With privacy and data security issues dominating headlines over the past year, the Federal Trade Commission – the Nation’s top privacy watchdog – has had its hands full. The FTC’s recently released 2018 “Privacy and Data Security Update” reflects this flurry of activity. The report provides an overview of the FTC’s significant 2018 privacy and data security enforcement actions as well as the other tools the agency uses to promote consumer privacy and data security. In summarizing its 2018 activity, the FTC provides insight into its 2019 priorities and its overall approach to consumer privacy and data security. We discuss the highlights of the report and key takeaways below.

Enforcement highlights. The report summarizes the following types of privacy and data security issues on which the FTC has focused:

  • Children’s privacy and data security. The report reflects the FTC’s continued focus on safeguarding children’s privacy through its enforcement of the Children’s Online Privacy Protection Act (COPPA). Its 2018 settlement with VTech Electronics Limited, for example, involved a $650,000 civil penalty and 20 years of monitoring to settle allegations of COPPA violations and inadequate security. (More recently, the FTC entered into a record $5.7 million COPPA settlement, discussed here.)
  • Financial privacy and data security. The report also reflects the FTC’s emphasis on financial privacy and data security enforcement, particularly with respect to the Gramm-Leach-Bliley Privacy and Safeguards Rules (such as its 2018 settlement with Venmo) and the Fair Credit Reporting Act (for which the FTC has collected a total of $30 million in civil penalties over the years).
  • Telemarketing and Do Not Call. The FTC has committed significant resources to telemarketing and Do Not Call enforcement, bringing over 140 Do Not Call cases and obtaining $1.5 billion in civil penalties since 2003. The agency continued its activity in 2018, initiating actions or settling or obtaining judgments in at least 10 different matters and obtaining close to $40 million in civil penalties.
  • False statements regarding privacy and data security. The FTC continues to target businesses that misrepresent their privacy and data security measures, demonstrating the importance of ensuring that all public-facing privacy statements are accurate and complete. The agency settled allegations that a phone manufacturer misrepresented its vendor security safeguards, for example, and also settled claims alleging businesses misrepresented their EU-U.S. Privacy Shield Framework participation. Any company that claims to be Privacy Shield certified and that receives an inquiry from the FTC can expect that the FTC will inquire into its Privacy Shield certification, even if that is not the main target of the investigation.

Other activity. In addition to addressing the FTC’s enforcement efforts, the report outlines the agency’s activity in six other “zones”:

  • Advocacy. For example, in its June 2018 response to the Consumer Product Safety Commission’s Request for Comments on potential safety issues and hazards associated with Internet-connected consumer products, the FTC raised concerns about poor safety and security associated with IoT devices.
  • Issuing rules. In 2018, the FTC issued a notice of proposed rulemaking with respect to credit reporting agency obligations under the Fair Credit Reporting Act.
  • Hosting workshops. In February 2018, for instance, the FTC hosted the third annual PrivacyCon to explore the privacy and security implications of emerging technologies, such as IoT, artificial intelligence, and virtual reality. Staff reports typically issued following such workshops tend to provide businesses with a roadmap for compliance with respect to the particular topics addressed.
  • Issuing reports and surveys. In February 2018, the FTC issued a report on mobile security updates, as well as an overview of key takeaways from a December 2017 workshop examining possible non-financial harm resulting from privacy and security incidents.
  • Consumer education and business guidance. The FTC launched a national education campaign to help small business owners address common cyber threats. In addition, FTC staff routinely address privacy and data security issues on the FTC’s consumer and business blogs.
  • International engagement. This includes enforcement cooperation and international privacy and data security policy development.

Key Takeaways. In 2018, the FTC pursued enforcement actions across a spectrum of privacy and data security issues, with continued prioritization of children’s and financial privacy and Do Not Call. The agency also continued its reliance on other tools to promote consumer privacy and data security compliance, particularly for emerging technologies such as IoT and AI. The report confirms the FTC’s continued commitment of resources to privacy and data security matters and suggests that its activity in this area will only continue to grow.