On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement.
A substantial portion of the Update was devoted to cases pursued in 2018. A few noteworthy themes emerge from this coverage:
- Misrepresentations regarding data security and privacy. The FTC entered into a settlement with PayPal, Inc. following allegations that Venmo misrepresented the steps necessary to keep financial transactions private and claimed that it provided “bank-grade security systems” to customers but allowed unauthorized users to withdraw funds from consumer accounts without notifying consumers. The FTC also settled charges against VTech Electronics Limited alleging that the company falsely stated it would encrypt personal data submitted by users when no such encryption was used and failed to use reasonable and appropriate data security measures to protect personal information.
- Liability for third-party vendor conduct. In 2018, the FTC entered into a settlement with BLU Products, Inc. (“BLU”), a mobile phone manufacturer, following allegations that BLU allowed a third-party service provider to collect detailed personal information about consumers that was not necessary to the services it provided and that BLU had failed to implement appropriate security procedures to oversee the security practices of its service providers.
- GLB Act Privacy Rule. In 2018, the FTC brought charges against two companies for violations of the Privacy Rule. The FTC charged Lending Club for failing to provide its customers with “a clear and conspicuous initial privacy notice before collecting customers’ financial data,” and settled charges against Venmo for failure to deliver annual privacy notices to consumers as required by the Privacy Rule.
- Repeat players. In 2018, the FTC announced a nonpublic investigation into Facebook’s privacy practices, “following press reports that the company may have shared consumer information with Cambridge Analytica, in violation of Facebook’s consent decree with the FTC.” Similarly, upon learning that Uber failed to disclose a significant breach of consumer data that occurred during the FTC’s investigation that led to a 2017 settlement, the FTC and Uber entered into an expanded settlement that subjects Uber to additional requirements.
- Reporting obligations and third-party oversight. FTC privacy and security settlements in 2018 included extensive ongoing obligations, including outside monitoring and reporting. For example, Venmo is required “to make affirmative disclosures about its privacy practices;” BLU “will be subject to third-party assessments of its security program every two years for 20 years;” and Uber will be subject to “civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.”
In 2018, the FTC also took on an advocacy role, repeatedly expressing its support for federal privacy legislation. The Update notes that the FTC staff submitted a comment in response to the National Telecommunications and Information Administration (“NTIA”) September 2018 request for comments on a federal approach to consumer privacy. The FTC’s comment, as summarized in the Update, called for an approach that protects consumer privacy and innovation and focused on the importance of “making accurate disclosures about privacy.” The comment also “called for a balanced approach to choice, where the level of control would depend on consumer preferences, context and risk.” Additionally, the Commission provided testimony to the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security and the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection in which, according to the Update, it “renewed its longstanding bipartisan call for comprehensive data security legislation and urged Congress to consider enacting privacy legislation that would be enforced by the FTC.”
On the whole, the 2018 Update highlights that the FTC’s prominent role in privacy and data security advocacy and enforcement continued unabated in 2018—and shows no signs of slowing down. Those under FTC jurisdiction should continue to follow the FTC’s privacy and security enforcement actions carefully, and particularly those addressing failures to make transparent and accurate statements to consumers.