FTC Acts on Online Privacy, With State Laws Looming
December 17, 2019
In 2019, businesses learned that they could no longer hide from the inherent tension between commercial use of individual data and individual privacy interests. Over the past month or so, the Federal Trade Commission (FTC) took a number of notable privacy-related actions against a host of companies over what it considered problematic online practices; those actions hold lessons for any business with an online presence. Many states have passed privacy legislation or carried bills over for consideration in their next legislative session, including 25 privacy bills pending in New York State alone. In-house counsel, and we attorneys in private practice, must help our clients keep all of these balls in the air as some deadlines pass and others rapidly approach.
Safeguarding Consumer Data
In mid-November, a Utah-based technology company agreed to implement a comprehensive data security program to settle FTC allegations that it failed to put in place reasonable security safeguards, a failure that allowed a hacker to access the personal information of about one million consumers.
The FTC’s proposed action concerned InfoTrax Systems, L.C., and its former chief executive officer, Mark Rawlins. InfoTrax provides back-end operation services to multi-level marketers to manage their compensation, inventory, orders, accounting, training, and data security, and operates clients’ website portals.
The FTC alleged that InfoTrax and Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the sensitive personal information InfoTrax maintained on behalf of its clients, information that hackers then allegedly used to commit consumer fraud and identity theft. The FTC attributed the breach to InfoTrax’s failure to:
- Inventory and delete personal information it no longer needed;
- Conduct code review of its software and testing of its network;
- Detect malicious file uploads;
- Adequately segment its network; and
- Implement cybersecurity safeguards to detect unusual activity on its network, such as use of an intrusion prevention or detection system to alert InfoTrax to potentially unauthorized queries or access to InfoTrax’s network, integrity monitoring tools to determine whether any files on InfoTrax’s network had been altered, and data loss prevention tools to regularly monitor for unauthorized attempts to exfiltrate consumers’ personal information outside InfoTrax’s network boundaries.
The FTC also alleged that InfoTrax stored consumers’ personal information, such as Social Security numbers, payment card information, bank account information, and user names and passwords, in clear, readable text on its network.
Based on the foregoing, the FTC alleged that the failure to provide reasonable security for personal data in InfoTrax’s care violated the FTC Act’s prohibition against unfair practices.
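Of the allegations above, the cleartext storage of user names and passwords is the one a development team can remedy most directly. The following Python is an added illustration, not code from this article or from InfoTrax, of the storage pattern the complaint describes beside a hardened form: a salted, deliberately slow password verifier checked in constant time. The iteration count, the record format, and the account data are assumptions constructed for the example; the standard library’s PBKDF2-HMAC is used so it runs anywhere without extra packages.

```python
"""Added example (not from the article or InfoTrax): cleartext credential
storage beside a hardened, salted slow-hash verifier. All data is constructed."""
import hashlib
import hmac
import os
from typing import Dict

# Assumption: PBKDF2-HMAC-SHA256 with this work factor. Raise it until one
# verification costs roughly 100 ms on the hardware that will run it.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


# --- The failure mode the complaint describes: the secret itself at rest ----
def store_cleartext(db: Dict[str, str], username: str, password: str) -> None:
    """Whoever reads the store (backup, dump, SQL injection) gets the password."""
    db[username] = password


def check_cleartext(db: Dict[str, str], username: str, password: str) -> bool:
    return db.get(username) == password   # plain == also leaks timing


# --- Hardened form: store a verifier, never the password --------------------
def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$cost$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)          # fresh per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(db: Dict[str, str], username: str, password: str) -> None:
    db[username] = make_verifier(password)


def check_hashed(db: Dict[str, str], username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Burn the same work for unknown users so a probe cannot tell, from
        # response time, whether an account exists.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * SALT_BYTES, ITERATIONS)
        return False
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False                        # unknown format: fail closed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time compare: a byte-by-byte == would leak how many leading
    # bytes of the hash matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cleartext_records(db: Dict[str, str]) -> list:
    """Inventory helper: names of records that are not verifier-formatted.
    Knowing what you hold is the point of the FTC's 'inventory' allegation."""
    return [user for user, value in db.items() if not value.startswith(ALGO + "$")]


def demo() -> Dict[str, object]:
    weak: Dict[str, str] = {}
    strong: Dict[str, str] = {}
    store_cleartext(weak, "alice", "correct horse battery staple")
    store_hashed(strong, "alice", "correct horse battery staple")
    return {
        "weak_record_is_password": weak["alice"] == "correct horse battery staple",
        "strong_record_contains_password": "correct horse" in strong["alice"],
        "strong_login_ok": check_hashed(strong, "alice", "correct horse battery staple"),
        "strong_login_wrong": check_hashed(strong, "alice", "Correct horse battery staple"),
        "unknown_user": check_hashed(strong, "bob", "anything"),
        "inventory_weak": cleartext_records(weak),
        "inventory_strong": cleartext_records(strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened record stores only a salt and a derived hash, so a copy of the database yields nothing a thief can log in with; the same approach does not apply to Social Security or card numbers, which must be retrievable and therefore need encryption with keys kept outside the data store, or not retained at all.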
InfoTrax and Rawlins entered into a consent order with the FTC that incorporated the FTC’s decision and order setting forth, in great detail, the mandated information security program, third-party assessments, annual assessments, and incident reporting that InfoTrax must undertake as a condition of being permitted to collect, sell, share, or store personal information in the future. The agreement requires InfoTrax to assess and document internal and external security risks, implement specifically defined safeguards to protect personal information from those risks, and test and monitor the effectiveness of those safeguards. The settlement also requires the company to obtain third-party assessments of its information security program every two years and imposes certain recordkeeping requirements. See Agreement Containing Consent Order, available at https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_agreement_containing_consent_order_clean.pdf, and Decision and Order, available at https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_order_clean.pdf.
The FTC and Privacy Shield
The issue of data transfer between the United States and European Union countries has been an evolving challenge to the conduct of transatlantic business. Simply put, because EU principles recognize an individual’s privacy as a “human right” deserving of the highest protection, EU law restricts transfer of personal data to jurisdictions, such as the United States, that do not have equivalent privacy protections, unless a mechanism for protection of the transferred data is established that the EU deems “adequate.” To satisfy this EU adequacy standard, the U.S. Commerce Department and the European Commission negotiated the Privacy Shield, which took effect August 1, 2016. The Privacy Shield is the primary mechanism for the transfer of personal data lawfully from the EU to companies in the United States.
To participate in the Privacy Shield, an American company must self-certify to the U.S. Commerce Department that it complies with the Privacy Shield’s principles and meets the related requirements that have been deemed to meet the EU’s adequacy standard. Frequently, companies also include statements regarding their compliance with the Privacy Shield in the consumer-facing privacy or security policies on their websites, which may thereafter be relied on by consumers as assurances as to how their personal data will be handled.
In early November and again earlier this month, the FTC took action against five companies that it said had deceived consumers over their participation in the Privacy Shield.
First, the FTC sued RagingWire Data Centers, Inc., a Nevada data storage services company, alleging that it misled consumers about its participation in the Privacy Shield and that it failed to adhere to the program’s requirements before allowing its certification to lapse. See FTC Administrative Complaint, available at https://www.ftc.gov/system/files/documents/cases/d09386_ragingwire_administrative_complaint_public.pdf.
According to the FTC, the Commerce Department warned RagingWire twice to either remove the claims or to take steps to recertify its participation in the program. As alleged by the FTC, however, the company failed to recertify until it was contacted by the FTC in October 2018.
The FTC also alleged that while RagingWire claimed to be a participant in the Privacy Shield, the company failed to comply with the three following Privacy Shield requirements:
- To verify annually that it had made accurate statements about its Privacy Shield privacy practices;
- To maintain a dispute resolution process for consumers who had privacy-related complaints about the company; and
- To abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Commerce Department that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
The FTC’s action against RagingWire remains pending as of this writing. In early December, however, the FTC announced that it had reached settlements with four companies that allegedly misrepresented their participation in the Privacy Shield; two of the companies also allegedly failed to comply with Privacy Shield requirements.
In separate actions, the FTC settled Privacy Shield cases against:
- Click Labs, Inc., a website and mobile app services provider;
- Incentive Services, Inc., a developer of service award and incentive programs for employers;
- Global Data Vault, LLC, a provider of data storage and recovery services; and
- TDARX, Inc., an IT services provider.
In addition to allegations that each company falsely claimed to participate in the Privacy Shield, the FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law.
In its cases against Global Data and TDARX, the FTC further alleged that the companies continued to claim participation in the EU-U.S. Privacy Shield after allowing their certifications to lapse, and that those companies failed to comply with the framework. The companies allegedly failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.
Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, or in any other privacy or data security program sponsored by any government or by any self-regulatory or standard-setting organization. Global Data Vault and TDARX also are required to continue to apply the Privacy Shield protections to personal information they collected while participating in the program, or to return or delete that information. See Agreements Containing Consent Orders, available at https://www.ftc.gov/system/files/documents/cases/tdarx_consent_agreement_07-30-19.pdf; https://www.ftc.gov/system/files/documents/cases/2019.09.26_clicklabs.consent_agreement.pdf; https://www.ftc.gov/system/files/documents/cases/192_3093_global_data_vault_agreement.pdf; and https://www.ftc.gov/system/files/documents/cases/incentive_services_inc._consent_agreement_07-26-19.pdf.
Including its actions against these five companies, the FTC has now brought nearly two dozen enforcement actions related to the EU-U.S. Privacy Shield framework since it was established in 2016. It should be self-evident that representations made to consumers about participation in the Privacy Shield or any other privacy regime must be truthful, accurate, and up-to-date, and that the FTC will treat false or outdated representations as actionable deception. A certification that has lapsed, or a privacy policy that was never updated after a company stopped participating, is enough to draw a complaint.
And in the States…
The requirements imposed on InfoTrax and Rawlins under the settlement they reached with the FTC can serve as a roadmap for the most basic actions that all companies should be taking to protect customers’ personal information and the honest disclosure that should be provided in their consumer-facing policies. Similarly, the four Privacy Shield settlements discussed above, and the allegations in the FTC’s complaint against RagingWire, highlight steps that online businesses should adopt to comply with the Privacy Shield’s requirements.
But companies also must do more – much more – to meet the patchwork of privacy laws and regulations that states, including New York, have been adopting and that have taken effect or are about to. For instance, New York has its SHIELD Act, among other privacy provisions applicable to various industries. Presently there are over two dozen additional privacy bills pending in New York that will be addressed in 2020. Not all of them will pass, and it is difficult to predict with precision what New York’s privacy law will require in the future. A Nevada law that became effective on October 1, 2019 requires operators of websites and online services to post privacy notices – and to give consumers the ability to opt out of the sale of their personal information.
Notably, as with data security, there is no omnibus federal legislation governing consumer privacy, except in certain highly regulated industries such as health care and banking. Accordingly, states have forged a patchwork of often conflicting laws whose jurisdictional reach, like that of the California Consumer Privacy Act (CCPA), depends on the residency of the individual whose personal information is affected rather than on the business’s location. There are many proposals for federal legislation that would pre-empt individual state laws and provide a consistent regime for the handling of personal information in interstate commerce, but none is likely to pass in the near term given the present Congressional logjam.
Executives have much to consider, worry about, and ultimately address as they operate their companies. Privacy issues, including pending litigation and regulatory enforcement, should certainly be near the top of that list.
Reprinted with permission from the December 17, 2019 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
- Shari Claire Lewis