from unwanted commercial emails, often referred to as spam. Recently, the FTC has taken action against two companies for violations of this law:
  • ConsumerInfo.com (Experian): The FTC alleged that Experian sent marketing emails to consumers who had signed up for accounts, failing to provide an opt-out option as required by the CAN-SPAM Act. These emails, labeled as “important updates,” were primarily promotional and did not inform consumers of their rights to opt out. As a result of the settlement, Experian is prohibited from sending such marketing messages without an opt-out mechanism and has agreed to pay a civil penalty of $650,000.
  • Publishers Clearing House (PCH): The FTC accused PCH of using deceptive tactics to mislead consumers into making purchases to enter or enhance their chances in sweepstakes. PCH’s emails featured misleading subject lines designed to create urgency, such as “High Priority Doc. W-2 Issued.” The FTC also claimed that PCH misrepresented its data-sharing practices. Under the settlement, PCH must cease deceptive practices, provide clear disclosures, and destroy consumer data collected before January 2019, in addition to paying $18.5 million for consumer refunds.
Summary of FTC Actions on International Data Privacy
The FTC has been actively enforcing privacy protections related to international data transfers for over 20 years, particularly under frameworks like the EU-U.S. Data Privacy Framework (DPF). This framework allows companies to transfer personal data from the EU to the U.S. in compliance with EU law. Companies must self-certify their compliance, and failure to do so can lead to enforcement actions under Section 5, which prohibits unfair and deceptive practices. The FTC, led by Chair Lina Khan, has committed to robust enforcement of DPF Principles and collaboration with EU privacy authorities. Since January 2021, the FTC has resolved the following matters under the Privacy Shield Framework:
  • Flo Health: The FTC alleged that the fertility-tracking app improperly disclosed user health information to third-party analytics providers despite promises of privacy. This was found to violate multiple DPF Principles, including Notice, Choice, Accountability for Onward Transfer, and Data Integrity and Purpose Limitation.
  • CafePress: The FTC claimed that CafePress failed to secure sensitive consumer information and concealed a major data breach. This conduct violated DPF Principles related to Choice, Security, and Access.
  • Twitter: The FTC secured $150 million from Twitter for violating a previous order, affecting over 140 million customers. This action was linked to breaches of the Data Integrity and Purpose Limitation principle under the DPF.
Summary of FTC Rules on Consumer Privacy and Security
The FTC is empowered by Congress to issue rules that regulate consumer privacy and security. Here are some key rules and ongoing initiatives since 2021:
  • GLB Safeguards and Privacy Rules: In December 2021, the Commission issued an amended Privacy Rule and an amended Safeguards Rule, which became effective on June 9, 2023. In October 2023, the Commission issued a breach notification amendment to the GLB Safeguards Rule, which requires financial institutions to notify the FTC of breaches affecting 500 or more consumers. Financial institutions must implement comprehensive security programs and provide initial and annual privacy notices to customers.
  • Health Breach Notification Rule: Vendors of personal health records must notify individuals and the FTC about breaches of unsecured health information. In June 2023, the FTC proposed updates to strengthen this rule, particularly regarding health apps, receiving 128 public comments for consideration.
  • COPPA Rule: Websites must obtain parental consent before collecting personal information from children under 13. A Notice of Proposed Rulemaking issued in December 2023 aims to modernize the COPPA Rule, with public comments accepted until March 11, 2024.
  • Commercial Surveillance and Data Security Rulemaking: The FTC is exploring new rules to address harmful commercial surveillance practices. An Advance Notice of Proposed Rulemaking sought public comments on the risks of commercial surveillance, closing in November 2022. Over 10,000 comments were submitted for review.
  • CAN-SPAM Rule: Designed to prevent deceptive commercial emails, this rule requires companies to provide opt-out options. Following a review process, the FTC determined in 2019 that it would retain the CAN-SPAM Rule unchanged.
