In a response to businesses' rampant data collection and sharing, the Federal Trade Commission has stepped up its consumer information protection role. In 2014, the FTC's Bureau of Consumer Protection Division of Privacy and Identity Protection has targeted the activities of data brokers, mobile app developers and other businesses that collect and share sensitive information.
The FTC has also pursued more enforcement actions in an effort to persuade companies to take data privacy and security more seriously. At the same time, the commission is calling on Congress to strengthen the FTC's compliance authority and to pass tougher regulations for collecting and retaining personal information.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
Why has the FTC targeted big data, data brokers and data analytics?
An FTC study on the practices of nine data brokers concluded that the typical U.S. consumer knows little, if anything, about the data brokers that collect and sell their personal information. The study led the FTC to press for greater transparency in the data broker business and to give consumers more control over their personal information.
What authority does the FTC have to enforce data privacy and security? What penalties are imposed on businesses charged with data privacy and security violations?
Section 5 of the Federal Trade Commission Act prohibits companies from using deceptive statements or unfair practices regarding the use of consumer data. This is the same regulation the FTC cites when it combats deceptive advertising and fraud. In its efforts to protect consumer data, the commission also references such laws as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children's Online Privacy Protection Act.
Companies settling FTC data protection cases have agreed to a variety of data privacy and security requirements. Mobile application developer Snapchat, for example, agreed to implement a comprehensive privacy program and submit to outside audits to settle a case with the FTC. Medical billing and management firm Accretive agreed to implement an information security program to protect health data and is subject to a certified third-party audit every two years.
When the FTC brings charges under the Fair Credit Reporting Act or the Children's Online Privacy Protection Act, it can seek monetary penalties as well. This was the case in April, when data brokers Instant Checkmate Inc. and InfoTrack Information Services settled charges that they failed to comply with data protection rules when they sold consumer data.
Both brokers operate as consumer reporting agencies. The FTC charged them with violating the Fair Credit Reporting Act by not taking reasonable steps to ensure the data they sold was accurate and for not making sure that the buying entities were entitled to the data. InfoTrack was fined $1 million, and Instant CheckMate was fined $525,000. InfoTrack was unable to pay, however, and its owner had all but $60,000 of the penalty suspended. InfoTrack provides employers with job applicants' personal background information, and in numerous instances sold inaccurate data that suggested applicants were potential registered sex offenders, according to the FTC.
What greater enforcement power is the FTC seeking?
The FTC has asked Congress for expanded power to incur financial penalties when companies do not implement reasonable data privacy and security precautions. Currently, the commission can seek such data security violation penalties only in cases involving credit report information under the Fair Credit Reporting Act and cases involving children's online data under the Children's Online Privacy Protection Act. In April, Ramirez told the Senate Committee on Homeland Security and Governmental Affairs that the expanded authority would not only help deter violations but would also give the FTC jurisdiction over non-profit organizations.
What data protection legislation is the FTC urging Congress to pass?
In a report issued in May 2014, the FTC recommended legislation that would provide consumers greater transparency with regard to the data broker industry.
It should be mandated that data brokers that sell marketing products must provide consumers access to their data and allow them to opt out of data collection, the FTC told lawmakers. The FTC also suggested that these data brokers be forced to disclose their sources and inform consumers that they make inferences from the data they collect. Other stipulations of the FTC's proposed legislation include the following:
- A central portal must be developed where brokers identify themselves, describe their practices, and provide links to access tools and an opt-out capability.
- Retailers and other business must notify consumers when they share data with brokers.
- Retailers that want to collect and share sensitive data, such as health information, must get the consumer's express consent.
In addition, the FTC recommended that Congress should establish requirements for data brokers that sell risk mitigation products that limit a consumer's ability to complete a transaction. Under the FTC recommendation, retailers that buy information from these data brokers should be required to disclose which data was used, and consumers should have access to the data and be able to correct it. Data brokers that sell "people search" products should also be required to give consumers access to their data, disclose the data sources and provide an opt-out venue, according to the FTC.
In addition to seeking new restrictions on data brokers, the FTC urged Congress to pass a national data breach notification law.
What is the FTC doing to protect data on smartphones and other mobile technologies?
In 2014, the FTC brought legal action against a number of mobile app developers and charged them with deceptive data privacy practices. In a complaint against Goldenshore Technologies, the FTC stated that the app maker failed to let users know that its "Brightest Flashlight" app sent device location and other data to third parties, such as advertisers. To settle the case, Goldenshore agreed to obtain users' express consent before collecting their data and to fully inform them when, how and why their location information is collected, used and shared.
More SearchCompliance FAQs
'Heartbleed' OpenSSL flaw exposes Web security vulnerability
SEC rule development and enforcement activities continue to evolve
Consumer security spotlighted after Target data breach
Investment Company Act rule reduces liability for misled CCOs
Fandango and Credit Karma also settled FTC charges regarding mobile app security. In both cases, the commission accused the companies of failing to provide reasonable security for users' sensitive data. The settlements require the companies to implement information security programs and to conduct independent audits for the next 20 years.
In a much-publicized case, mobile messaging app developer Snapchat agreed to settle a case brought by the FTC in May. The FTC charged, among other things, that Snapchat did not verify users' phone numbers when they registered for the app and some users registered using other people's phone numbers. Security flaws also enabled hackers to put together a database of more than 4 million user names and phone numbers. Under the settlement agreement, Snapchat must implement a privacy program to be monitored for the next 20 years by an independent privacy professional. The Snapchat case is part of an effort by a multinational coalition of privacy enforcement agencies, including the FTC, to promote mobile app privacy.