The FTC Is Flexing Its Muscles: What Does It Mean for Privacy Professionals?
By Tim Rollins
So much happens so fast in the realm of consumer privacy protection these days that it’s easy to lose sight of the forest for the trees. State legislatures are passing laws with increasing regularity. Data protection authorities in Europe and across the world issue stunning seven-, eight-, and nine-figure fines. And consumers’ increasing attention to and demand for privacy rights shows no sign of diminishing.
Perhaps the most notable lack of action is Congress’s failure to pass a comprehensive consumer privacy law, but that doesn’t mean the federal government isn’t active. The Federal Trade Commission (FTC) has very notably picked up the cadence and severity of its enforcement of existing consumer privacy protections. As of writing, the FTC has taken 11 privacy enforcement actions since May 2022 using its authority under a variety of laws and regulations. That’s more than double the number of actions taken between May 2021 and 2022.
A recent Exterro whitepaper provides insight into five of these recent developments in the world of privacy. Each case offers its own valuable lessons to organizations looking to remain in compliance with today’s complex patchwork of privacy regulations. But taken as a whole, the message is clear. Embrace and enact privacy-by-design principles across all elements of your business, or run the risk of being the next organization splashed across the headlines for a forced settlement with regulators.
5 Key Privacy Lessons from Recent FTC Actions
- Individuals may be held responsible for organizational shortcomings. The FTC's action against Drizly and its CEO over their failure to take protective measures against a data breach demonstrates that in cases of negligence, there can be direct consequences for executives.
- Regulators will use whatever means at their disposal to protect consumer privacy. The FTC turned to the 14 year-old Health Breach Notification Rule for its $1.5 million settlement over privacy violations against GoodRx Holdings.
- Don't violate your privacy promises to consumers. BetterHelp agreed to a $7.8 million settlement over their repeated failure to abide by their promise "not to use or disclose [customers'] personal health data."
- Dark patterns and other deceptive practices will not be tolerated. Vonage's use of dark patterns and other deceptive practices to make it harder for customers to cancel their services and continued billing of clients who had cancelled earned a $100 million enforcement action from the FTC.
- Children's rights will be protected vigorously. The gaming company behind the smash hit Fortnite got dealt an epic defeat with its $520 settlement, including $275 million for Children's Online Privacy Protection Act (COPPA) violations.
The Big Takeaway from the FTC's Regulatory Approach
Piecemeal compliance efforts are doomed to failure as regulatory regimes grow more and more complex. Organizations that hope to remain compliant with all privacy requirements must adopt privacy-by-design principles. Organizations that are clear about their policies, implement systems to follow them, and can demonstrate their compliance will not only avoid costly enforcement actions–it’s also good business that earns customer loyalty.
Privacy experts agree that it is impossible to keep up with these requirements without technology. Given organizations’ complex data infrastructure, the journey to compliance starts with a comprehensive, intelligent, and automated data inventory.
