The FTC Released the Privacy & Data Security Update for 2020

The Federal Trade Commission (“FTC”) released its 2020 Privacy and Data Security Update, highlighting key initiatives aimed at ensuring responsible handling of personal information both online and offline.

The update highlights the FTC’s commitment to protecting consumer privacy through proactive enforcement, regulatory actions, and fostering dialogue among stakeholders.


Privacy Enforcement Actions

In 2020, the FTC said it continued its efforts to safeguard consumer privacy across industries, both online and offline. Key highlights from its enforcement activity:

  • Facebook Settlement: The FTC settled with Facebook over allegations that the company misled users about how much control they had over their personal information and used phone numbers that users had provided for security purposes (such as two-factor authentication) for targeted advertising. The settlement included a record $5 billion civil penalty and required significant changes to Facebook’s privacy program and governance.

  • Zoom Case: As its user base surged during the COVID-19 pandemic, Zoom faced FTC allegations that it made misleading claims about encryption (advertising end-to-end encryption it did not provide) and about how quickly recorded meetings stored in its cloud were encrypted. The FTC also alleged that Zoom had installed software on users’ computers without adequate notice or consent. Because the matter settled, these are allegations rather than adjudicated findings. The settlement requires Zoom to implement a comprehensive information security program and undergo regular independent assessments.

The FTC said these cases underscore its commitment to holding companies accountable for deceptive practices and to ensuring robust privacy protections for consumers. Its actions aim not only to safeguard American consumers but also to set standards that protect users globally from unfair business practices.


FTC’s Efforts in Data Security and Identity Theft

In 2020, the FTC brought several cases that highlighted weaknesses in businesses’ data security practices. Key cases:

  • Tapplock: Tapplock settled allegations that it falsely claimed its smart locks were “unbreakable” and failed to secure user data adequately. According to the FTC, vulnerabilities allowed unauthorized access to sensitive user information and to the locks themselves. The settlement bars Tapplock from making deceptive security claims and requires it to implement a comprehensive security program and undergo biennial third-party assessments.

  • SkyMed International: SkyMed left a cloud database containing roughly 130,000 membership records publicly accessible without authentication. The FTC also alleged that the company falsely claimed HIPAA compliance and misled consumers about the security of their data, including after the exposure came to light. The settlement requires SkyMed to implement proper data security measures, conduct biennial assessments, and provide affected consumers with detailed breach notices.

  • Ascension Data & Analytics: A vendor of Ascension exposed personal information from the mortgage documents of over 60,000 consumers through misconfigured cloud storage. The FTC alleged violations of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to oversee the data security of their third-party service providers. As part of the settlement, Ascension must implement a comprehensive data security program, including audits and executive certifications.

The FTC said these cases underscore its commitment to holding companies accountable for safeguarding consumer data and for being truthful about their privacy and security practices. For businesses, compliance with these requirements is essential to mitigate risk and maintain consumer trust.


FTC’s Efforts in Credit Reporting & Financial Privacy

The FTC said it plays a central role in enforcing the laws that safeguard consumer financial information. A summary of the key statutes and recent cases:

  • Fair Credit Reporting Act (FCRA): The FCRA ensures that companies using consumer data for credit decisions, insurance eligibility, employment screening, and tenant screening follow strict guidelines. Over the years, the FTC has pursued over 100 cases, collecting more than $65 million in penalties. These actions ensure consumer reporting agencies maintain accurate information, crucial for obtaining credit, insurance, housing, and employment opportunities.

  • Gramm-Leach-Bliley (GLB) Act: Financial institutions must provide initial and annual privacy notices to customers, offering them the option to restrict sharing of their information with third parties. Moreover, GLB mandates these institutions implement robust security measures to protect sensitive consumer data. Since 2005, the FTC has tackled approximately 35 cases under GLB, enhancing data security for millions of consumers.

  • Fair Debt Collection Practices Act (FDCPA): Focused on third-party debt collectors, the FDCPA prohibits abusive, deceptive, and unfair practices in debt collection. It imposes obligations on collectors and ensures consumers are treated fairly. Recent cases under these statutes include:

  • Mount Diablo Lending: The FTC settled with Mount Diablo Lending for $120,000 over allegations of improperly disclosing consumers’ personal data in response to negative Yelp reviews. The settlement mandates improved data security practices and compliance with privacy laws.

