Federal Trade Commission 2014 Privacy and Data Security update

July 6, 2014

In the United States, privacy regulation at the Federal level is sectoral.  There are some strong protections but a lack of general coverage.  The key regulator, the Federal Trade Commission (FTC), wants more powers and broader coverage.  At the moment it has power to take action over unfair and deceptive practices, and it has powers to enforce the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act.  Even with those restrictions, its enforcement and educational activities are quite impressive.  Certainly something for other privacy regulators to heed.  It has also been a regulator not afraid to take on, and best, large organisations.

In Federal Trade Commission 2014 Privacy and Data Security Update the FTC provides an update of its activities.  Its settlements, and the undertakings it has extracted from organisations, are hugely influential for privacy practitioners in the United States.  Given that the issues in the United States and the UK regarding proper privacy protections, data security and proper data handling processes and policies are very similar to those in Australia, the outcomes of the FTC’s enforcement activities and the monetary penalty orders of the Information Commissioner in the UK should be regarded carefully by Australian privacy practitioners.  The reservoir of decisions by the Privacy Commissioner is small, though it should be noted that he has been quite active this year.  Decisions and investigations involving the powers given to the Privacy Commissioner under the amendments which took effect on 12 March 2014 are yet to be made, or at least yet to be made public.

On the privacy protection front the FTC brought 40 general privacy lawsuits.  Notably:

  • It announced a settlement with Goldenshore Technologies, the maker of a popular flashlight app that promised it would collect information from users’ mobile devices only for certain internal housekeeping purposes, but failed to disclose that the app transmitted the device’s location, precise device ID, and other device data to third parties, including mobile advertising networks.
  • Aaron’s, Inc., a national rent-to-own retailer, agreed to settle charges that it knowingly played a direct role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers, such as by taking webcam pictures of them in their homes. The complaint alleged that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software.
  • It settled an enforcement action with Path, a social networking app that accessed users’ contacts without permission, in violation of the FTC Act. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.
  • Epic Marketplace, an online advertising company, agreed to settle FTC charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy. The order bars the company from using history sniffing technology or from making misrepresentations to consumers.
  • An affiliate marketer, Jason Q. Cruz d/b/a Appidemic Inc., was a subject in a series of FTC complaints targeting the senders of deceptive spam text messages. Cruz agreed to settle charges that he was responsible for sending millions of unwanted text messages to consumers that deceptively promised “free” gift cards and electronics. In its complaint, the FTC alleged that he sent text messages to consumers around the country offering free merchandise, such as $1,000 gift cards to major retailers or free iPads, to those who clicked on links in the messages.
  • SubscriberBASE Holdings, Inc.; SubscriberBASE, Inc.; Jeffrey French, individually and as an officer of SubscriberBASE Holdings, Inc. and SubscriberBASE, Inc.; All Square Marketing, LLC; Threadpoint, LLC; PC Global Investments, LLC; Slash 20, LLC; Brent Cranmer, individually and as an officer and manager of All Square Marketing, LLC, PC Global Investments, LLC, and Slash 20, LLC; Christopher McVeigh, individually and also d/b/a CMB Marketing, Inc., and as a manager of All Square Marketing, LLC; and Michael Mazzella, individually and also d/b/a Mazzco Marketing, Inc. and as an officer and manager of All Square Marketing, LLC, who allegedly operated websites enticing consumers with bogus offers and hired affiliates to send spam text messages to promote them, agreed to pay $2.5 million in settlements with the FTC.
  • In PCCare247, Inc. and Virtual PC Solutions, the defendants posed as major computer security and manufacturing companies to deceive consumers into believing that their computers were riddled with viruses, spyware and other malware. The complaints alleged that the defendants were not actually affiliated with major computer security or manufacturing companies and had not detected viruses, spyware or other security or performance issues on the consumers’ computers. The defendants charged consumers hundreds of dollars to remotely access and “fix” the consumers’ computers.

On data security:

  • The FTC settled allegations that GMR Transcription Services – an audio file transcription service – violated the FTC Act. According to the complaint, GMR relied on service providers and independent typists to transcribe files for its clients, which include healthcare providers. As a result of GMR’s failure to implement reasonable security measures and to oversee its service providers, at least 15,000 files containing sensitive personal information – including consumers’ names, birth dates, and medical histories – were available to anyone on the Internet.
  • The FTC alleged that GeneLink, Inc. and its former subsidiary, foru™ International Corp., the makers of genetically customized nutritional supplements, deceptively and unfairly claimed that they had reasonable security measures to safeguard and maintain personal information – including genetic information, Social Security numbers, bank account information, and credit card numbers.
  • In Accretive Health, Inc. – a company that provides medical billing and revenue management services to hospitals – the FTC alleged the company failed to provide reasonable security to protect consumers’ personal information, including sensitive personal health information, which led to an incident involving an employee’s stolen laptop containing 20 million pieces of information on 23,000 patients.
  • The FTC’s complaint alleged that TRENDnet marketed its IP cameras for purposes ranging from home security to baby monitoring and claimed in numerous product descriptions that they were “secure.” In fact, the cameras had faulty software that left them open to online viewing, with the result that hundreds of consumers’ private camera feeds were made public on the Internet.
  • In ongoing litigation the FTC alleges that a medical testing laboratory, LabMD, Inc., failed to reasonably protect the security of consumers’ personal data, including medical information. The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers.
  • Mobile device manufacturer HTC settled FTC charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, thereby introducing security flaws that placed sensitive information about millions of consumers at risk. HTC must establish a comprehensive security program, undergo independent security assessments for 20 years, and develop and release software patches to fix security vulnerabilities found in millions of HTC devices.
  • The Commission brought a case against Cbr Systems, Inc., a leading cord blood bank, for failing to protect nearly 300,000 customers’ personal information, including Social Security numbers, credit and debit card account numbers, and sensitive medical information.

