Key Lessons from Federal Trade Commission’s 2017 Report on Privacy and Data Security

March 1, 2018 | Dan Doliner, Imran Ahmad, Marco Maduri

On January 18, 2018, the U.S. Federal Trade Commission (the “FTC”) released its annual report on Privacy & Data Security for 2017 (the “Report”). The Report reviews the FTC’s privacy and data security related activities in 2017, including in the areas of enforcement, policy and business guidance.

The enforcement section of the Report provides helpful insights into the types of privacy issues that are priorities for the FTC, both within the U.S. and globally. Below is a summary of some notable enforcement actions taken by the FTC in the areas of privacy, data security and international enforcement.

Privacy

Uber Technologies, Inc.

Following reports alleging that Uber employees were improperly accessing consumer data, Uber issued a statement claiming that it had a “strict policy prohibiting” employees from accessing rider and driver data – except for a limited set of legitimate business purposes – and that employee access would be closely monitored on an ongoing basis. However, according to the FTC, despite Uber’s representations, it did not always closely monitor and audit employees’ access to rider and driver accounts.

As a result, the FTC filed a complaint against Uber. Ultimately, in August 2017, the FTC and Uber entered into a settlement (see Decision and Order) whereby Uber would implement a comprehensive privacy program, obtain regular and independent audits, and file compliance notices with the FTC.

VIZIO, Inc.

VIZIO is one of the world’s largest “smart” television manufacturers. In February 2017, VIZIO agreed to pay USD2.5 million to settle charges by the FTC and the New Jersey Attorney General regarding VIZIO’s inappropriate collection and use of user information.

According to the FTC’s complaint, VIZIO installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent. The complaint further alleged that VIZIO’s smart TVs captured second-by-second information about video displayed on the smart TV. According to the complaint, VIZIO appended demographic information to the viewing data, such as sex, age, income, and marital status, and then allegedly sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices. The complaint alleges that VIZIO’s data tracking practice, occurring without viewers’ informed consent, was in violation of consumer protection laws.

Data Security

D-Link Systems, Inc.

The FTC filed a complaint against computer networking equipment manufacturer D-Link. It alleged that D-Link failed to take reasonable steps to protect their routers and cameras from widely known and reasonably foreseeable risks of unauthorized access, including flaws which have been known to be among the most critical and widespread web application vulnerabilities. The FTC further argued that D-Link failed to conduct reasonable software testing on its products and failed to take reasonable steps to maintain the confidentiality of the private key that D-Link used to sign its software. According to the FTC, as a result of D-Link’s failures, thousands of consumers were put at risk of having their sensitive personal information exposed to unauthorized access.

Litigation in this matter is ongoing.

International Enforcement

The FTC also enforces certain international privacy frameworks, including the EU-U.S. Privacy Shield Framework (the “Privacy Shield”) and the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (the “CBPR System”). The Privacy Shield was jointly developed by the U.S. Department of Commerce and the European Commission to provide companies in the European Union (“EU”) and in the U.S. with compliance requirements to protect personal data being transferred from the EU to the U.S. The CBRP System  is a voluntary, enforceable code of conduct that requires participating businesses to implement certain data privacy and security policies with respect to personal information transferred between the U.S. and APEC members.

The FTC is mandated with enforcing companies’ privacy promises in regards to the Privacy Shield and the CBPR System. In 2017 three U.S. companies settled charges with FTC according to which they falsely claimed that they were certified to participate in the Privacy Shield. In addition, the FTC also approved final orders with three companies resolving allegations that they deceived consumers by misrepresenting their participation in the CBPR System.

Takeaways

The FTC’s enforcement actions are part of a broader international trend where regulatory agencies are taking strong actions to ensure that organizations are complying with privacy and data security requirements. The Report underscores that when organizations do not allocate sufficient resources to privacy and data protection (or are deliberately deceitful) they are exposing themselves to severe consequences, including enforcement measures by the FTC (with respect to U.S. customers) and other regulators.

While the Report raises many privacy, data protection and cybersecurity issues, the following three takeaway are notable:

  • Organizations must have up-to-date and transparent privacy policies, which should be diligently complied with.
  • When it comes to privacy, transparency is key because without transparency there is a risk that individuals will not be able to provide informed consent to the use of their personal information.
  • Organizations should constantly ensure the quality of their privacy and data protection protocols, including the engagement of third party auditors.

As recently discussed on our blog, with the EU’s General Data Protection Regulation coming into force on May 25, 2018, organizations may be required to address additional and more stringent privacy and data protection requirements.

Disclaimer

The blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of the blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.