FTC will ‘vigorously enforce’ law against companies that fail to protect consumer privacy | Pillsbury – Internet and Social Media Law Blog

It’s no secret that every move you make on the internet can be tracked. Even when you’re not actively searching, browsing a social media feed, or using your phone to navigate to a new local restaurant, your digital behavior can be tracked, analyzed, stored, marketed, and sold. But is that just the price we’re now paying for convenience and connectivity? Maybe, but companies should at least tell you what they do with your valuable data.

We have already written about amendments to the California Consumer Privacy Act (CCPA), which requires online businesses that sell consumers’ personal information to inform individuals of their right to opt out of the sale of their personal information. The amendments also prohibit companies from taking advantage of “dark patterns,” or methods designed to hinder a consumer’s choice to opt out. In Illinois, another state known for its pioneering privacy law and resulting consumer disputes, a class of students brought a claim against an online testing company for collecting their biometric data without their informed consent. Even when consent is given, companies must provide detailed information in accordance with state regulations, as we described in a post about employers collecting and storing new categories of health information, such as vaccination status and COVID-19 test results. In the metaverse, a discreet username or avatar might seem like a strategic route to anonymity, but it’s just not enough to protect your digital identity.

Enter the Federal Trade Commission (FTC), the government entity charged with protecting consumers from deceptive and unfair business practices, which now includes protection against the unlawful use, sharing, and sale of consumer data, such as location and health information. “[M]illions of people are also actively generating their own sensitive data, including using apps to test their blood sugar, log their sleep patterns, monitor their blood pressure, track their fitness or share their face and other biometric information to use the app or device functionality,” the FTC explains. “The powerful combination of location data and user-generated health data creates a new frontier of potential harm for consumers.”

To help combat this harm, the FTC has taken action against Flo Health, the developer of a period and fertility tracking app used by more than 100 million consumers, alleging the company shared its users’ health information with third-party analytics providers without users’ consent. More recently, the FTC penalized health and wellness app Kurbo for indefinitely storing consumer data and collecting personal information from children without parental permission.

And the FTC doesn’t stop there. In a recent blog post, the FTC has suggested that companies view past enforcement action as a “roadmap” to inform compliance with privacy and consumer protection laws. For companies that fail to comply with the law, the FTC has made it clear that it “will vigorously enforce the law if we discover unlawful behavior that exploits Americans’ location, health, or other sensitive data.”

The FTC provided the following tips for companies that collect sensitive consumer information:

  • Understand federal and state laws that govern the collection, use, and sharing of consumer information. Companies that process consumer data should consider Section 5 of the FTC Act, the FTC Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule (COPPA), among others, in addition to each state’s privacy and consumer protection laws. Having a retained privacy advisor available to enforce policies and procedures is always a good idea.
  • Ask whether the data collected from consumers is truly anonymized. The FTC warns that data can often be re-identified, especially in the context of location data, and in some cases a few seemingly anonymized data elements when combined can be enough to identify an individual. Companies must be careful not to mislead consumers about the anonymization, or lack thereof, of data.
  • When processing consumer data, do not over-collect, retain indefinitely, or misuse data. It’s not always as simple as notifying users or disclosing terms of data collection and use in the depths of a privacy policy. Companies that collect consumer data must consider every step of the process, from consumer notification to data sharing, data retention and data destruction, and ensure that each of these steps is conducted in accordance with best practices.

Compliance with privacy laws is an ever-present obligation for companies that collect, use and share consumer information. The FTC provides general tips about the various laws that apply to businesses and how they can comply with them, but as regulations and business priorities change, businesses need to be proactive by frequently evaluating and reassessing their policies, their practices and current legal requirements.

Finally, companies with a global presence should also be aware of the privacy laws that apply to their collection and use of personal consumer data in other jurisdictions. The EU GDPR has extraterritorial scope and will apply to businesses providing products and services to consumers based in the EU, subject to limited exceptions. Countries around the world are introducing their own privacy laws, in some cases based on the EU GDPR. Monitoring and compliance with privacy laws and obligations in key jurisdictions where customers are based should also be a priority.
