The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization. The FTC reached a settlement with Drizly, an online alcohol marketplace, and its CEO, alleging the company knew about its data security shortcomings and failed to take action to protect personal data from a data breach affecting 2.5 million users. Though the case derives from a security breach, privacy pros should pay close attention to the remedial actions in the proposed consent order. This is the first time we have seen the details of a granular data minimization program spelled out by the agency.
It will not be the last time.
Over the past two years, FTC commissioners and staff have made it crystal clear they see data minimization as an important tenet of both privacy and data security best practices. Why security? Simply put, as Commissioner Rebecca Kelly Slaughter writes, because “hackers cannot steal data that companies did not collect in the first place.” Chair Lina Khan, in her keynote speech at IAPP’s 2022 Global Privacy Summit, warned that “the incentive to maximally collect and retain user information can also concentrate valuable data in ways that create systemic risk, increasing the hazards and costs of hacks and cyberattacks.”
In fact, this intentional return to a focus on the privacy principle of data minimization has been a steady drumbeat during Slaughter’s tenure. In speech after speech, she has highlighted the need to focus on data minimization as a way to move beyond the dominant framework of notice and consent: “Data collection must have limits. Data should only be collected for discrete and specific purposes. We should be extremely skeptical about secondary uses of data — that is, uses beyond the purpose for which the data was collected.”
The drizzle that fizzled
The FTC’s complaint alleges a classic case of unreasonable security practices. This is not a privacy case. But at a time when privacy and cybersecurity professionals should be collaborating more, as IAPP recently explored in a whitepaper with (ISC)2, privacy teams may want to familiarize themselves with some of the basic practices that the FTC’s complaint alleges were missing before its breach. In a nutshell:
- Hire a professional responsible for implementing your data security program.
- Write down your program policies and procedures — and then implement them, including through robust employee training.
- When storing passwords, don’t use deprecated encryption protocols, like MD5.
- Require multifactor authentication whenever possible.
- Conduct ongoing vulnerability testing and monitor for exfiltration of personal data.
If you want just one security takeaway instead of five bullets, here it is: Please stop using encryption functions that are cryptographically broken. This includes MD5, an insecure hash function that has been deprecated for almost a decade. For up-to-date guidance on implementing cryptographic key management procedures, see NIST publication SP 800-131A Rev. 2. And for more detail about recent technical safeguards in FTC settlements, see the IAPP’s whitepaper on the subject.
Executive liability: Do you know where your CISO is?
Many headlines covering the Drizly case are likely to focus on the executive liability component. This is indeed an important takeaway the FTC has taken pains to underscore: if you are an executive at a company that handles personal information, you should care about implementing a data security program that meets or exceeds industry standards. If you don’t, you may be held personally responsible.
The FTC has always held individuals personally liable for certain consumer protection violations. In scams or cases of fraudulent behavior, individual defendants are routinely named. FTC Commissioner Christine Wilson, in a partially dissenting statement, takes issue with the extension of executive liability to this data security action, writing that the commission “traditionally has exercised its prosecutorial discretion and assessed a variety of factors when deciding whether to name a CEO or principal, including consideration of whether individual liability is necessary to obtain effective relief.” She believes adding the executive defendant doesn’t make the case more effective, but merely signals “that the agency will substitute its own judgement about corporate priorities and governance decisions for those of companies.” Chair Khan and Commissioner Alvaro Bedoya disagree, writing, "The FTC has a role to play in making sure a company’s legal obligations are weighed in the boardroom.”
In any case, this is a strong signal of a trend toward more cases with executive liability, though there are some facts here that make it unclear whether this will be generalizable to other actions. The Drizly complaint specifies that its CEO should have been aware of the risks of not hiring a security executive, especially after an earlier security incident put the company and its CEO on notice that its security practices were not up to par. Nevertheless, as Khan summarizes, “the company neglected to implement basic best practices, such as developing a written data security policy or hiring a qualified employee responsible for data security.” In future cases, learning from mistakes may show different results.
Avoid surprise — minimize!
In addition to the usual requirements in an FTC data security case to implement a robust security program with annual third-party assessments, the proposed Drizly consent order includes two innovative remedial actions. The first, labeled “mandated deletion and data minimization” requires the company to review the personal information it currently holds and “delete or destroy” anything that is “not being used or retained in connection with providing products or services to [its] customers.” Within 60 days, it must also provide a written statement to the commission “specifically enumerating which types of information were deleted or destroyed.”
This is paired with an order to establish “data retention limits” through the creation of a retention schedule for personal information, which the company must post publicly on its website. Although we also saw a mandated public retention schedule in the recent Kurbo case, this order explicitly requires a new level of scope and granularity. Drizly’s public retention schedule must disclose:
- The purpose or purposes for which each type of personal data is collected.
- The specific business needs for retaining each type of personal data.
- A set timeframe for deletion of each type of personal data that precludes indefinite retention of any personal data.
That is, Drizly must publicly commit to specifications about why each type of personal data is collected, rather than general commitments to broad purpose limitations over all collected data. Of course, such commitments would then become enforceable by the FTC, if the company were to err in the future. This goes a step further than the generalized data minimization requirements ordered in the similar CafePress case, which simply specified that the company’s FTC-mandated information security program should include “Policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures.”
Finally, Drizly is under an ongoing obligation to review its data practices and “refrain from collecting or maintaining any [personal data] not necessary for the specific purpose(s) provided in the retention schedule.” If a new type of personal information is collected in the future, the company must update its public data retention schedule accordingly.
Looking ahead: A minimization framework?
This will likely be one of many FTC enforcement actions that mandate data minimization via public disclosures of retention schedules. Although these requirements conform with current data privacy best practices, the granular public commitments to purpose limitations go beyond the public notices that the vast majority of organizations provide. To prepare for this type of oversight, privacy professionals should consider assessing the level of granular purpose limitations prescribed here, with an eye toward reducing unnecessary collection and retention of data, even if they do not choose to make these commitments public.
Yet the FTC may not stop at one-off cases. In her concurring statement, Slaughter reiterates her belief in the need for a workable data minimization framework that would require “substantive limits on appropriate collection and use.” Specifically, Slaughter would support a framework that centers a “consumer’s reasonable expectation that there should be limits on the collection and use of their information based on the service they’ve actually requested. I believe the agency is in a better position to effectuate this expectation than it is to anticipate, understand, and police every claim of reasonable business necessity.”
Whether rooted in consumer expectations or business necessity, data minimization is one direction in which the FTC’s ongoing rulemaking proceeding could develop. In fact, questions 43 through 50 of the Advance Notice of Proposed Rulemaking directly address the scenario of a rule prescribing data minimization or purpose limitations. A joint report from the Electronic Privacy Information Center and Consumer Reports, published in January 2022, called for exactly this type of rule, potentially limiting all secondary uses of data, or prohibiting secondary uses for certain purposes.
Data minimization will remain at the forefront of privacy developments in the near term, whether through force of law, regulation, or a shift in best practices.
