How has the FTC targeted improvements to data privacy and security?

As businesses continue to collect and share the personal data of unknowing consumers, the FTC has pushed for improved privacy and security standards.

In response to businesses' rampant data collection and sharing, the Federal Trade Commission has stepped up its consumer information protection role. In 2014, the FTC's Bureau of Consumer Protection Division of Privacy and Identity Protection targeted the activities of data brokers, mobile app developers and other businesses that collect and share sensitive information.

The FTC has also pursued more enforcement actions in an effort to persuade companies to take data privacy and security more seriously. At the same time, the commission is calling on Congress to strengthen the FTC's compliance authority and to pass tougher regulations for collecting and retaining personal information.

This FAQ is part of SearchCompliance's IT Compliance FAQ series.

Why has the FTC targeted big data, data brokers and data analytics?

An FTC study on the practices of nine data brokers concluded that the typical U.S. consumer knows little, if anything, about the data brokers that collect and sell their personal information. The study led the FTC to press for greater transparency in the data broker business and to give consumers more control over their personal information.

FTC Chairwoman Edith Ramirez is an outspoken advocate for enhanced restrictions on third parties' collection and retention of personal data. In marked opposition to some in the industry, Ramirez has called for limiting collection and retention of data used to reach business objectives. "Before data is collected or used in a way that is surprising -- that is, inconsistent with the context of the consumer's interaction or relationship with a business -- consumers should be given a say, in a simple, straightforward manner outside of a privacy policy," Ramirez said in a May 8 speech. The "question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice when it comes to big data."

What authority does the FTC have to enforce data privacy and security? What penalties are imposed on businesses charged with data privacy and security violations?

Section 5 of the Federal Trade Commission Act prohibits companies from using deceptive statements or unfair practices regarding the use of consumer data. This is the same regulation the FTC cites when it combats deceptive advertising and fraud. In its efforts to protect consumer data, the commission also references such laws as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children's Online Privacy Protection Act.

Companies settling FTC data protection cases have agreed to a variety of data privacy and security requirements. Mobile application developer Snapchat, for example, agreed to implement a comprehensive privacy program and submit to outside audits to settle a case with the FTC. Medical billing and management firm Accretive agreed to implement an information security program to protect health data and is subject to a certified third-party audit every two years.

When the FTC brings charges under the Fair Credit Reporting Act or the Children's Online Privacy Protection Act, it can seek monetary penalties as well. This was the case in April, when data brokers Instant Checkmate Inc. and InfoTrack Information Services settled charges that they failed to comply with data protection rules when they sold consumer data.

Both brokers operate as consumer reporting agencies. The FTC charged them with violating the Fair Credit Reporting Act by not taking reasonable steps to ensure the data they sold was accurate and by not making sure that the buying entities were entitled to the data. InfoTrack was fined $1 million, and Instant Checkmate was fined $525,000. InfoTrack was unable to pay, however, and its owner had all but $60,000 of the penalty suspended. InfoTrack provides employers with job applicants' personal background information, and in numerous instances sold inaccurate data that suggested applicants were potential registered sex offenders, according to the FTC.

What greater enforcement power is the FTC seeking?

The FTC has asked Congress for expanded power to impose financial penalties when companies do not implement reasonable data privacy and security precautions. Currently, the commission can seek such data security violation penalties only in cases involving credit report information under the Fair Credit Reporting Act and cases involving children's online data under the Children's Online Privacy Protection Act. In April, Ramirez told the Senate Committee on Homeland Security and Governmental Affairs that the expanded authority would not only help deter violations but would also give the FTC jurisdiction over non-profit organizations.

What data protection legislation is the FTC urging Congress to pass?

In a report issued in May 2014, the FTC recommended legislation that would provide consumers greater transparency with regard to the data broker industry.

Data brokers that sell marketing products should be required to give consumers access to their data and to let them opt out of data collection, the FTC told lawmakers. The FTC also suggested that these data brokers be required to disclose their sources and to inform consumers that they draw inferences from the data they collect. Other stipulations of the FTC's proposed legislation include the following:

  • A central portal must be developed where brokers identify themselves, describe their practices, and provide links to access tools and an opt-out capability.
  • Retailers and other businesses must notify consumers when they share data with brokers.
  • Retailers that want to collect and share sensitive data, such as health information, must get the consumer's express consent.

In addition, the FTC recommended that Congress establish requirements for data brokers that sell risk mitigation products that limit a consumer's ability to complete a transaction. Under the FTC recommendation, retailers that buy information from these data brokers should be required to disclose which data was used, and consumers should have access to the data and be able to correct it. Data brokers that sell "people search" products should also be required to give consumers access to their data, disclose the data sources and provide an opt-out mechanism, according to the FTC.

In addition to seeking new restrictions on data brokers, the FTC urged Congress to pass a national data breach notification law.

What is the FTC doing to protect data on smartphones and other mobile technologies?

In 2014, the FTC brought legal action against a number of mobile app developers and charged them with deceptive data privacy practices. In a complaint against Goldenshore Technologies, the FTC stated that the app maker failed to let users know that its "Brightest Flashlight" app sent device location and other data to third parties, such as advertisers. To settle the case, Goldenshore agreed to obtain users' express consent before collecting their data and to fully inform them when, how and why their location information is collected, used and shared.

Fandango and Credit Karma also settled FTC charges regarding mobile app security. In both cases, the commission accused the companies of failing to provide reasonable security for users' sensitive data. The settlements require the companies to implement information security programs and to conduct independent audits for the next 20 years.

In a much-publicized case, mobile messaging app developer Snapchat agreed in May to settle a case brought by the FTC. The FTC charged, among other things, that Snapchat did not verify users' phone numbers when they registered for the app and that some users registered using other people's phone numbers. Security flaws also enabled hackers to compile a database of more than 4 million user names and phone numbers. Under the settlement agreement, Snapchat must implement a privacy program to be monitored for the next 20 years by an independent privacy professional. The Snapchat case is part of an effort by a multinational coalition of privacy enforcement agencies, including the FTC, to promote mobile app privacy.

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

This was first published in June 2014

Related Discussions

Caron Carlson, Contributor asks:

Has your organization adapted consumer data privacy and security practices in response to federal regulations? If so, how?
