FTC Updates June 2024

Federal Trade Commission (FTC) Updates

Background

In February 2024, the FTC created a new Office of Technology to “strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace,” including to “strengthen and support law enforcement investigations and actions.”

In its latest Privacy and Data Security Update released on March 28, 2024 (covering the time period of January 2021 through December 2023), the FTC underscored its work on issues related to artificial intelligence (AI), health data, geolocation tracking, children’s and teens’ data, data security, credit reporting and financial privacy, as well as spam calls and emails. The FTC also noted its consistent call on Congress to restore its ability under Section 13(b) of the FTC Act to seek monetary relief, including consumer refunds, in federal court, and to pass comprehensive privacy legislation.

Updates

Here is a quick listing of updates from the FTC’s report and of events since December 2023 that have brought the FTC’s focus to fruition in 2024.

Artificial Intelligence (AI)

  • The FTC has brought several enforcement actions, alleging that companies violated the FTC Act or other laws in connection with their collection, retention, or use of consumers’ personal information to develop or deploy machine learning or similar algorithms. Examples include orders obtained against Rite Aid, Ring, and Amazon.
  • The FTC has also sought to ensure that unlawfully obtained or retained data cannot be used to develop algorithms or for machine learning.
  • On March 1, the FTC released a Final Rule prohibiting government and business impersonation schemes (the “Impersonation Rule”). The Impersonation Rule marks the first time since 1980 that the Commission finalized a new trade regulation rule prohibiting an unfair or deceptive practice. The Supplemental Notice expands its prohibitions to encompass the impersonation of all individuals to address the production of AI “deepfakes” that can impersonate individuals’ voices through voice cloning, which could be used in communications and marketing efforts to misrepresent products or services that could be harmful to consumers.

Children’s & Teens’ Data

  • The FTC has brought 42 Children’s Online Privacy Protection Act (COPPA) cases and collected more than $532 million in civil penalties since 2000.
  • The FTC is continuing its efforts in 2024 to update the COPPA Rule to address the evolving methods of collecting, using, and disclosing personal information from children, including those in their teenage years. It recently denied an application, without prejudice, for the use of “Privacy-Protective Facial Age Estimation” technology, which utilizes the geometry of a user’s face to confirm that they are an adult. The FTC took no position on the merits of the application, indicating that more information is needed to better understand age verification technologies and their application.

Credit Reporting & Financial Privacy

  • The FTC has brought 117 cases against companies for violating the Fair Credit Reporting Act (FCRA) and has obtained more than $137 million in civil penalties, in pursuit of its goal of ensuring that consumer reporting agencies follow reasonable procedures to assure the maximum possible accuracy of consumer report information.
  • Since 2005, the FTC has brought about 35 cases alleging violations of the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to send customers initial and annual privacy notices and allow them to opt out of sharing their information with unaffiliated third parties.
  • One enforcement action against Blackbaud, Inc. in February 2024 charged the South Carolina firm, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits and others, with failing to implement appropriate safeguards to secure and protect the vast amounts of personal data it collects. In the complaint, the FTC alleged that as a result of these failures, a hacker in early 2020 exploited weaknesses in Blackbaud’s networks, which went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers. The company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, according to the complaint.
  • In April 2024, the breach notification amendment to the GLBA Safeguards Rule, which requires financial institutions to notify the FTC of breaches affecting 500 or more consumers, was to come into effect. Last October, the FTC also issued changes that now require financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards.

Data Security

  • Since 2000, the FTC has brought 89 enforcement actions against companies alleging inadequate protection of consumers’ personal data.
  • The FTC noted that it is imposing stronger terms in its data security cases. For example, the update listed new terms in settlements such as requiring the company to implement a comprehensive security program, to obtain robust third-party biennial assessments of the program, and to submit annual certifications by a senior officer about the company’s compliance with the order.

