The FTC Released the Privacy & Data Security Update for 2017
January 18, 2018
The Federal Trade Commission (“FTC”) released its 2017 Privacy and Data Security Update, highlighting key initiatives aimed at ensuring responsible handling of personal information both online and offline.
The FTC enforced privacy laws vigorously in 2017, securing settlements with major companies like Lenovo and Vizio. These cases addressed violations and mandated corrective measures to protect consumer data. In 2017, the FTC initiated its first enforcement actions under the EU-U.S. Privacy Shield framework, ensuring compliance with international data transfer standards. The FTC published reports, conducted research, and organized workshops focusing on emerging privacy and security issues. Events covered topics such as connected cars, student privacy, identity theft, and informational injury.
The FTC also announced that PrivacyCon, its annual event examining critical consumer privacy issues, is scheduled for February 28, 2018, underscoring its ongoing commitment to transparency and dialogue.
The update highlights the FTC’s commitment to protecting consumer privacy through proactive enforcement, regulatory actions, and fostering dialogue among stakeholders.
A brief synopsis of the categories included in the Update is provided below:
Privacy Enforcement Actions
In 2017, the FTC addressed a spectrum of privacy concerns with significant implications for consumer protection:
- Lenovo and Superfish: The FTC, alongside 32 State Attorneys General, alleged that Lenovo sold laptops with preinstalled software, VisualDiscovery, which intercepted sensitive consumer data without consent. This “man-in-the-middle” technique compromised user privacy, accessing personal information transmitted over the Internet.
- Uber Technologies: Uber settled FTC charges for deceiving consumers about its handling of private data, failing to enforce strict policies on employee access to consumer and driver information.
- Blue Global: Accused of misleading consumers seeking loans, Blue Global sold sensitive personal data without proper consent, disregarding promised protections for consumer information.
- Upromise: Paid a civil penalty for failing to disclose data practices related to its RewardU toolbar, violating FTC orders aimed at protecting consumer data.
- VIZIO: Settled charges for secretly collecting and selling viewing data from millions of smart TVs without user consent, utilizing demographic details for targeted advertising.
- SQ Capital: The FTC obtained a judgment against SQ Capital for selling fake payday loan debts, which led to consumer harassment and financial harm.
- ACDI Group: Alleged to have collected on non-existent payday loan debts, exploiting real consumer data for illegitimate debt collection practices.
- Stark Law: Banned from debt collection and asset seizure, Stark Law surrendered millions in assets acquired through fraudulent debt collection practices.
- Turn Inc.: The FTC modified an order against Turn Inc., addressing allegations of misleading consumers about their online and mobile tracking practices.
- Jerk.com: The FTC affirmed its findings against Jerk.com for misleading consumers about user-generated content and the benefits of paid memberships.
The FTC said these cases underscore its commitment to holding companies accountable for protecting consumer privacy and data security.
FTC’s Efforts in Data Security
In 2017, the FTC continued its robust efforts to address data security issues, bringing forth significant cases to protect consumers’ personal information. Here are the key highlights:
- Uber Technologies: The FTC alleged that Uber failed to secure sensitive consumer data stored in the cloud, despite assurances of robust security practices. This lapse allowed unauthorized access to personal information of Uber drivers, including names and driver’s license numbers.
- Lenovo’s VisualDiscovery Software: Lenovo faced allegations alongside 32 State Attorneys General for selling laptops with preinstalled VisualDiscovery software. This software created security vulnerabilities by replacing digital certificates on encrypted websites with its own, using an insecure method that potentially exposed consumers to spoofed or malicious websites.
- D-Link: The FTC filed a complaint against D-Link for inadequately securing its wireless routers and Internet cameras, leaving them vulnerable to hacking. Despite promoting strong security measures on its website, D-Link allegedly failed to address well-known security flaws.
FTC’s Efforts in Credit Reporting & Financial Privacy
Ensuring the security and privacy of consumer financial information is paramount, and the FTC plays a crucial role in upholding these standards. Here’s a summary of their efforts in 2017:
- Fair Credit Reporting Act (“FCRA”): The FTC has taken action against over 100 companies for FCRA violations, collecting over $30 million in penalties. The FCRA regulates how companies use data to assess creditworthiness, insurance eligibility, employment suitability, and tenant screening.
- Gramm-Leach-Bliley (“GLB”) Act: This Act mandates that financial institutions provide consumers with initial and annual privacy notices, allowing them to opt out of sharing their information with third parties. It also requires these institutions to maintain reasonable security policies. Since 2005, the FTC has pursued nearly 30 cases related to GLB Act violations.