  • Kohl’s Department Stores: Kohl’s paid a $220,000 penalty for denying identity theft victims access to transaction records, as required under FCRA Section 609(e). The settlement ensures timely access to records for affected consumers and enhances compliance with identity theft protections.

  • MyLife.com: The FTC sued MyLife.com, alleging that it sold deceptive background reports and engaged in misleading billing practices, in violation of the FCRA and other consumer protection laws. The case highlights the FTC’s efforts to combat false information in consumer reports.

  • AppFolio, Inc.: The FTC settled with AppFolio for $4.25 million for inaccuracies in tenant screening reports, violating FCRA’s accuracy requirements. The settlement requires AppFolio to maintain accurate reporting and implement stringent data accuracy measures.

  • Operation Corrupt Collector: A sweeping enforcement initiative targeting deceptive debt collection practices, resulting in multiple actions against companies like National Landmark Logistics and Absolute Financial Services. These cases address illegal debt collection schemes and protect consumers from unfair practices.

  • Midwest Recovery Systems: The FTC tackled “debt parking,” where questionable debts were placed on consumer credit reports, impacting financial transactions like home purchases and job applications. The settlement requires Midwest Recovery Systems to delete inaccurate debts and comply with FCRA and FDCPA regulations.

The FTC said these cases underscore its commitment to enforcing the laws that protect consumer financial privacy and ensure fair treatment in debt collection.


FTC’s Efforts in Children’s Privacy

Children’s privacy online is governed by the Children’s Online Privacy Protection Act (“COPPA”). A summary of recent FTC actions to uphold these protections:

  • COPPA Enforcement Overview: Since its enactment in 1998, COPPA has required websites and online services directed to children to obtain verifiable parental consent before collecting personal information from children under 13. The FTC has actively enforced COPPA, bringing 34 cases and collecting over $190 million in civil penalties to date.

  • Recent FTC Actions: In the past year, the FTC addressed the following cases to safeguard children’s privacy:

  • HyperBeard: The FTC obtained a $4 million civil penalty against HyperBeard, a children’s app developer, for COPPA violations; the penalty was suspended upon payment of $150,000 because of the company’s inability to pay. HyperBeard allowed third-party ad networks to collect children’s personal information through its apps without parental consent. Under the settlement, HyperBeard must also delete the personal information it illegally collected from children under 13.

  • Miniclip: Miniclip, S.A., a Swiss gaming company, falsely claimed membership in the Children’s Advertising Review Unit’s COPPA safe harbor program from 2015 to mid-2019, despite termination of its membership in 2015. The FTC settled allegations that Miniclip violated Section 5 by misrepresenting its status in this program. Under the settlement, Miniclip is prohibited from misrepresenting participation in any privacy or security program sponsored by a government or self-regulatory organization. The company must adhere to strict compliance and recordkeeping requirements.

The FTC said it is committed to holding companies accountable for safeguarding children’s privacy online. As regulations evolve, businesses must comply with COPPA to protect young users’ personal information effectively.


FTC’s Efforts in Telemarketing and Do Not Call

In 2003, the FTC established the national Do Not Call (“DNC”) Registry under the Telemarketing Sales Rule (“TSR”) to safeguard consumers from intrusive telemarketing practices. Today, the DNC Registry holds over 241 million registrations, enabling individuals to opt out of unsolicited sales calls. A summary of key provisions and recent FTC actions:

  • Overview of Do Not Call Rules: The DNC provisions prohibit sellers and telemarketers from engaging in practices that infringe on consumers’ privacy. These include calling numbers listed on the DNC Registry, contacting consumers after they have asked not to be called, placing prerecorded sales calls (robocalls) without the consumer’s express written consent, and spoofing caller ID.

  • FTC Enforcement Efforts: Since 2003, the FTC has pursued 151 cases enforcing Do Not Call provisions, targeting companies and individuals responsible for abusive telemarketing practices. These actions have resulted in over $1.8 billion in civil penalties, redress, and disgorgement, with actual collections surpassing $290 million.

