FTC Privacy and Data Security Report for 2018

FTC Privacy and Data Security Report for 2018

April 3, 2019

The Federal Trade Commission (FTC) publishes a comprehensive annual update detailing the significant actions it has taken to protect American consumers’ privacy and data security. For the 2018 calendar year, the FTC’s update detailed the following actions.

Prosecutions

General Privacy Cases

  • The FTC and the State of Nevada obtained a court order from the U.S. District Court for the District of Nevada shutting down revenge porn website MyEx.com and ordering the operators of the website to pay more than $2 million. In their complaint, the FTC and the State of Nevada alleged that the website solicited intimate and sexually explicit images and videos of victims, as well as in some instances their personally identifying information. In many cases, the website operators allegedly charged victims as much as $2,800 to remove their images and information from the site.
  • The FTC finalized a settlement agreement with the peer-to-peer electronic payment application Venmo over its allegedly deceptive privacy settings. The FTC alleged that Venmo misrepresented the steps necessary for users to make their transactions private and thereby conceal them from the app’s social media-style feed. Venmo must now affirmatively disclose the steps necessary to enable the privacy settings.

Data Security and Identity Theft

  • Uber Technologies, Inc. agreed to a broadened settlement agreement after a 2016 data breach. Following the 2016 data breach and subsequent settlement with the FTC, the FTC learned that Uber had concealed evidence of another breach that had occurred while the FTC was investigating the 2016 breach. Uber is now under direct order to notify the FTC of any future incidents which involve the unauthorized dissemination of consumer information.
  • VTech Electronics Limited, a supplier of electronic learning products for children, agreed to settle charges that it failed to implement adequate security measures to protect users’ personal information. As a result of the security deficiencies, a hacker was able to infiltrate Vtech’s computer network and gain access to children’s personally identifying information. Through the settlement with the FTC, VTech agreed to expand its data security program and submit to biennial audits for the next 20 years.

Credit Reporting and Financial Privacy

  • LendingClub, a peer-to-peer lending company, was charged with failing to deliver adequate privacy notices to consumers required by the Gramm-Leach-Bliley Act’s Privacy Rule and Regulation P. The FTC’s complaint alleged that “LendingClub violated these rules by failing to provide its customers with clear and conspicuous notice before collecting consumers’ financial data and by failing to deliver the notice in a way that ensured that consumers received it.” Customers were instead forced to follow a series of links before being able to review the privacy policy, a method the FTC deemed to be improper.
  • The FTC’s settlement with Venmo also covered allegations that Venmo failed to meet certain requirements of Gramm-Leach-Bliley by not satisfying the Privacy Rule’s requirement that it deliver annual privacy notices to consumers.

Children’s Privacy

  • In the FTC’s case against VTech Electronics Limited, the FTC alleged that VTech collected personal information from children despite failing to obtain parental consent to do so. As part of the settlement, VTech agreed to pay a $650,000 civil penalty.
  • In the FTC’s case against Explore Talent, a talent agency, the FTC alleged that Explore Talent knowingly collected personal information from children under the age of 13 without adequately disclosing the practice and without obtaining parental consent. Explore Talent agreed to pay a $235,000 civil penalty as a result of the alleged practices.
  • The FTC also issued cautionary letters to smart watch makers Gator Group, Ltd. and Tinitell, Inc. notifying them that their smart watches marketed toward children must abide by the Children’s Online Privacy Protection Act. The China-based Gator Group and the Sweden-based Tinitell allegedly failed to provide notice to consumers of their information collection practices, including geolocation information.

Do Not Call

The FTC amended the Telemarking Sales Rule in 2003 to create a national Do Not Call Registry (the “DNC Registry”), which now includes more than 235 million active registrants. Since enacting this provision, the FTC has brought 140 cases against telemarketers for contacting individuals listed on the DNC Registry. These cases have resulted in orders totaling over $1.5 billion in civil penalties, redress, or disgorgement, and actual collections in excess of $121 million. The FTC pursued several DNC cases in 2018.

