FTC adds right to delete to cybersecurity settlement


Contributors:

Jim Dempsey

Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center

IAPP

The U.S. Federal Trade Commission's tentative settlement in the Marriott-Starwood data breaches proceeding, announced 9 Oct., contains what appears to be the commission's first-ever "right to be forgotten" requirement in a cybersecurity enforcement action.

At least since its January 2023 settlements with Chegg and Drizly, the FTC has required settling cybersecurity respondents to adopt data security programs that include retention limits, requiring systematic deletion of personal data that is no longer reasonably necessary to fulfill the purpose for which it was collected. That requirement is in the proposed Marriott settlement too, which is further evidence, if any were needed, of how important the FTC considers data minimization.

And, in a settlement with InMarket Media, proposed in January and finalized in May, the FTC imposed an obligation to delete location data upon customer request in what was at its core a privacy case.

But the Marriott case adds something new. It was the first time the FTC required a company that suffered a security breach to provide all customers with a link to request the deletion of personal information associated with an email address and/or a loyalty rewards program account number — a right that would apparently be available even if the data otherwise met the standard for retention. And it would prospectively apply for 20 years.

Of course, the California Consumer Privacy Act includes the right to delete, as does the EU General Data Protection Regulation, but this may be the first time a U.S. federal agency has imposed a right-to-delete obligation.

Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.