  • Recent FTC Actions:

  • Dish Network: Following a lengthy legal battle, Dish Network agreed to pay $210 million to resolve claims that it made millions of illegal calls to numbers on the DNC Registry, used robocalls, and ignored consumers’ requests not to be contacted. The amount included a record $126 million federal civil penalty.

  • Educare and Globex Telecom: In a significant move, the FTC took action against Globex Telecom for its role in transmitting illegal robocalls for a fraudulent credit card rate reduction scheme. This marked the FTC’s first enforcement against a Voice over Internet Protocol (VoIP) provider.

  • Alcazar Networks: The FTC charged Alcazar Networks for facilitating millions of illegal telemarketing calls, even after being alerted to customers using the service for scam calls. The settlement imposes strict bans and compliance measures.

  • Operation Income Illusion: Amid pandemic-related scams, the FTC secured a restraining order against Randon Morris and his companies, accused of deceptive robocall schemes promising lucrative work-from-home opportunities falsely linked to Amazon.com.

  • Outreach Calling: The FTC and multiple state attorneys general targeted a fundraising operation that deceived consumers about charity donations. Defendants were banned from charity fundraising and faced substantial monetary judgments.

  • Grand Bahama Cruise Line: The defendants in this case were accused of making millions of illegal robocalls that misled consumers with promises of free cruises. Litigation is ongoing.

  • 8 Figure Dream Lifestyle: The FTC dismantled a fraudulent money-making scheme using illegal robocalls to lure victims with false promises of substantial earnings, resulting in bans and monetary penalties.

  • First Choice Horizon: The FTC halted a deceptive credit card interest rate reduction scheme that targeted seniors with illegal robocalls, resulting in a significant judgment against the defendants.

  • FTC v. Jasjit Gotra: Lead defendant Jasjit “Jay” Gotra and Alliance Security were penalized for violating DNC rules through unauthorized telemarketing, with substantial civil penalties and bans on outbound calling.

These actions demonstrate the FTC’s dedication to upholding DNC regulations and shielding consumers from deceptive telemarketing tactics.


FTC’s Efforts in Global Privacy

The FTC also enforces companies’ commitments under cross-border data transfer frameworks. A summary of recent developments and actions:

  • Privacy Shield Frameworks: The FTC has long enforced companies’ commitments under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which were designed to permit personal data transfers from the EU and Switzerland to participating U.S. companies. In July 2020, the Court of Justice of the European Union (in the Schrems II decision) invalidated the EU-U.S. Privacy Shield as a transfer mechanism, citing concerns about the protection of EU personal data. The FTC nonetheless emphasized that U.S. companies that made Privacy Shield commitments must continue to honor them, including by maintaining accurate privacy policies and adhering to the frameworks’ privacy principles.

  • FTC Enforcement Actions: Over the years, the FTC has initiated 66 enforcement actions to ensure companies uphold their commitments under international privacy programs. In 2020 alone:

  • Settlements: The FTC finalized settlements with multiple companies accused of misrepresenting their compliance with the Privacy Shield Framework. These included Click Labs, Inc., DCR Workforce, Inc., and others. Such settlements require companies to maintain accurate disclosures about their privacy practices and uphold Privacy Shield requirements.

  • Litigation: In its first Privacy Shield litigation, the FTC sued RagingWire Data Centers, Inc. (now NTT Global Data Centers Americas, Inc.), alleging misleading claims about Privacy Shield participation. The subsequent settlement mandates ongoing compliance with Privacy Shield principles or equivalent protections for data collected under the framework.

  • Ortho-Clinical Diagnostics: The FTC charged Ortho-Clinical Diagnostics for falsely claiming participation in the Privacy Shield after allowing its certification to lapse. The company also allegedly failed to verify the accuracy of its Privacy Shield statements annually, violating program requirements.

  • T&M Protection Resources: Similarly, T&M Protection Resources faced charges for misrepresenting its Privacy Shield participation status post-lapse. The FTC alleged the company failed to annually verify the accuracy of its Privacy Shield claims and affirm continued application of Privacy Shield protections.

The FTC said these cases underscore its commitment to maintaining international data privacy standards despite the changing legal landscape. Businesses handling international data transfers should stay informed about evolving requirements and ensure that their public claims about framework participation remain accurate.


