October 3, 2022

Last Updated on January 19, 2024

While the US doesn’t yet have a nationwide privacy or data security law, the Federal Trade Commission (FTC) has sweeping powers to prosecute businesses for what it deems deceptive or unfair privacy-related practices.

If your company engages in the collection, processing and/or sale of consumer data, you should be aware of recent FTC actions and its growing privacy enforcement role.

FTC legal authority

The FTC is an independent law enforcement agency whose purpose is to protect the interests of consumers and support fair competition across the US economy. Its primary legal authority comes from Section 5 of the FTC Act, which prohibits “unfair or deceptive” practices in the marketplace, including privacy and data security activities. A deceptive or unfair activity can be any “representation, omission, or practice” that “misleads or is likely to mislead the consumer.”

Besides the FTC Act, the Commission also enforces other consumer privacy and cybersecurity laws, including the Health Breach Notification (HBN) Rule and the recently strengthened Safeguards Rule that protects consumer financial data under the Gramm-Leach-Bliley Act (GLBA).

When businesses promise their customers or website visitors that they will protect their personal data, the FTC can step in if these promises are not upheld. Under the FTC Act, the agency has successfully prosecuted social media companies, retailers, mobile app developers, ad tech firms, data brokers, and others. Its enforcement actions cover multiple privacy issues from spam to spyware to pretexting to improper behavioral advertising.

Among the most widely reported actions under the FTC Act has been the recent $150 million fine levied against repeat offender Twitter, this time for selling users’ phone numbers that it gathered under the pretext of improving their account security.

The FTC can also bring enforcement actions against organizations following data security breaches where deceptive or unfair practices were involved, or where security practices were notably lax. For example, in 2022 the FTC acted against e-tailer CafePress for covering up multiple data breaches and for failing to implement reasonable security controls to protect sensitive data. This included storing consumer Social Security numbers in plain text and failing to adequately encrypt users’ stored passwords. The proposed penalties include requiring CafePress to implement specific security controls and to pay $500,000 to compensate SMBs that the company’s lack of security materially harmed.

Expanded FTC enforcement

The FTC has been expanding its mandate to both establish and enforce cybersecurity and privacy standards. Its explicit focus is on “developing rules that allow the agency to recover redress for consumers who have been defrauded and seek penalties for firms that engage in data abuses.”

If and when Congress enacts a nationwide privacy law, this legislation may well increase the FTC’s authority to enforce compliance even further. Either way, the FTC is one of the US federal government’s principal watchdogs over consumers’ privacy and personal data.

Steering clear of FTC enforcement actions

Given the FTC’s aggressive recent actions and publicly stated intention to ramp up privacy enforcement, organizations that process, store, use, and/or sell consumer data should review their practices with a knowledgeable party to ensure compliance with the latest FTC rules. Make sure your privacy policy aligns with your privacy practices, such as data collection. You should also confirm that your cybersecurity posture and incident response capability enable you to protect the sensitive consumer data on your systems or your vendors’ systems.

If you are profiting from any activity involving consumer data, you should carefully review, confirm, and document legal compliance across all your advertising and sales campaigns, customer services policy/scripts, and other consumer-facing content that makes statements about how personal data is or is not used.

What’s next?

If you have questions about how FTC rules apply to your business, whether you are in compliance and how to address gaps or improve privacy and security processes, contact Pivot Point Security.