Summary of FTC Policy Statements and Actions on Privacy and Data Security
Since 2021, the FTC has taken significant steps to address privacy and data security issues through policy statements, warning letters, and notices of penalty offenses. Here are the key issues outlined by the FTC:
  • Notice of Penalty Offenses for Tax Preparation Companies (September 2023): The FTC warned against unfair practices involving consumer information that is expected to remain confidential. Misuse includes using information for unrequested purposes, obtaining financial benefits unrelated to the service, and misleading consumers about confidentiality. Warning letters were sent to five tax preparation companies regarding potential civil penalties for misuse of confidential data, particularly concerning tracking technologies like cookies and pixels.
  • Warnings on Online Tracking Technologies (June 2023): The FTC and HHS cautioned approximately 130 hospital systems and telehealth providers about privacy risks associated with online tracking technologies, like Facebook/Meta pixels. These technologies may disclose sensitive personal health data to third parties without consumer knowledge.
  • Biometric Policy Statement (May 2023): The FTC highlighted concerns over the use of biometric data and related technologies, which pose risks of bias, discrimination, and fraud. The statement warns that biometric information can create deepfakes and that large databases may attract malicious actors. Businesses are reminded to comply with legal obligations regarding biometric data.
  • Joint Statement on AI and Discrimination (April 2023): The FTC, alongside other federal agencies, emphasized enforcement against discrimination and bias in automated systems.
  • Policy Statement on Education Technology and COPPA (May 2022): The FTC addressed data collection issues in education technology, clarifying that COPPA prevents Ed Tech companies from denying service based on parental consent for data collection. Ed Tech providers must fully comply with COPPA provisions regarding children’s data privacy.
  • Policy Statement on Gig Work (September 2022): The FTC committed to protecting gig workers from unfair practices and emphasized that gig companies must fulfill promises to workers, even when using automated systems.
  • Statement on Breaches by Health Apps (September 2021): The FTC clarified that health apps and connected devices must adhere to the Health Breach Notification Rule, ensuring accountability for breaches of sensitive health information. The statement reinforces that entities not covered by HIPAA must notify consumers and the FTC of any breaches.
Summary of Recent FTC Reports and Studies
The FTC has conducted various reports and studies to assess and improve consumer privacy and security practices. Here are the key issues outlined by the FTC:
  • 6(b) Orders to Social Media Companies: The FTC issued orders to nine major social media companies, including Amazon, TikTok, Facebook, and Twitter, to gather information on the following topics, with the goal of informing future agency policies and reports:
    • Collection and use of personal and demographic information
    • Methods for ad targeting
    • Application of algorithms and data analytics
    • User engagement metrics
    • Effects on children and teens
  • Automation and Fraud Prevention Study: In March 2023, the FTC issued orders to eight social media and video streaming platforms to gather insights on their use of automation and human review to reduce consumer exposure to fraudulent ads.
  • Joint Request for Information on Tenant Screening: The FTC and CFPB sought comments on housing application and screening practices that may affect consumers’ ability to secure rental housing. They received input from a variety of stakeholders, including tenants and property managers, which will aid in policy development and law enforcement initiatives.
  • RFI on Cloud Computing: The FTC issued a Request for Information on cloud computing practices, focusing on security, generative AI, and competition. Findings from a subsequent virtual panel were published and discussed in a blog post.
  • Public Comment on COPPA Parental Consent: The FTC invited public comments on a new method for obtaining verifiable parental consent under COPPA, proposed by the ESRB Group. The Commission is currently reviewing the proposal and the over 350 public comments received.
  • FTC Report to Congress on Privacy and Security: The Commission submitted a comprehensive report assessing its efforts related to data privacy and security.
Summary of Recent FTC Workshops on Consumer Privacy and Security
The FTC has a long history of hosting workshops to address emerging issues in consumer privacy and security. Here are highlights from recent events:
  • PrivacyCon 2022: The seventh iteration of PrivacyCon took place virtually in November 2022, attracting nearly 2,000 viewers. Key topics discussed included: Consumer Surveillance; Automated Decision-Making Systems; Children’s Privacy; Devices that Listen; Augmented Reality/Virtual Reality; User Interfaces and Dark Patterns; and AdTech. Archived videos and transcripts of the sessions are available on the event page.