Ephemeral Messaging

  • Ephemeral messaging platforms or ephemeral messaging applications (EMAs) are communication platforms that automatically delete the conversation history between parties nearly immediately or after a preset amount of time. Examples include Telegram, Signal, Wickr, Hash, Snapchat, and Wire.
  • The FTC recently issued guidance for businesses to ensure that document retention policies cover the treatment of ephemeral messaging communications.
  • The FTC also advised companies to conduct regular and updated training sessions to (i) instruct employees about the appropriate use of EMAs, (ii) inform employees of how EMAs are retained by the company, and (iii) alert employees to the likelihood that any communications generated on EMAs will be discoverable in agency investigations and litigation.

Geolocation Tracking

  • Over the past few years, the FTC has focused on preventing harm to consumers that can result from exposure of highly sensitive information about an individual’s location, such as their visits to cancer treatment or reproductive clinics, places of worship, or domestic violence shelters.
  • An example of banning such tracking is seen in the FTC’s action against InMarket Media on January 18, 2024, barring the company from selling or licensing precise location data. According to the FTC’s charges, InMarket failed to obtain informed consent from users of applications developed by the company and its third-party partners.

Health Data

  • Recent FTC movement has focused on advertising practices. What began as a joint warning letter in July 2023 from the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the FTC to approximately 130 hospital systems and telehealth providers to alert them to the “serious privacy and security risks” stemming from the use of online tracking technologies integrated into their websites and mobile apps quickly changed into the FTC amending the Health Breach Notification Rule (HBNR).
  • On April 15, 2024, the FTC ordered mental telehealth company Cerebral to refrain from using or disclosing personal medical data for advertising purposes. Cerebral has also been fined more than $7 million over charges that it revealed users’ sensitive personal health information and other data to third parties for advertising purposes and failed to honor its easy cancellation policies.
  • On April 26, 2024, the FTC updated its HBNR, which applies to entities that handle personal health records (PHR) that are not protected health information (PHI) covered by the Health Insurance Portability and Accountability Act (HIPAA) to clarify that the rule also restricts marketing practices involving personal health information.
    • The updated rule makes it clear that the HBNR applies to personal health information in health apps, fitness trackers, and other wearable devices, as well as applying to online services that collect health care data, and any vendors that access that data. It requires these “covered health care providers” to inform affected individuals who their data was shared with.
    • Under new HBNR timing requirements, covered entities must notify the FTC at the same time they send notices to affected individuals, if more than 500 individuals were affected, and must issue the notification “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.” To learn more, read the update by HBS.
  • Recent FTC enforcement orders have imposed strong injunctive relief, requiring health-related businesses to: (a) stop sharing health information with third parties for advertising purposes, (b) obtain affirmative express consent for other disclosures of health data, (c) instruct third parties to delete improperly disclosed data, (d) provide notice to consumers about illegal third-party disclosures, and (e) establish privacy or data security programs without independent assessments.
  • Recent FTC enforcement orders have also included civil penalties under the HBNR. Last year, the FTC brought an action against a telehealth and drug discount provider for sharing users’ information with third-party advertising platforms contrary to its privacy promises and focused on the company’s third-party tracking capabilities.

Telemarketing

  • On March 7, 2024, the FTC released its long-awaited Final Rule updating the Telemarketing Sales Rule (TSR). Among other things, the new TSR extends telemarketing fraud provisions to cover business-to-business (B2B) calls and updates provisions on recordkeeping requirements. Simultaneous with the Final Rule, the FTC introduced a Supplemental Notice of Proposed Rulemaking to further amend the TSR. The Supplemental Rulemaking would extend the TSR’s reach to calls consumers make in response to an advertisement through any medium or to a direct mail solicitation.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

About the Author

Jade Davis

Partner | Tampa Office

T: 813.329.3890
E: jdavis@hallboothsmith.com

Jade Davis focuses her practice on data privacy, cyber security, and construction matters. Jade provides strategic privacy and cyber-preparedness compliance advice and defends, counsels, and represents companies on privacy, global data security compliance, data breaches, and investigations.
