FTC Issues Privacy and Data Security Update
March 28, 2019 | Marc S. Ullman
On March 15, 2019, the Federal Trade Commission (FTC) issued its 2018 Privacy and Data Security Update, which reported on the agency’s enforcement activities for that calendar year.
As the United States’ primary consumer protection agency, the FTC has authority to enforce a variety of laws directly related to privacy and data security, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This effectively places it on the front lines of data protection and consumer privacy issues – areas in which the Commission has been particularly active, contrary to popular perception that the Trump administration is soft on regulations.
The enforcement actions listed in the 2018 Update illustrate the FTC’s broad reach. The Commission commenced actions relating to spam and spyware, general privacy issues, data security and identity theft, credit reporting abuses and financial privacy breaches, children’s online privacy, and violations of the Do Not Call Registry (part of the Telemarketing Sales Rule), and it participated in international enforcement efforts to protect cross-border data security and privacy.
Following is a brief review of some of the actions.
- The FTC and the State of Nevada obtained judgments against the revenge porn site myex.com and its owners. The judgments directed that the site be taken down and prohibited the owners from operating any site that solicits private/intimate images of third parties and/or charges fees to remove victims’ private information from the web. The judgments also levied penalties of more than $2 million against the corporate and individual defendants.
- An enforcement action against PayPal, Inc. involved allegedly misleading privacy practices related to the company’s peer-to-peer payment service. In response, PayPal agreed to make affirmative disclosures about its privacy practices and is prohibited from making future misrepresentations about customers’ ability to control the platform’s privacy settings.
- The Commission sued Sunkey Publishing, Inc., FanMail.com and the owners of both sites for participating in a scheme to obtain consumers’ personal information through imposter military recruitment websites and then using that information to market post-secondary education programs. The FTC obtained an order halting these practices, imposing more than $12 million in civil penalties and prohibiting the defendants from engaging in any type of similar activity in the future.
Data Security and Identity Theft
- Uber Technologies, Inc. agreed to strengthen its data protection policies contained in an earlier agreement with the Commission following a second documented breach of its customers’ personal information. Among the changes to the agreement, Uber will now have to pay civil penalties if it fails to promptly notify the FTC of any future data breach, must implement a comprehensive privacy program and for 20 years obtain independent, third-party assessments biennially, which it must submit to the Commission, certifying that it has an effective privacy program in place.
- VTech Electronics Limited (Hong Kong) and its U.S. subsidiary agreed to settle charges that they failed to use reasonable security measures to protect personal information. Specifically, the companies lacked an adequate intrusion detection or prevention system for the personal information they collected through their Kid Connect mobile app. As a result, a hacker was able to access VTech’s computer network and the personal information of its users, including children. The FTC also alleged that VTech violated the fundamental consumer protection provisions of the Federal Trade Commission Act by falsely stating that most personal information submitted by users through its Learning Lodge and Planet VTech platforms would be encrypted, when in fact the company failed to encrypt any of this data. As part of the settlement, the companies agreed to implement a comprehensive data security program and obtain independent biennial audits for 20 years and to submit those reports to the Commission.
Credit Reporting and Financial Privacy
- RealPage, Inc. agreed to pay $3 million in settlement of charges that it violated the Fair Credit Reporting Act by failing to take reasonable steps to ensure the accuracy of tenant screening information that it provided to landlords and property managers. The misinformation included false reports of criminal convictions that likely resulted in prospective renters having their applications rejected.
- Credit Bureau Center LLC and several individual defendants agreed to the entry of a court order requiring them to pay $5.2 million in consumer restitution to resolve FTC charges that they deceived consumers with fake rental property ads and promises of “free” credit reports, and then tricked them into enrolling into a costly monthly credit-monitoring service.
- The Commission’s activities in this area are perfectly illustrated by the VTech matter mentioned above. Since 2000, the FTC has brought 25 actions based on the Children’s Online Privacy Protection Act of 1998 (COPPA) and collected millions of dollars in civil penalties.
Do Not Call
- The Commission commenced an action seeking a temporary restraining order and preliminary injunction against Redwood Scientific Technologies, Inc. and its owner for their alleged involvement in a scheme to deceptively market dissolvable oral film strips as effective smoking cessation, weight loss and sexual-performance aids through aggressive and harassing robo-calls.
- The FTC obtained temporary restraining orders and preliminary injunctions against 16 defendants – including recidivist robo-callers Aaron Michael Jones and Justin Ramsey. The defendants operated Florida-based robo-call scammer PointBreak Media, which deceived small business owners by falsely claiming to represent Google and threatening that businesses would be removed from Google search results unless the business owners hired PointBreak Media.
As this sampling of actions from 2018 indicates, despite the perception that the current administration in Washington is “anti-enforcement and pro-business,” the FTC has been and will remain an active advocate for consumers’ data, security and personal privacy online and elsewhere. It is clear that companies must take adequate steps to ensure that their customers’ information and privacy are protected. Failure to do so could have serious consequences.
- Marc S. Ullman