  • Bringing Dark Patterns to Light Workshop: In April 2021, the FTC hosted a virtual workshop focused on “dark patterns” in user interfaces that can mislead consumers regarding their choices. The workshop garnered over 1,500 viewers and examined how design elements can obscure consumer privacy options. Following the event, the FTC released a staff report detailing the issues surrounding dark patterns, providing further insights.
Summary of FTC Consumer Education and Business Guidance
The FTC described its efforts to educate consumers and to provide businesses with guidance on privacy and security matters. Here are key initiatives from 2021 to 2023:
  • Educational Materials for Consumers and Businesses: Millions of educational materials have been distributed in both English and Spanish, addressing topics such as identity theft, internet safety for children, mobile privacy, and more.
Key Programs and Updates
  • Cybersecurity for Small Business Campaign: Ongoing promotion of resources at ftc.gov/cybersecurity (and the Spanish version at ftc.gov/ciberseguridad), which provide plain-language advice on protecting computers and networks and on training employees. The FTC collaborated with federal partners such as the SBA and NIST to host events and webinars, with a focus on minority-owned businesses and women entrepreneurs.
  • Business Guidance: New and updated guidance documents focused on health privacy, including:
    • Health Information Compliance: Publications on HIPAA, the FTC Act, and Health Breach Notification Rule.
    • Mobile Health App Guidance: Best practices for developers and a new interactive tool to identify applicable privacy laws.
    • Safeguards Rule Guidance: Updated resources to help businesses understand the 2021 revisions.
  • Consumer Guidance: Updated privacy and security guidance at ftc.gov/onlinesecurity covering:
    • Understanding online privacy and protecting devices.
    • Everyday security tips, such as using strong passwords and two-factor authentication.
    • Resources to help parents and kids navigate online risks.
  • Identity Theft Guidance: Collaboration with the SBA to assist those affected by identity theft during the pandemic, including reporting pathways. Enhanced outreach through Identity Theft Awareness Week, leveraging partnerships with organizations like AARP and ITRC.
  • Business Alerts: More than 100 alerts covering data security and privacy issues related to companies such as Twitter and Amazon, along with a comprehensive series addressing the implications of AI for privacy principles.
  • Consumer Alerts: Regular updates on potential privacy hazards and protective measures, including alerts about scams, data security tips, and advice on responding to data breaches.
FTC International Engagement on Privacy and Data Security
The FTC actively collaborates with international partners to enhance privacy and data security standards globally. Here is a summary of its key initiatives:
Enforcement Cooperation
  • Collaboration with Foreign Authorities: The FTC engages in informal consultations and shares complaints with foreign counterparts.
  • U.S. SAFE WEB Act: This act allows the FTC to share information and provide investigative assistance to foreign law enforcement. The act was renewed for another seven years in 2020.
  • Global Cooperation Arrangement: The FTC contributed to the drafting of the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), supporting the APEC Cross-Border Privacy Rules (CBPR) system.
  • Global Privacy Enforcement Network (GPEN): As a member of the GPEN Committee, the FTC hosted a workshop and developed a new action plan for better enforcement cooperation.
Policy Advocacy
  • Promoting Global Privacy Protections: The FTC advocates for strong privacy policies that protect consumer data during international transfers.
  • Interoperability of Privacy Regimes: The agency works towards achieving compatibility among different global privacy frameworks to enhance accountability in data handling.
International Participation
  • Global Meetings and Initiatives: The FTC was involved in significant international gatherings, including: Global Privacy Assembly; APEC Electronic Commerce Steering Group; Asia-Pacific Privacy Authorities Forum; G7 Data Protection Authorities; and Organisation for Economic Co-operation and Development (OECD).
  • Bilateral Discussions: The FTC engaged directly with various countries, hosting delegations and discussing privacy issues with officials from Egypt, the United Kingdom, and Canada, as well as the European Data Protection Supervisor and Board and the European Parliament.
  • Technical Cooperation Exchanges: The agency held exchanges on privacy and cross-border data transfer with countries like Kenya and the Philippines, participating in events organized by the Department of Commerce.
For more information, see here: https://www.ftc.gov/reports/federal-trade-commission-2023-privacy-data-security-update
These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.