- 2017 Case Highlight – TaxSlayer: The FTC alleged that TaxSlayer, an online tax preparation service, violated the GLB Act’s Safeguards Rule and Privacy Rule. TaxSlayer allegedly failed to implement a comprehensive security program until late 2015, neglecting to assess and mitigate internal and external security risks adequately. This lapse resulted in cyberattacks compromising nearly 9,000 customer accounts, leading to tax identity theft incidents. Furthermore, TaxSlayer allegedly did not provide clear initial privacy notices to customers as required.
FTC’s Efforts in Safeguarding Global Privacy
In an increasingly interconnected world, the FTC plays a vital role in enforcing international privacy standards. Here’s a summary of their efforts:
- EU-U.S. Privacy Shield Framework: This framework enables companies to transfer personal data from the EU to the U.S. under the agreed Privacy Shield Principles, which set privacy and security requirements for the data. The framework is administered by the Department of Commerce, and the FTC enforces the Principles, ensuring that participating companies uphold their privacy commitments. In recent actions, the FTC settled cases against three companies—Tru Communication, Decusoft, and Md7—for falsely claiming participation in the Privacy Shield and the Swiss-U.S. Privacy Shield without completing certification.
- Swiss-U.S. Privacy Shield Framework: Similar to its EU counterpart, this framework governs data transfers between Switzerland and the U.S., with the FTC committed to its enforcement.
- APEC Cross-Border Privacy Rules (CBPR) System: This voluntary code enhances privacy and security in data transfers among APEC members, including the U.S. The FTC ensures compliance with APEC’s privacy principles. Recently, the FTC finalized orders with Sentinel Labs, SpyChatter, and Vir2us for falsely stating their participation in the APEC CBPR system and misrepresenting their privacy practices.
FTC’s Efforts in Children’s Privacy
Ensuring children’s privacy online remains a top priority for the FTC, guided by the Children’s Online Privacy Protection Act (“COPPA”) of 1998. Here’s a summary of recent actions and guidelines:
- COPPA Overview: COPPA mandates websites and apps to obtain parental consent before collecting personal information from children under 13. Since 2000, the FTC has enforced COPPA through over 20 cases, imposing substantial civil penalties.
- 2013 Rule Update: To adapt to evolving technology, the FTC updated COPPA in 2013. This update addressed new challenges like social networking, smartphone use, and geolocation data, ensuring robust protections for children’s privacy.
- Recent FTC Actions:
  - Audio Voice Recordings: The FTC issued new guidance clarifying COPPA’s application to audio voice recordings. Specifically, when a child’s voice is collected solely to perform a command or request on internet-connected devices, parental consent may not be required if the recording is held briefly.
  - TRUSTe Safe Harbor Program: The FTC approved modifications to TRUSTe’s safe harbor program under COPPA. This program allows industry groups to establish self-regulatory guidelines that meet or exceed COPPA requirements. Participants in approved programs are subject to the safe harbor’s guidelines instead of formal FTC investigations.
FTC’s Efforts in Telemarketing and Do Not Call
The update highlighted that the FTC has been relentless in safeguarding consumer privacy through the Do Not Call provisions, established under the Telemarketing Sales Rule (“TSR”) in 2003. Here’s a summary of key actions and outcomes:
- Do Not Call Registry: The national Do Not Call (“DNC”) Registry boasts over 229 million active registrations, protecting consumers from unwanted telemarketing calls. It prohibits sellers and telemarketers from contacting individuals listed on the DNC Registry, making repeat calls after requests to cease, and using robocalls to sell products or services.
- FTC Enforcement: Since its inception, the FTC has pursued 134 cases under the Do Not Call provisions, resulting in significant penalties and restitution totaling over $1.5 billion. Recent actions include:
  - Dish Network: Facing penalties totaling $280 million, Dish Network was found liable for millions of illegal telemarketing calls violating the TSR and other laws. This case remains under appeal.
  - Operation Game of Loans: In this initiative, the FTC targeted deceptive student loan and mortgage relief scams, including actions against A1 DocPrep and Student Debt Relief Group. These defendants misled consumers, promising debt relief but instead profiting unlawfully.
  - Justin Ramsey: Ramsey and his company, Prime Marketing LLC, agreed to a settlement imposing a $2.2 million civil penalty for illegal robocalls and DNC violations. This settlement highlights the FTC’s stance against abusive telemarketing practices.
  - Aaron Michael Jones: The FTC secured default judgments against Jones and his companies for billions of illegal robocalls, permanently banning them from telemarketing activities and imposing penalties to deter future violations.
  - ABC Hispana Inc.: This company used deceptive tactics in telemarketing English-learning products, resulting in a judgment exceeding $6.3 million and a ban from future telemarketing practices.
