Showing posts with label data_security. Show all posts

Monday, April 1, 2024

The Federal Trade Commission 2023 Privacy and Data Security Update

"The past three years have been a tremendously busy period for the Commission, and I am particularly proud of our accomplishments in the areas of privacy and data security. We have worked vigorously to ensure that the law has equal force across the digital ecosystem, rising to the challenges presented by new technologies and seeking meaningful remedies that establish critical standards for protecting consumers’ information, rather than placing the burden on consumers to protect themselves. This is an area that demands an all-hands-on-deck response, and as the examples in the report show, the Commission is using every tool it has to safeguard consumers’ rights. To highlight a few of the agency’s achievements:

• Artificial Intelligence: The Commission has been leading efforts to ensure that AI and similar technologies are not deployed in harmful ways. In addition to obtaining orders against Rite Aid, Ring, and Amazon to ensure that companies are disincentivized from using data that was wrongfully collected or trained to develop AI, we have initiated a market study of social media and video streaming platforms on the use of AI, announced a public contest to develop new approaches to protect consumers from AI-enabled voice cloning harms, proposed rules to crack down on AI-fueled impersonator and fake review fraud, and issued numerous business guidance alerts.

• Children and Teens: The Commission proposed strengthening the Children’s Online Privacy Protection Act to make digital services safer and more secure for children, and to put the onus on providers rather than parents to keep kids’ data secure. The Commission has also been active in the enforcement arena, obtaining a record-breaking civil penalty settlement with Epic Games, and implementing substantive protections for teens as well, by mandating that settings default to protect their privacy. Our work in the educational technology space—including our case against Edmodo and policy statement on education technology—sent a strong message that businesses cannot outsource compliance when it comes to children’s privacy.

1 This Update covers the time period from January 2021 to December 2023.

• Sensitive Data: As the privacy threats from data collection continue to grow, protecting the privacy and security of consumers' sensitive data has continued to be a top Commission priority. The Commission’s groundbreaking actions to safeguard health, biometric, and geolocation data—including BetterHelp, GoodRx Holdings, Premom, Flo Health, RiteAid, and Kochava, along with the InMarket, X-Mode, and Avast cases that were filed after the time period covered by this update—demonstrate that our agency will not tolerate failures to protect consumers’ sensitive information at any stage in the data lifecycle.

• Market-wide Protections: The Commission initiated rulemaking initiatives to establish sensible and reasonable baselines that protect consumers and put honest businesses on a level playing field. These included amendments to require financial institutions to notify the FTC of large data breaches, notices of proposed rulemaking to clarify the application of the Health Breach Notification Rule to health apps and strengthen the Children’s Online Privacy Protection Act Rule, and an advanced notice of proposed rulemaking to explore rules that would crack down on harmful commercial surveillance and lax data security.

While the work of the FTC’s attorneys, economists, investigators, technologists, and other specialists has made enormous strides in protecting the privacy and security of consumers’ information, there is much more that needs to be done. The explosive growth in data collection and the rapid pace of technological developments that allow information to be exploited in new ways demand action. The Commission has consistently called on Congress to restore its ability under Section 13(b) of the FTC Act to return money to consumers in federal court, and to pass comprehensive privacy legislation. As the data abuses described in this report make clear, that ask is more urgent than ever."
FTC Privacy and Data Security 

Thursday, January 18, 2018

Privacy & Data Security Update (2017): An Overview of the Commission’s Enforcement, Policy Initiatives, and Consumer Outreach and Business Guidance in the Areas of Privacy and Data Security: January 2017 – December 2017

"Federal Trade Commission 2017 Privacy and Data Security Update.

The Federal Trade Commission (FTC or Commission) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.

How Does the FTC Protect Consumer Privacy and Promote Data Security?

 The FTC uses a variety of tools to protect consumers’ privacy and personal information. The FTC’s principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior. This includes, when appropriate, implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and providing robust transparency and choice mechanisms to consumers. If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations. The FTC can also obtain civil monetary penalties for violations of certain privacy statutes and rules, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Telemarketing Sales Rule. To date, the Commission has brought hundreds of privacy and data security cases protecting billions of consumers..."
FTC privacy and data security report

Wednesday, January 6, 2016

Data Security and Breach Notification Legislation: Selected Legal Issues

"Recent data breaches at major U.S. retailers have placed a spotlight on concerns about the security of personal information stored in electronic form by corporations and other private entities. A data breach occurs when data containing sensitive personal information is lost, stolen, or accessed in an unauthorized manner, thereby causing a potential compromise of the confidentiality of the data. Existing federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the Gramm-Leach-Bliley Act, impose security and breach notification requirements on specific industries or types of data. Additionally, 47 states, the District of Columbia (D.C.), and three territories have enacted laws requiring breach notification, while at least 12 states have enacted data security laws, designed to reduce the likelihood of a data breach. Alabama, New Mexico, and South Dakota have not enacted breach notification laws.

Several data security and breach notification bills have been introduced in the 114th Congress, which broadly would impose security and notification requirements on businesses regardless of industry sector, with limited exceptions. This report begins by describing the common elements of these federal proposals and then discusses state laws that may apply in the event of a data breach..."
Data security