The FTC and the future of third-party due diligence

The U.S. Federal Trade Commission's recent enforcement actions against Mobilewalla and Gravy Analytics signal the agency expects companies to conduct risk-based due diligence and verify consent.

While the unfairness prong of Section 5 of the FTC Act formed the grounds of those complaints and may generally be leveraged less frequently with the current composition of FTC commissioners, the majority, concurring and dissenting statements all evince a clear concern around a failure to conduct diligence. This concern was also expressed in previous FTC enforcement actions, e.g., InMarket and X-Mode Social.

Indeed, Chairman Andrew Ferguson stated in his concurrence, "data brokers that purchase sensitive information cannot avoid liability by turning a blind eye to the strong possibility that consumers did not consent to its collection and sale." Instead, they must "take reasonable steps to ensure that the data they are acquiring were originally collected with the consumer's consent."

The FTC's approach to diligence is not in a vacuum. State privacy laws also include due diligence requirements by mandating contractual rights for vendor assessments and requiring data protection assessments for high-risk processing activities, including targeted advertising. State attorneys general also have tools similar to those of the FTC under their state unfair and deceptive statutes to regulate similar practices, as reflected in recent state enforcement actions, such as Texas v. Allstate.

While the precise reach of those cases remains unclear, it is clear businesses should establish risk-based due diligence programs, scaling diligence level to data sensitivity and potential consumer harm.

Background