The Federal Trade Commission (FTC) has released its annual Privacy and Data Security Update, which highlights the FTC’s activities during the past year. The FTC, the U.S. agency tasked with a unique dual mission to protect consumers and promote competition, detailed its record year for enforcement actions aimed at protecting consumer privacy and data security.

The FTC’s primary enforcement authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of industry-specific laws, including the Gramm-Leach-Bliley Act, the Truth in Lending Act, the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, the Children’s Online Privacy Protection Act (COPPA), the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. The FTC has used its authority to address a wide range of practices affecting consumers, including those that come with the development of new technologies and business models.

Agency watchers look to the FTC’s annual reports as a signal for insights into the agency’s upcoming priorities. Some highlights from 2019 discussed in the report include:

  • In July 2019, the FTC and the Department of Justice announced a joint settlement with Facebook for alleged violations of its 2012 FTC privacy order. The allegations were that Facebook’s misrepresentations as to the controls users had over their personal information, Facebook’s failure to institute and maintain a reasonable program to ensure consumers’ privacy, and Facebook’s failure to disclose that it was using phone numbers provided by users for two-factor authentication for targeted advertising. The FTC levied a $5 billion penalty—the largest consumer privacy penalty ever—against Facebook and imposed new restrictions on the company’s business operations. The settlement is currently pending approval by the U.S. District Court for the District of Columbia.
  • In a related but separate case, the FTC filed a law enforcement action against the data analytics company Cambridge Analytica, as well as its CEO and app developer. The FTC’s complaint alleged that Cambridge Analytica used false and deceptive tactics to harvest personal information from millions of Facebook users for voter profiling and targeting. The complaint alleged that app falsely told users that it would not collect users’ names or other identifiable information, but in fact, the app collected users’ Facebook User ID, which connects individuals to their Facebook profiles. The CEO and app developer agreed to settlements with the FTC that restrict how they conduct any business in the future, and the FTC entered a default judgment against Cambridge Analytica.
  • Also, in July 2019, the FTC announced a settlement with Equifax to resolve allegations that the company failed to secure the massive amount of personal information stored on its network which led to a data breach affecting 147 million people and exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud. The settlement included a payment of up to $700 million to help consumers affected by the breach and was part of a global resolution with a consumer class action, the Consumer Financial Protection Bureau, and 50 states and territories.
  • The FTC also obtained a record $170 million penalty against YouTube and Google for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”), which generally requires websites and apps to obtain verifiable parental consent before collecting personal information from children under 13. The complaint alleged YouTube violated COPPA by collecting personal information—including persistent identifiers that are used to track users across the internet—from viewers of channels targeted at children, without first notifying parents and getting their consent.
  • The FTC settled a complaint against, now known as TikTok, the video social networking app that allows users to create short videos of themselves and to share those videos with others, over allegations that the app was child-directed and violated COPPA by illegally collecting personal information from children. TikTok paid $5.7 million to settle the charges.
  • Throughout the year, the FTC continued its vigorous enforcement of the EU-U.S. Privacy Shield framework by bringing 13 cases against companies that allegedly made false promises related to the framework.
  • In addition to its enforcement work, the report highlights four privacy-related events hosted by the FTC, including examining consumer privacy as part of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century, its annual PrivacyCon event highlighting cutting-edge privacy research, a COPPA Rule workshop, and a workshop examining consumer report accuracy.

The FTC update describes other areas of focus, including data security, credit reporting, and financial privacy, Do Not Call and telemarketing, and international enforcement. You can read the entire update here.

For more information regarding this post, please contact Sean Buckley.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.