In two recent proposed consent orders, the Federal Trade Commission (FTC or Commission) has emphasized critical data governance practices that all data controllers should carefully consider. These cases, Gravy Analytics/Venntel and Mobilewalla, primarily concern the brokerage of consumer mobile device location data and other adtech and data broker practices. However, the settlements, and the lessons that can be drawn from them, are relevant beyond location data and these specific industries. Indeed, the data governance measures the FTC requires of the respondents signal the agency’s thinking about what it considers a proper data governance and privacy compliance program, and can serve as a guide to how companies in all industries should frame such programs, both to avoid FTC scrutiny and to address compliance with the patchwork of state consumer privacy laws.
Most notably, the following general information governance practices will be required of Mobilewalla (with largely similar terms applicable to Gravy/Venntel), regardless of the sensitivity of the “Covered Information” involved (defined below):
- Covered Information is broadly defined as “information from or about an individual consumer including, but not limited to: (1) a first and last name; (2) Location Data; (3) an email address or other online contact information; (4) a telephone number; (5) a Social Security number; (6) a driver’s license or other government-issued identification number; (7) a financial institution account number; (8) credit or debit card information; (9) a persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a mobile device ID, or processor serial number; or (10) socio-economic or demographic data. Deidentified information is not Covered Information.”
- Purpose Limitations and Data Minimization. The proposed Mobilewalla consent order imposes a requirement on the company “… not [to] collect, purchase, or otherwise acquire or retain Covered Information that [Mobilewalla] accesses while participating in online advertising auctions for any other purpose than participating in such auctions.” (Emphasis added.) While this proposed obligation is very specific to the advertising technology industry, it broadly aligns with the purpose limitation and data minimization requirements found in all state privacy laws. Put simply, regulators expect companies to collect only the data necessary to carry out specific and limited purposes, and not further process it in a manner that is incompatible with those purposes.
- Notice at Collection and Retention Notice/Limitations. Each of the proposed consent orders requires the respondents to provide clear and conspicuous notice of their data processing and data retention practices. Specifically, the Mobilewalla consent order imposes the requirement to “…document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Clear and Conspicuous, a retention schedule for Covered Information, setting forth: (1) the purpose or purposes for which each type of Covered Information is collected or used; (2) the specific business needs for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information limited to the time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information.” (Emphasis added.) There are similar requirements in Gravy Analytics/Venntel. These are similar to California’s notice at collection and retention notice and limitation obligations.
- Implementation and Detailed Documentation of a Comprehensive Privacy Program. The consent order in Mobilewalla requires that the company, “… in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must establish and implement, and thereafter maintain, a comprehensive privacy program (the “Program”) that protects the privacy of such Covered Information…. To satisfy this requirement, Respondent must at a minimum:
- A. [Documentation.] Document in writing the content, implementation, and maintenance of the Program;
- B. [Board/Senior Management Involvement.] Provide the written Program and any evaluations thereof or updates thereto to Respondent’s board of directors or, if no such board or equivalent governing body exists, to a senior officer of the Respondent responsible for the Program at least once every twelve months;
- C. [Designation of Responsible Employee(s).] Designate a qualified employee or employees to coordinate and be responsible for the Program;
- D. [Risk Assessments.] Assess and document, at least every 12 months, internal and external risks to the privacy of Covered Information that could result in the unauthorized collection, maintenance, use, disclosure, alteration, destruction of, or provision of access to Covered Information;
- E. [Internal and External (e.g., vendor) Safeguards.] Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondent identifies to the privacy of Covered Information identified in response to Provision [D]. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, disclosure, alteration, or destruction of, or provision of access to Covered Information.
- F. [Personnel Training.] On at least an annual basis, provide privacy training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order;
- G. [Continuous Testing, Monitoring, and Improvement.] Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Program based on the results; and
- H. [Evaluating/Adjusting in response to operational change.] Evaluate and adjust the Program in light of any changes to Respondent’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Provision [D] of this Order, or any other circumstances that Respondent knows or has reason to believe may have an impact on the effectiveness of the Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Program at least once every 12 months and modify the Program based on the results.”
- (Emphasis added.) This is akin to Minnesota’s requirement of a formal privacy compliance program, as well as the obligations under several state privacy laws to conduct vendor and data recipient diligence and data risk assessments. There are similar requirements in Gravy Analytics/Venntel.
It is important to note that the failure to meet these requirements was not, for the most part, the basis of the unfairness allegations under Section 5 of the FTC Act against the respondents. Rather, they appear to be so-called “fencing in” provisions: to settle the claims, the respondent agrees to do more going forward than might clearly be required to avoid Section 5 liability. Such provisions have historically been seen as “signposts” for industry, but they are not precedential. Further, while the two Republican Commissioners agreed with the unfairness conclusions as to certain allegedly unlawful sensitive data practices, they did not agree that all of the allegations and claims were sufficient to establish Section 5 violations, and warned that the majority’s ongoing expansive use of unfairness was unjustified:
- Commissioner Ferguson opined: “My colleagues want the FTC Act to be a comprehensive privacy law. But it is not. Comprehensive privacy regulation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs. It did not do so when it adopted the general prohibitions of Section 5 nearly nine decades ago. And it has not adopted comprehensive privacy legislation since then. We must respect that choice.”
- Commissioner Holyoak added: “[The majority] colors well outside of the lines of the Commission’s authority. Indeed, the Chair is seeking to effectuate legislative and policy goals that rest on novel legal theories well beyond what Congress has authorized…. [and] uses a settlement to effectuate policy objectives that political leadership at the Commission has sought for years to achieve [unsuccessfully] through regulation.”
Under the new administration, President Trump will be entitled to a Republican majority of Commissioners, which is likely to rein in the expansive use of unfairness that the current Commission has undertaken. However, these information governance requirements can find support under some state privacy laws and, at a minimum, can be seen as best practices that should help avoid the kind of media exposé that led to the Gravy/Venntel and Mobilewalla investigations in the first place. Further, even if federal privacy regulation and enforcement are reprioritized in the next administration (e.g., toward more of a national security than a consumer protection focus), many of the twenty states with comprehensive consumer privacy laws have engaged in, and can be expected to continue, robust enforcement. In addition, several blue states have “Mini-FTC Acts” that give their attorneys general broader authority than do their respective state privacy laws (in the states that have them) and, notably, broader authority than Section 5 gives the Commission. These statutes are also used for privacy enforcement and could be used to continue the expansion of unfairness jurisprudence that we have seen from the Commission over the last several years.