In its 2012 Report, the Federal Trade Commission (FTC) noted that it had brought numerous cases against companies for violating the FTC Act by making deceptive claims about the privacy and security protections they afford to consumer data, and also cases relating to the protection of children’s privacy under the Children’s Online Privacy Protection Act 1998. The FTC is also a privacy enforcement authority in the Asia-Pacific Economic Co-operation (APEC) Cross-Border Privacy Rules system that was approved by the US in 2012 and is intended to enhance the protection of consumer data moving between countries that are members of APEC. Below are a number of recent and high profile enforcement actions taken by the FTC.
The FTC charged Google with deceiving customers by taking previously private information (Gmail frequent contacts lists) and making them public in order to generate custom for their new social network, Google Buzz. This was done without consent and in contravention of Google’s privacy promises. The FTC ordered that, if Google changes a product or service in a way that makes any data collected from or about consumes more widely available to third parties, it must seek affirmative express consent to such a change. In addition, the order required Google to implement a comprehensive privacy program and obtain independent privacy audits every other year for the next two decades. In a later enforcement action, the FTC claimed that Google made misrepresentations to users of the Safari internet browser that it would not place tracking ‘cookies’ or serve targeted ads to those users, violating the earlier agreement with the FTC. Because of the previous violations by Google, punitive damages were claimed by the FTC and Google reached an agreement to pay $22.5 million.
The FTC case against Facebook included a charge that certain changes made to the website had led to information designated as being private being released in the public domain. The complaint also charged that Facebook made inaccurate and misleading disclosures relating to how much information about users’ were accessible by third party applications operating on their website. The FTC investigation discovered that most third-party applications were able to view nearly all of the users’ information, regardless of whether or not the information was necessary for the app to operate. The Commission further charged Facebook for failing to keep certain promises in relation to privacy. For example, the company informed users that it would not share information with advertisers, but it did. The company had also stated that it would make inaccessible the photos and videos of users who had deleted their accounts, and then it did not. As part of the action, the Commission ordered Facebook to obtain users’ express consent before sharing their information in a manner exceeding their privacy setting. The order also required Facebook to create and implement a comprehensive privacy program, along with being obliged to undergo outside privacy audits for two decades following the action. Facebook were also ordered to not provide access to a user’s information once that information is deleted.
This article reviews enforcement actions carried out by the FTC (Federal Trade Commission). High profile cases include the Google Buzz case, Facebook’s inaccurate and misleading claims, and Epic Marketing’s “history sniffing.”
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- FTC privacy enforcement actions (II.A.b.)