The report details agency actions related to AI and health privacy, as well as Fair Credit Reporting Act enforcement.
05/03/2024 1:55 P.M.
3 minute read
The Federal Trade Commission released its 2023 Privacy and Data Security Update in March, highlighting its efforts to protect consumer privacy and respond to the evolving ways that companies use or misuse consumer data.
The report outlines the FTC’s proactive stance against indiscriminate data collection and misuse by companies.
“The FTC is taking bold actions to challenge the indiscriminate collection and monetization of consumers’ data,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “We are securing meaningful remedies to protect consumers’ information, rather than placing the burden on consumers to protect themselves.”
The publication highlights the FTC’s privacy and data security work in the last few years, including the enforcement actions it has brought in a range of industries. For example, the FTC has brought 97 privacy cases and 169 Telemarketing Sales Rule and CAN-SPAM cases since 1999. It has also brought 89 cases against companies that have engaged in unfair or deceptive practices involving inadequate protection of consumers’ personal data.
In addition to its law enforcement work, the agency has engaged in rulemaking and policy work to push companies to bolster privacy protections for consumers and implement safeguards to secure consumer data.
One significant area of focus for the FTC has been artificial intelligence and its implications for consumer privacy. The agency has taken decisive action against companies leveraging AI algorithms without adequate safeguards, including cases like Amazon Alexa’s alleged violation of the Children’s Online Privacy Protection Act (COPPA).
Similarly, the FTC also brought a case against Rite Aid in 2023 over charges it failed to take reasonable steps to ensure that the AI facial recognition technology it deployed in its retail stores did not erroneously flag people as shoplifters or other wrongdoers.
Last year, the FTC gave final approval to an order banning BetterHelp, an online counseling service, from sharing sensitive health data for advertising with Facebook and other third parties and requiring it to pay $7.8 million to provide partial refunds to consumers. Also in 2023, the FTC banned GoodRx from sharing sensitive health data with applicable third parties for advertising, and also required the company to pay a civil penalty for violating the Health Breach Notification Rule, the agency’s first action under the rule.
The FTC’s oversight extends beyond enforcement actions to encompass efforts in bolstering data security measures. In 2022 and 2023 alone, the FTC announced or finalized enforcement actions against Global Tel*Link, Drizly, Chegg and CafePress for data security failures.
The agency has also been actively involved in ensuring companies adhere to the Fair Credit Reporting Act. Over the years, the FTC has initiated 117 cases related to FCRA violations, resulting in over $137 million in civil penalties. Notably, in 2023, a joint action by the FTC and Consumer Financial Protection Bureau targeted Trans Union LLC and a subsidiary for inaccuracies in tenant screening reports.
Apart from enforcement actions, the FTC has undertaken rulemaking and policy initiatives to establish fundamental standards safeguarding consumer privacy. Recent efforts include proposing rules to clarify the Health Breach Notification Rule’s scope regarding health apps and strengthening COPPA. Moreover, it has launched an advanced notice of proposed rulemaking to address harmful surveillance practices and inadequate data security, alongside issuing a policy statement emphasizing the illegality of companies pressuring parents and schools into surrendering children’s privacy rights for remote learning purposes.