Since the spring of 2013, when Chairwoman Edith Ramirez began her tenure at the Federal Trade Commission, the FTC has brought numerous enforcement actions to enforce privacy promises and improve data security practices. With Chairwoman Ramirez at its helm, the FTC has described its activities as targeting its enforcement practices to ensure that new technological developments — including big data, mobile devices, and IoT — advance in a way that respects consumer privacy.
Last week, Ramirez announced she will be stepping away from her post as chair and commissioner, with an end date of Feb. 20. Her departure leaves the FTC with just two commissioners, barring a very speedy appointment process under the new Trump administration: Maureen Ohlhausen, now the FTC's senior commissioner and some say the most likely chair, and Terrell McSweeny.
Below is a selection of FTC cases, linking to their full treatment in the IAPP's FTC Casebook, brought during Chairwoman Ramirez’s tenure, that have had a direct impact on privacy practice in the United States. We can only wait and see what the FTC's enforcement priorities will be in the future under new leadership.
- Dec. 20, 2016 - Turn Inc.
The FTC determined that Turn was deceptive when it tracked consumers with unique identifiers even after consumers took steps to block or delete cookies on their devices. Turn had represented that changing settings to block cookies would allow consumers to block targeted advertising.
- Dec. 14, 2016 - Ruby Corp. (AshleyMadison.com)
In one of the largest data breach cases the FTC has investigated, the FTC determined that AshleyMadison both deceived consumers by posting fake profiles and promising services it didn’t deliver and failed to properly protect consumer information. This case was a cooperative effort with enforcement bodies in Canada and Australia to bring enforcement action through the APEC cross-border enforcement framework.
- Nov. 30, 2016 - Sequoia One, Inc.
The FTC stopped and penalized a data broker operation which took financial information from payday loan applications and sold the information to scammers who then debited bank accounts and charged credit cards without permission.
- July 28, 2016 - ASUSTek Computer, Inc.
ASUSTek deceived consumers by making promises about the security of their equipment and then failing to take reasonable security steps.
- June 22, 2016 - InMobi Pte, Ltd.
The FTC determined that InMobi deceived consumers by tracking them regardless of their expressed location-tracking preferences while claiming that it would not do so. InMobi’s tracking actions also violated the Children’s Online Privacy Protection Act.
- June 8, 2016 - Practice Fusion, Inc.
Practice Fusion solicited reviews from patients about their doctors without adequately disclosing that these reviews and the patient’s information would be made public. The FTC determined that this was a deceptive act.
- May 4, 2016 - Very Incognito Technologies, Inc. (VipVape)
The FTC determined that VipVape deceived consumers by claiming that it was certified under the APEC CBPR framework when in fact it had never been certified. This was the first time the FTC had brought an enforcement action for the Asia-Pacific Economic Cooperation Cross Border Privacy Rules framework.
- Feb. 5, 2016 - General Workings Inc. (Vulcun)
Vulcun bought a popular web browser game and replaced it with a program that installed apps on user devices, bypassing the permissions process and installing without the knowledge of consumers. The FTC deemed this an unfair practice.
- Jan. 5, 2016 - Henry Schein Practice Solutions, Inc.
The FTC determined that Henry Schein engaged in false advertising by claiming that its software provided industry-standard levels of encryption for sensitive patient information when, in fact, it used encryption methods below the industry standard.
- Dec. 21, 2015 - Oracle Corp.
Oracle acquired Java in 2010 and told consumers to install updates that would make their systems secure. However, Oracle failed to inform consumers that the updates would only replace the most recent version of Java and that older versions on consumer systems would still leave them vulnerable to attack. The FTC determined that Oracle’s knowing failure to explain the limits of the update constituted an unfair and deceptive practice.
- Dec. 17, 2015 - LAI Systems, LLC and Retro Dreamer
Both of these companies created apps targeted at children and allowed third-party advertisers to collect children’s information through persistent identifiers. Neither informed the advertisers that the apps were targeted at children and neither acquired parental permission. This is the first FTC action challenging use of persistent identifiers to target advertisements at children.
- Oct. 21, 2015 - Sprint Corporation (Sprint ASL Program)
Sprint placed consumers with lower credit scores into a separate program with an additional monthly fee. Sprint did not properly notify these consumers that they were in this program or that they would incur additional fees. The FTC determined that this was a violation of the Risk-Based Pricing Rule in the Fair Credit Reporting Act.
- Sept. 28, 2015 - Roca Labs, Inc.