FTC’s Efforts in Global Privacy Engagement

The FTC explained that safeguarding privacy and data security extends beyond national borders. How it engages internationally:

  • Enforcement Collaboration: The FTC collaborates with foreign counterparts through informal consultations, memoranda of understanding, and complaint sharing. The U.S. SAFE WEB Act enables the FTC to share information with and provide investigative assistance to foreign law enforcement agencies. Congress reauthorized the act in 2020 for another seven years.

  • COVID-19 Response and Global Initiatives: Amid the COVID-19 pandemic, the FTC played a pivotal role. It led discussions within the Global Privacy Enforcement Network (GPEN), organizing teleconferences and a virtual roundtable to address enforcement challenges during the crisis. GPEN, comprising 69 privacy authorities from 50 countries, facilitated global coordination on privacy issues.

  • Advocacy and Policy Development: The FTC advocates for robust privacy policies globally, aiming for interoperable privacy frameworks and enhanced accountability for businesses handling cross-border data transfers. It actively contributes to global policy forums like the Global Privacy Assembly, APEC, and OECD, addressing diverse issues from pandemic responses to children’s privacy.

  • Direct Engagement: In 2020, the FTC engaged directly with international counterparts. It hosted delegations and held bilateral discussions with officials from countries such as Chile, South Korea, Turkey, and members of the European Parliament. Technical exchanges on privacy and cross-border data issues were conducted with Bangladesh, Bermuda, India, and Singapore.

The FTC said these international engagements help protect consumer data across borders.


FTC’s Efforts in Rules and Regulations

Since 2000, Congress has charged the FTC with issuing rules that govern various aspects of consumer privacy and security. A concise overview of the key FTC rules and recent developments:

  • Health Breach Notification Rule: This rule mandates that vendors of personal health records and related entities notify individuals, the FTC, and sometimes the media about breaches involving unsecured individually identifiable health information. The FTC recently conducted a review of this rule and is evaluating feedback received during the public comment period.

  • Red Flags Rule and Card Issuers Rule (Identity Theft Rules): Under the FCRA, financial institutions and certain creditors are required to implement programs to detect and respond to activities that could indicate identity theft. The FTC has been reviewing these rules to assess their economic impact and effectiveness, considering public comments received.

  • COPPA Rule (Children’s Online Privacy Protection Act): Websites and apps must obtain parental consent before collecting personal information from children under 13. The FTC has been evaluating the effectiveness of amendments made in 2013 to ensure they keep pace with evolving technologies and business models, based on extensive public feedback.

  • GLB Safeguards Rule and Privacy Rule: Financial institutions under FTC jurisdiction must maintain comprehensive information security programs and disclose privacy policies to customers. Proposed amendments to these rules were under FTC review in response to public comments, with ongoing evaluation of next steps.

  • Telemarketing Sales Rule: This rule requires telemarketers to disclose important information, prohibits misrepresentations, limits calling hours, and imposes restrictions on payment for certain goods and services. It also includes Do Not Call provisions to protect consumers from unwanted calls and strict regulations on robocalls.

  • CAN-SPAM Rule: Designed to combat deceptive commercial email, this rule requires companies to provide opt-out mechanisms for recipients. Following a review, the FTC confirmed the rule without changes based on public input.

  • Disposal Rule: Under the Fair and Accurate Credit Transactions Act, companies must dispose of credit reports and information securely.

  • FCRA Rules: The FTC sought public input on changes to five FCRA rules in 2020, focusing on effectiveness and alignment with Dodd-Frank Act requirements. These rules cover various aspects, including consumer report usage, prescreened solicitations, and risk-based pricing disclosures.

The FTC stressed that these rules are crucial for safeguarding consumer rights and for ensuring that businesses handle personal information fairly in an evolving digital landscape. By setting clear standards and seeking public input, the FTC aims to ensure that businesses uphold privacy protections and maintain secure practices when handling consumer information.

For businesses, staying informed about these enforcement actions and rules is crucial. They highlight the importance of accurate privacy and security claims, sound data security, children’s privacy, lawful marketing and telemarketing, and stringent security measures to protect sensitive user information.


For more information, see here:  https://www.ftc.gov/reports/privacy-data-security-update-2020


These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only.  No Claim to Original U.S. Government Works.  This may not be the most recent version.  The U.S. Government may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.