  - KFJ Marketing Inc.: As part of a settlement, KFJ Marketing paid a $1.4 million civil penalty for placing illegal robocalls related to solar energy services, reinforcing compliance with DNC regulations.
  - Higher Goals Marketing LLC: Accused of operating a fraudulent debt-relief scheme, Higher Goals Marketing faced FTC action for making illegal robocalls and misleading consumers about debt reduction services.
  - Caribbean Cruise Line: Defendants in this case were banned from robocalling and ordered to pay a significant sum for engaging in unlawful telemarketing practices, including calls to numbers on the DNC Registry.
  - Advertising Strategies LLC: Operators of this alleged telemarketing scheme were fined $25 million for misleading consumers with fake investment opportunities and violating DNC regulations.
  - All US Marketing LLC: Defendants misrepresented credit card services through robocalls, resulting in FTC orders banning further telemarketing activities and imposing suspended monetary judgments.
FTC’s Efforts in Global Privacy Protection
The FTC outlined its commitment to protecting consumer privacy on a global scale through extensive international engagement. Here’s a summary of its initiatives and collaborations:
- Partnerships and Cooperation: The FTC collaborates closely with foreign privacy authorities, international organizations, and global privacy networks to strengthen mutual enforcement cooperation on privacy and data security investigations. This cooperation includes informal consultations, memoranda of understanding, and sharing complaints to address global privacy concerns effectively.
- U.S. SAFE WEB Act: Under this act, the FTC shares information with foreign law enforcement agencies and provides investigative assistance, leveraging its statutory evidence-gathering powers to combat cross-border privacy violations.
- Key Developments in 2017:
  - Ashley Madison Data Breach: The FTC, alongside Australian and Canadian counterparts, received the “Grand Award for Innovation” from the International Conference of Data Protection and Privacy Commissioners (ICDPPC) for their collaboration in investigating the Ashley Madison data breach. This breach affected consumers worldwide, and the agencies’ joint efforts led to settlements requiring comprehensive data-security measures and significant fines.
  - Global Privacy Enforcement Network (GPEN): The FTC played a pivotal role in organizing GPEN’s first enforcement workshop, aimed at enhancing investigative and enforcement capabilities among privacy authorities globally. GPEN expanded its membership to 66 authorities from 49 countries, fostering a robust platform for collaboration.
  - EU Data Protection Authorities (DPAs): Under the Privacy Shield framework, the FTC undertook initiatives to strengthen cooperation with EU DPAs. This included participating in annual reviews, appointing a dedicated liaison for Privacy Shield compliance inquiries, and finalizing procedures to facilitate DPA referrals.
FTC’s Efforts in Global Privacy Advocacy
In the realm of global privacy protection, the FTC reported that it has been proactive in advocating for robust policies to safeguard consumer data across borders. Here’s a recap of its efforts over the past year:
- EU-U.S. Privacy Shield: The FTC, in collaboration with the Department of Commerce and other U.S. agencies, actively participated in the First Annual Review of the EU-U.S. Privacy Shield Framework. This framework facilitates secure transatlantic data transfers while ensuring strong privacy standards.
- International Policy Deliberations:
  - ICDPPC Group of Experts: The FTC contributed to the development of key legislative principles that enhance enforcement cooperation, endorsed at the 39th ICDPPC conference in Hong Kong. These efforts aim to streamline global privacy regulations.
  - APEC and OECD Engagement: The FTC engaged in meetings and initiatives of the APEC Electronic Commerce Steering Group, Asia-Pacific Privacy Authorities Forum, International Working Group on Data Protection in Telecommunications, and OECD. These platforms promote harmonized privacy standards and interoperability.
- Bilateral Engagements: The FTC fostered direct dialogues on privacy and data security with counterparts from Canada, China, Japan, Korea, Singapore, and the UK. This included hosting delegations and engaging in bilateral discussions to strengthen international privacy frameworks.
- Technical Cooperation Missions: In 2017, the FTC conducted technical cooperation missions in Colombia and the Philippines, focusing on privacy and cross-border data transfer issues. These efforts aim to enhance global cooperation and knowledge exchange on privacy practices.
- International Fellows Program: As part of its commitment to international cooperation, the FTC hosted an official from the European Data Protection Supervisor’s office under its International Fellows Program. This initiative promotes collaboration and knowledge sharing on privacy enforcement practices.
In summary, the update highlights the FTC’s active engagement and its commitment to protecting consumer privacy and enhancing global data security standards.
For more information, see here: https://www.ftc.gov/news-events/press-releases/2018/01/ftc-releases-annual-privacy-data-security-update
These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.