The Federal Trade Commission (FTC) recently released its annual report highlighting its work on privacy and data security during 2018. The FTC initiated five enforcement actions arising out of data breaches and nine data privacy enforcement actions in 2018, including cases against online payment system Venmo and mobile phone maker BLU for misrepresenting their privacy protections and providing inadequate security. One of the most high-profile enforcement actions of 2018 was the FTC’s expanded settlement with Uber, which stemmed from a major data breach in 2016 that the company failed to report for over a year. The FTC also launched an investigation into whether Facebook violated its consent decree with the agency when it shared the personal information of its users with political research firm Cambridge Analytica.
On children’s privacy issues, the FTC settled with two companies for violations of the Children’s Online Privacy Protection Act (COPPA), including the agency’s first case involving connected toys, against toy manufacturer VTech, and another case against talent agency Explore Talent. The FTC alleged that both companies failed to obtain parental consent before collecting personal information from hundreds of thousands of children under 13 and failed to provide the required notice of their privacy policies. The FTC also sent letters to two watch manufacturers, Gator Group Co., Ltd. and Tinitell, Inc., warning them that their children’s smart watches must comply with COPPA. The agency alleged that the companies failed to provide proper notice about their personal information collection practices and obtain verifiable parental consent before collecting personal information of children under 13.
In November of last year, the FTC launched a series of public hearings on Competition and Consumer Protection in the 21st Century which are ongoing and examine the intersection of big data, privacy, and competition. The FTC also held its third annual PrivacyCon, which brings together a range of stakeholders to discuss trends and developments in consumer privacy and security.
On the policy front, several FTC commissioners testified before the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, and the Senate Banking, Housing and Urban Affairs Committee. Recurrent themes in their testimony included a push for greater rulemaking and enforcement powers for the FTC and the need for national data privacy legislation. FTC staff submitted a comment to the Consumer Product Safety Commission (CPSC) on the potential safety risks and hazards related to connected consumer products in which the FTC which recommended that: (1) CPSC consider how companies might better communicate with customers regarding notifications and recalls for Internet of Things (IoT) devices; (2) CPSC’s approach should be technology-neutral and flexible; and (3) any certification requirements for IoT devices should require manufacturers to publicly set forth the standards to which they adhere.
With COPPA under review following the recent introduction of a bill to modify its provisions and the debate over national privacy and data security legislation raising the possibility of greater FTC powers, 2019 is shaping up to be a very busy year for the agency.