• FTC's Annual Privacy and Data Security Report Highlights Connected Products Cases
  • March 6, 2018 | Authors: Tracy P. Marshall; Sheila A. Millar; Nathan A. Cardon
  • Law Firm: Keller and Heckman LLP - Washington Office
  • The Federal Trade Commission (FTC) has released its annual Privacy and Data Security Update for 2017, which summarizes its enforcement activity, public education, and research over the year. Enforcement actions included complaints brought for privacy and data security violations related to connected products and services, many of which we've written about in this space over the past year.

    Among the actions the FTC highlights are a settlement with the ride-sharing service Uber for misrepresentations about the privacy of customer and driver data and failure to implement reasonable data security, and a settlement with smart television manufacturer Vizio for tracking customer viewing activity without consent. Data security cases also included an action against computer giant Lenovo for selling laptops with preinstalled software that allegedly compromised security to deliver ads, and an action against mobile ad network Turn Inc. for deceptive online tracking. In another notable data security case against computer equipment manufacturer D-Link, the FTC alleged that the company's wireless routers and Internet cameras were susceptible to hackers because of lax security measures. A California district court subsequently dismissed three of the six counts against D-Link.

    On the international front, the Commission took its first three enforcement actions under the new U.S.-EU Privacy Shield framework, which in 2017 replaced the U.S.-EU Safe Harbor program. According to the FTC, printing company Tru Communication, human resources software company Decusoft, and real estate leasing company Md7 falsely claimed that they were certified to participate in the EU-US Privacy Shield. The Commission also brought 4 actions under the APEC Cross-Border Privacy Rules (CBPR), charging software protection company Sentinel Labs, messaging service marketer SpyChatter, and cybersecurity software manufacturer Vir2us with violations of the FTC Act for deceptively stating in their online privacy policies that they participated in the APEC CBPR system.

    The FTC also took other actions, including approving TRUSTe's proposed revisions to its COPPA Safe Harbor program.

    In addition to its enforcement and regulatory work, the FTC convened several stakeholder meetings and public workshops during 2017 on topics ranging from emerging issues in consumer privacy and security to connected cars and the general issue of what should constitute actionable "informational injury" for FTC enforcement purposes. Commission staff released several reports, including Cross-Device Tracking: an FTC Staff Report, which details the challenges and benefits of tracking technology across multiple Internet-connected devices and industry efforts to address privacy and data security issues related to tracking.

    With 2017 behind us, 2018 already looks like it will also be a busy year at the FTC. The FTC began 2018 with its first-ever connected toy settlement under COPPA, the first time a COPPA settlement addressed both alleged data security and alleged privacy violations. Connected toymaker VTech settled with the FTC over alleged COPPA privacy and security violations, agreeing to injunctive provisions and payment of a $650,000 civil penalty. The FTC alleged that VTech violated COPPA by collecting personal information from children without parental notice and consent, and failing to take reasonable steps to secure the data it collected.

    The Commission has also just taken an action against a company for deceptive "Made in the USA" advertising - the third time it has done so in the last twelve months - which indicates the seriousness with which the FTC is approaching enforcement of country-of-origin claims.

    The FTC continues to be an active cop on the beat on privacy, data security, advertising, and related consumer protection issues. It also seems likely to continue its useful tradition of seeking to be informed about changes and trends in technology and real-world implications to consumers and businesses before issuing regulations. With four new Commissioners to take office once confirmed by Congress, it will be interesting to see whether they identify new or different priorities for action in the next few years.