On credit reporting and financial privacy:

  • TeleCheck Services, Inc., one of the nation’s largest check authorization service companies, agreed to pay $3.5 million to settle charges that it violated the FCRA by failing to follow proper dispute procedures, including refusing to investigate disputes.
  • Certegy provided merchants with recommendations as to whether to approve consumers’ checks, based on their past payment history. The FTC obtained a $3.5 million fine for FCRA violations, alleging that Certegy did not have reasonable procedures to resolve consumer disputes over errors in its database.
  • The Commission took action against mobile app developer Filiquarian, which compiled and sold criminal record reports without complying with the FCRA. The order bars Filiquarian from furnishing reports to anyone it does not believe has a permissible purpose to use the report, from failing to take reasonable steps to ensure the maximum possible accuracy of information conveyed in its reports, and from failing to provide users of its reports with information about their FCRA obligations.
  • Time Warner Cable, Inc. agreed to pay $1.9 million in civil penalties to settle charges that the company violated the Risk-Based Pricing Rule, which requires creditors to give notice to consumers who are provided less favorable credit terms based on information in their credit reports.
  • FTC staff members posed as individuals or representatives of companies seeking information about consumers to make decisions related to their creditworthiness, eligibility for insurance or suitability for employment. Following the test-shopping operation, the FTC issued warning letters to ten data brokers that appeared to be selling information for FCRA purposes without following the FCRA requirements.

Regarding breaches of the US-EU Safe Harbour Framework:

  • Apperian, Inc.; Atlanta Falcons Football Club, LLC; Baker Tilly Virchow Krause, LLP; BitTorrent, Inc.; Charles River Laboratories International, Inc.; DataMotion, Inc.; DDC Laboratories, Inc.; Level 3 Communications, LLC; PDB Sports, Ltd., d/b/a Denver Broncos Football Club; Reynolds Consumer Products Inc; Receivable Management Services Corporation; and Tennessee Football, Inc. agreed to settle FTC charges that they falsely claimed they were abiding by the Safe Harbor.

Regarding children’s privacy:

  • In addition to privacy allegations, the FTC’s settlement with Path addressed charges that the social network app also collected information from children under 13 without obtaining parental consent, in violation of COPPA. Path paid $800,000 to settle the COPPA charges.

It is a comprehensive report which also deals with other activities of the FTC.  The FTC has its detractors, but compared to privacy regulation in Australia and New Zealand it is positively zealous.

It appears that the FTC is being drawn in to consider the very questionable (ethically, at least) Facebook emotion experiment.  The Guardian reports, in Privacy watchdog files complaint over Facebook emotion experiment, that EPIC has made a formal complaint to the FTC regarding the misuse of users’ data, requesting an investigation, injunction or other relief.  It provides:

Facebook could face an investigation by the US Federal Trade Commission (FTC) over its use of user data in the controversial “emotion contagion” experiment.

The US privacy pressure group the Electronic Privacy Information Centre (Epic) has filed a complaint with FTC demanding that the watchdog investigate Facebook’s actions.

“The company purposefully messed with people’s minds,” states Epic in the complaint. “Facebook conducted the psychological experiment with researchers at Cornell University and the University of California, San Francisco, who failed to follow standard ethical protocols for human subject research.”

The study, conducted over one week in 2012 and published in the Proceedings of the National Academy of Sciences, hid “a small percentage” of emotional words from people’s news feeds, without their knowledge, to test what effect that had on the statuses or “likes” that they then posted or reacted to.

‘Unfair and deceptive’ acts and practices

“Facebook’s conduct is both a deceptive trade practice under Section 5 of the FTC Act and a violation of the Commission’s 2012 Consent Order,” the complaint continues.

The FTC Act prohibits “unfair and deceptive” acts and practices, which Epic alleges Facebook’s actions within the Cornell study countermand.

Facebook is also currently under a 20-year consent decree from the FTC that requires Facebook to protect user privacy, first imposed in July 2012, after an FTC investigation found the social network to be in violation of the FTC Act in the US.

The settlement caused Facebook to increase its privacy and security of information measures, as well as preventing the social network from misrepresenting the extent to which user data is held as private.

“Facebook’s failure to adequately disclose that it shared consumer data with third-party researchers constitutes a deceptive act or practice in violation of Section 5(a) of the FTC Act,” states the Epic complaint. “Facebook has violated Count I of its 2012 Consent Order with the FTC and is subject to FTC enforcement in Federal district court.”

Epic demands that Facebook makes public the NewsFeed algorithm

As well as demanding that the FTC conducts an investigation into the study and sharing of data without explicit user consent with third-party researchers at Cornell University, Epic demands that Facebook makes public the proprietary algorithm that produces the NewsFeed.

The FTC last investigated Facebook after the company made changes to the way information privacy was handled making some previously private information – such as friends lists – public without warning or approval in advance.

The company settled with the FTC in November 2011 over what the regulator described as Facebook “deceiving consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The settlement included a clause that forces Facebook to obtain consent for making any changes to privacy settings, something Epic alleges was not the case for the nearly 700,000 users unwittingly involved in the “emotion contagion” study.

Epic was part of the original complaint group in 2009 and 2010 that induced the investigation by the FTC.

Facebook declined to comment.
