Each year the Federal Trade Commission (the “FTC” or “Commission”) publishes a report on its activities with respect to consumer privacy and data security during the prior year. On February 25, 2020, the Commission released its 2019 Privacy and Data Security Update. The update contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions as well as its activities with respect to its privacy and security-related workshops, consumer education and business guidance, and international engagement. The update is a useful way to see what the FTC focused on in the prior year and where to expect continued interest. Some highlights from the update are provided below.
In the enforcement space, the FTC update spotlights its two most high-profile settlements to date: Facebook and Equifax. First, in July 2019 the FTC and the Department of Justice’s announced a joint settlement with Facebook based on allegations that the company’s misrepresentations and consumer privacy failures violated its 2012 order. The 2019 settlement order imposed a record-setting $5 billion penalty and included a number of provisions designed to change Facebook’s overall approach to privacy. The settlement is currently pending approval by the United States District Court for the District of Columbia. Also, in July 2019, the FTC announced a settlement with Equifax for alleged data security violations, including Gramm-Leach-Bliley Act violations, that affected 147 million people. The settlement included a payment of up to $700 million to help consumers affected by the breach and was part of a global resolution with a consumer class action, the Consumer Financial Protection Bureau, and 50 states and territories.
Data Security Orders
The FTC’s enforcement actions over the past year with respect to data security incidents also highlight the Commission’s efforts to strengthen its data security orders, including through increased specificity, increased accountability of third- party assessors, and improved corporate governance on data security issues. Each category of improvement is reflected in seven data security orders issued by the FTC over the past year against companies in a range of industries: ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and InfoTrax (service provider for multilevel marketers).
The FTC’s update also makes clear the FTC’s continued focus on the Children’s Online Privacy Protection Act (“COPPA”) in 2019 and beyond. In September 2019, the FTC and New York Attorney General settled with Google, and its subsidiary YouTube over allegations it collected personal information, including in the form of persistent identifiers, from viewers of child-directed channels without first notifying parents and getting their consent. The $170 million judgment is the largest civil penalty under COPPA. In 2019 he FTC also settled charges against Musical.ly, now known as TikTok, for $5.7 million for illegally collecting personal information from children on a child-directed app. The FTC also announced it was seeking comments on the effectiveness of the 2013 amendments to the COPPA Rule and hosted a workshop in October 2019 to discuss whether additional changes are needed.
The FTC update describes other areas of focus, including credit reporting and financial privacy, Do Not Call and telemarketing, and international enforcement. You can read the entire update here.