It’s that time of year again – the FTC has released its report on enforcement activity in 2018, including its efforts at enforcing privacy promises. It was, as you might expect, a busy year, with major proceedings instituted against a number of high-profile entities like Uber, Paypal, and Facebook. Although the total amount in fines wasn’t huge (sub $100m), the Commission’s active role hasn’t abated, and claims that EU Data Protection Authorities would occupy the privacy-regulation field were overblown.
There is, as mentioned, plenty to discuss about the major players like Facebook or Uber, but these companies occupy a unique space in the market, and are, frankly, unrepresentative of the FTC’s enforcement priorities and regulatory posture. It’s like looking at DOJ’s pursuit of Microsoft in the 1990s and concluding that the Justice Department spent most of its time working on antitrust cases when, in reality, the bulk of its efforts and budget have always gone to more traditional law enforcement. We just see the big players and assume they are the most important ones.
In fact, FTC’s enforcement efforts in 2018 was aimed largely in the same direction it has been for the last two decades: holding companies to their promises to consumers, particularly when it comes to how data is used and how it is protected. Thus, there were actions against Paypal for misrepresenting the nature and scope of the security of Venmo’s financial transactions and against BLU for hiding that it was transferring user data to China. There was also the standard effort to curb identity theft, which have long been a central focus of FTC’s activity.
One important ongoing theme is the development of a “minimum standards of safeguards” test for companies that fall prey to hacking or cybercrime. You may remember VTech, which manufactures toys, cameras, and other electronics aimed at children, had a massive problem with the susceptibility of the devices to hacking. FTC’s action not only covered the expected COPPA (Children’s Online Privacy Protection Act) territory, but also alleged that VTech failed to meet basic standards of safeguarding data. That concept is an important one, because it goes a long way towards creating a cross-industry minimum for securing data — a simple password isn’t going to cut it. And while that’s a far cry from the GDPR’s “security appropriate to the risk” test, it is at least movement in that direction. The VTech case is notable also because it was undertaken alongside Canada’s Office of the Privacy Commissioner, an important step towards cross-border cooperation on data privacy issues — although the FTC issued its findings and announced the settlement long before the Canadians had finished investigating.
How does 2018 compare in terms of overall enforcement profiles? I think you can expect it to be a relatively quiet year when contrasted with 2019 and 2020, for two reasons. First, 2018 was the year of GDPR, and so many American companies tried to be on their best behavior, modifying privacy policies (ad nauseam) and implementing new terms and conditions. I’m not necessarily suggesting that these policies were actually followed. I’m suggesting that, because the policies were new, FTC didn’t have a substantial record of violations from which it could base an enforcement action. With all the focus on getting GDPR compliant, there was enough focus on self-regulation that FTC seemingly gave American companies some breathing room to get their privacy programs in order.
The other reason is that, in our view, FTC enforcement actions in 2019 or, more likely 2020, are going to be very active. We’re anticipating that the looming billion dollar fine for Facebook will be the first of potentially several from the Commission, with more aggressive enforcement against tech giants to follow. The reason is that, when Congress starts holding hearings where Senators ask difficult, informed questions about ad policies, tracking, and overly-long privacy policies, it signals that enforcement season is open. And, because a comprehensive federal privacy law still seems like a pipe dream, FTC will still have something akin to free rein in policing the boundaries of privacy in the U.S.
How does this affect your business? Use the FTC’s report as a scorecard for your own privacy policies and practices. You can even make it a checklist (lawyers love checklists) and compare your activities with those businesses that were fined or sued last year. For starters, ask the following questions:
- Are we relying on consumer consent for what we do? How clearly do we define what we’re asking them to agree to?
- If our products or services have anything to do with kids, have we gone above and beyond the bare minimum when it comes to security? VTech is a cautionary tale for all companies: when children are involved, the standards are (and should be) much higher.
One final point. Remember that you’re in a data partnership with your customers if you use their data: treat them like a partner.