The FTC determined that a gag clause Roca Labs included in the product Terms and Conditions and the subsequent lawsuits they brought against consumers posting negative reviews of the products constituted unfair practice. The FTC also alleged false advertising and privacy violations from disclosing consumers’ personal health information.
- Sept. 16, 2015 - Tricolor Auto Acceptance LLC
Tricolor’s loan-servicing group failed to maintain policies and procedures to assure accuracy of credit information and to enable consumers to dispute inaccurate information, in violation of the Furnisher Rule of the Fair Credit Reporting Act.
- Aug. 17, 2015 - IOActive, Inc., Jubilant Clinsys, Inc., Just Bagels Mfg., Inc., NAICS Association, LLC, Pinger, Inc., SteriMed Medical Waste Solutions, Contract Logix, LLC, Forensics Consulting Solutions, LLC, Jharymaine Daniels (California Skate Line), One Industries Corp., Dale Jarrett Racing Adventure, Inc., Golf Connect, LLC, and Inbox Group, LLC
Thirteen companies agreed to an FTC enforcement action that asserted the companies had falsely claimed to be certified members of either the U.S.-E.U. or U.S.-Swiss Safe Harbor Frameworks. The companies either had lapsed certifications or had never been certified.
- April 23, 2015 - Nomi Technologies, Inc.
- April 7, 2015 - TES Franchising, LLC and American International Mailing, Inc.
The FTC determined that both companies’ false claims that they were certified under U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks constituted a deceptive practice. Both companies had lapsed certifications.
- Jan. 29, 2015 - Craig Brittain, In the Matter of
Brittain ran a “revenge porn” website and a separate site that alleged the victims could pay to have their pictures taken down. The FTC determined that these practices violated the subjects’ privacy rights and constituted unfair and deceptive practices. Brittain was ordered to take down all images of subjects and to refrain from posting anything in the future without the affirmative express consent of the subject. This was the FTC’s first case against a revenge porn operator.
- Dec. 23, 2014 - Sitesearch Corporation, Doing Business As LeapLab
LeapLab bought payday loan applications and sold the consumer information within the applications to third parties, at least one of whom used the information to withdraw funds from consumer accounts without authorization. The FTC charged LeapLab with violating the prohibition against unfair practices.
- Nov. 17, 2014 - TRUSTe, Inc.
TRUSTe provides privacy certifications for businesses that demonstrate adherence to certain requirements for privacy protection programs. However, the FTC found that TRUSTe failed to recertify companies despite claiming to recertify companies with the TRUSTe seal each year. Additionally, TRUSTe failed to provide language to companies bearing its seal that reflected TRUSTe’s change in status from a non-profit company to a for-profit company. The FTC found that both of these charges constituted deceptive acts.
- Nov. 12, 2014 - Cornerstone and Company, LLC and Bayview Solutions, LLC
Two debt seller companies posted consumers’ sensitive personal information online. The FTC determined that this action violated consumers’ privacy and put them at risk of both identity theft and “phantom” debt collection. Exposing this information without consumer knowledge or consent constituted an unfair act.
- Sept. 17, 2014 - Yelp Inc. and TinyCo, Inc.
In separate complaints against the online review site Yelp and the mobile app developer TinyCo, the FTC alleged that the companies violated the COPPA Rule by failing to implement a functional age-screening mechanism during the registration process for their mobile apps. Both companies agreed to pay civil penalties and delete information collected from children under 13.
- Jun. 25, 2014 - Apperian, Inc., American Apparel, Atlanta Falcons Football Club, LLC, Baker Tilly Virchow Krause, LLP, BitTorrent, Inc., Charles River Laboratories International, Inc., DataMotion, Inc., DDC Laboratories, Inc., Fantage, Inc., Level 3 Communications, LLC, PDB Sports, Ltd., Reynolds Consumer Products Inc., Receivable Management Services Corp., Tennessee Football, Inc.
Fourteen companies, from a variety of industries, settled charges that they deceptively claimed they held current U.S.-EU Safe Harbor certifications, even though they had allowed their certifications to lapse.
- May 8, 2014 - Snapchat, Inc.
Snapchat settled FTC charges that it deceived consumers with promises about the disappearing nature of messages sent through the service, the amount of personal data it collected, and the security measures taken to protect that data from misuse and unauthorized disclosure. As Chairwoman Ramirez said, “If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises . . . or risk FTC action.”
- April 27, 2014 - Jerk, LLC
The FTC charged the operators of the website Jerk.com with harvesting personal information from Facebook to create over 70 million profiles labeling people a “Jerk” or “not a Jerk,” then falsely claiming that consumers could revise their online profiles by paying $30. The FTC considered this practice deceptive and required that the company delete the information and comply with Facebook’s third-party terms of service for use of its customers’ data.