  • The FTC charged Travis Deloy Peterson with contacting consumers through robocalls posing as fake veterans’ charities in order to solicit donations. Peterson allegedly convinced a number of consumers to donate items of significant value, including cars, boats, real estate, and timeshares. Though the robocalls indicated that sales proceeds from these items would go to veterans’ charities, Peterson kept the proceeds for his own personal benefit. A federal court issued a temporary restraining order against Peterson preventing him from making unlawful robocalls or engaging in deceptive conduct with respect to charities.
  • The FTC obtained temporary restraining orders against the operators of Pointbreak Media, a company that orchestrated a robocall scheme which called small businesses claiming to represent Google and threatening to remove the businesses from Google’s search results. The FTC’s complaint alleged that the calls threatened to list the business as “permanently closed” unless they were to “press one” to speak to a “Google specialist.” The robocalls would then instruct the business owners that for a one-time fee ranging from $300 to $700, they could protect their listing and appear prominently when consumers searched for their products or services.
  • The FTC filed a complaint and motion for preliminary injunction against Alliance Security, Inc., a home security company. The complaint alleged that the company and its founder called millions of consumers who were listed on the DNC Registry. Through its settlements with Alliance and its authorized telemarketers, the FTC has obtained judgments in excess of $5.5 million.
  • Higher Goals Marketing, LLC allegedly orchestrated a credit card interest-rate reduction scam which defrauded consumers seeking to lower their interest payments on credit card debt. The FTC complaint and motion for preliminary injunction assert that the company’s principals had been ordered to shut down a nearly identical operation in the recent past, and started the new operation just weeks after officially shutting down. The FTC successfully shut down Higher Goals.
  • The FTC charged M&T Financial Group and American Counseling Center Corp., doing business as Student Debt Relief Group, with deceiving consumers struggling to pay student loans. The complaint alleges that the defendants called consumers, falsely claiming to be affiliated with the Department of Education, and inducing consumers to pay as much as $1,000 to be enrolled in free federal programs. Defendants allegedly then kept the money themselves.

Other Notable FTC Activity

In addition to prosecuting rules violations, the FTC acts to protect consumer privacy and data security in many other ways. In 2018, the FTC took the following actions.

  • The FTC provided testimony before both the Senate Commerce Subcommittee on Consumer Protection and the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection about its commitment to enforcing legislation to protect data security and consumer privacy.
  • The FTC also drafted and enforced a number of rules geared toward consumer privacy protection. The Health Breach Notification Rule, for instance, requires certain online businesses to notify consumers when their health information is compromised by a breach. The Children’s Online Privacy Protection Act, discussed supra, requires websites and electronic applications to obtain parental consent before collecting information from children under 13. Additionally, the Disposal Rule, a component of the Fair and Accurate Credit Transactions Act of 2003, requires companies that collect consumers’ credit information to meet certain requirements and make certain disclosures about how they dispose of that information.
  • The FTC hosted a number of workshops in 2018, including:
    • Decrypting Cryptocurrency Scams, a workshop designed to help consumer groups examine fraudulent practices in the cryptocurrency sector
    • PrivacyCon, an annual conference organized and hosted by the FTC to explore current research and trends in protecting consumer privacy and security
  • The FTC also authored reports and conducted surveys related to consumer privacy and data security, including:
    • A staff perspective paper discussing its December 2017 workshop regarding informational injuries. The paper focuses on the ways in which non-financial harm to consumers, such as the dissemination of personal information, can harm the marketplace and create distrust in consumers.
    • A staff perspective paper highlighting key take-aways from a workshop it jointly hosted with the National Highway Traffic Safety Administration. The paper focuses on the ways in which the collection of data from autonomous cars may trigger consumer worry.

The FTC engaged with certain international authorities in 2018 to assist with protecting consumer confidence and privacy in other nations. For example, the FTC worked with the Office of the Privacy Commissioner of Canada in the agency’s enforcement action against VTech Electronics Limited. Further, the FTC hosted the 49th Asia Pacific Privacy Authorities forum in San Francisco, where representatives from 13 countries gathered to discuss privacy investigations and enforcement efforts.