- April 9, 2014 - Instant Checkmate, Inc.
The data broker Instant Checkmate ran a website allowing users to search public records and marketed its services to landlords and employers, but failed to comply with the provisions of the FCRA when creating and selling its reports. The settlement included a civil penalty of $525,000.
- April 9, 2014 - InfoTrack Information Services, Inc.
InfoTrack, a data broker that provides employment background screening reports, agreed to pay a civil penalty of $1 million to settle charges that it violated the FCRA. It allegedly failed to use reasonable procedures to assure accuracy of consumer report information obtained from sex offender registry records; failed to provide FCRA-required notices; and failed to provide written notices to consumers of the fact that InfoTrack reported public record information to potential employers.
- Mar. 28, 2014 - Credit Karma, Inc. and Fandango, LLC
Credit Karma and Fandango agreed to settle FTC charges that they misrepresented the security of their mobile apps and failed to secure the transmission of sensitive personal information from the mobile apps of millions of consumers. This case highlighted the trend in FTC actions toward requiring companies to monitor and respond to external security vulnerability reports. Additionally, though a third-party contractor created some of its security vulnerabilities, Credit Karma was still held liable for the inadequate security.
- Jan. 16, 2014 - TeleCheck Services, Inc.
Matching its second-largest FCRA penalty ever, this action imposed a $3.5 million fine on one of the country’s largest check authorization service companies for violations of FCRA, including failing to institute appropriate procedures for consumers to dispute errors and furnishing inaccurate credit information to consumer reporting agencies.
- Dec. 31, 2013 - Accretive Health, Inc.
Accretive Health, a company that provided medical billing and revenue management services to hospitals, agreed to settle FTC charges that its inadequate data security measures—including a lack of rigorous procedures to remove unneeded data from employees’ computers—unfairly exposed sensitive consumer information to the risk of theft or misuse. The settlement required the company to establish a comprehensive information security program and submit to audits.
- Dec. 19, 2013 - Time Warner Cable, Inc.
Imposing a $1.9 million penalty, the FTC settled charges against Time Warner Cable, in the FTC’s first enforcement of its amendment to the Risk-Based Pricing Rule after the Dodd-Frank Act. The Rule requires creditors to give notice to consumers who are provided less favorable credit terms based on information in their credit reports.
- Dec. 5, 2013 - Goldenshores Technologies, LLC
Goldenshores, a mobile app developer, settled charges that its free flashlight app deceived consumers about how their geolocation information would be shared with third parties. This was the first case against an app developer to charge that omission of any disclosure about a data collection practice amounted to deception (just as wrongful disclosure would). The settlement required specific disclosures regarding geolocation information.
- Oct. 22, 2013 - Aaron’s, Inc.
Aaron’s, a national rent-to-own retailer, settled FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers, including by taking webcam pictures of them in their homes. The settlement required express notice and consent from consumers before privacy-invasive software is installed on their rent-to-own devices.
- Sept. 25, 2013 - National Attorney Collection Services, Inc.
This $1 million settlement against the debt collector National Attorney alleged (among other things) a violation of the Fair Debt Collection Practices Act, because the company had publicly revealed debts it was collecting by including information on the outside of mailed letters showing that the recipient owed a debt.
- Sept. 4, 2013 - TRENDNet, Inc.
This settlement against TrendNet, a maker of Internet-connected security cameras, marked the FTC’s first action against a manufacturer of connected home electronics (the so-called Internet of Things) for inadequate security practices. The FTC alleged that the company had failed to monitor vulnerabilities in its software, leading to hundreds of private camera feeds being posted publicly online. As part of the settlement, TrendNet agreed to implement a comprehensive security program and submit to audits.
- Aug. 29, 2013 - LabMD, Inc.
One of a series of enforcements prompted by P2P file sharing software sharing sensitive customer information online, the medical testing company LabMD contested the FTC’s authority to penalize its failure to implement reasonable and appropriate data security measures as an unfair act or practice under the FTC Act. In this precedent-establishing adjudicative action, the Commissioners unanimously agreed that the FTC has authority to enforce against inadequate data security practices, including among healthcare companies. Notably, this case continues to work its way through the court system.
- Aug. 15, 2013 - Certegy Check Services, Inc.
This $3.5 million settlement against Certegy Check Services, a check authorization company and consumer reporting agency subject to the Fair Credit Reporting Act, was the first enforcement of FCRA’s “Furnisher Rule,” which requires information that companies furnish to credit reporting agencies be accurate and complete.