On February 25, 2020, the Federal Trade Commission released its 2019 Privacy and Security Update summarizing the year’s privacy and data security enforcement actions. And, by all accounts, it was a busy year for the privacy enforcement community.

Privacy Enforcement Actions

The most significant FTC enforcement action in 2019 – in fact, the largest consumer privacy fine ever imposed on any company in the world – was the Commission’s $5 billion penalty against a social networking site. The FTC alleged that the company misrepresented how user data was used, the control users had over their own personal information, and failed to create or maintain a reasonable privacy program. Among the concerns cited, the FTC noted that the company deceptively used phone numbers provided by users for two-factor authentication for targeted advertisements. The settlement was included organizational measures to address those concerns, and ensure the protection of user data through corporate board level oversight and organizational enhancements in the company’s handling of consumer’s information.

The FTC also focused on data security in 2019. In its $575 million settlement against Equifax, the FTC was joined by the Consumer Financial Protection Bureau and 50 states and territories to address the 2017 data breach that impacted approximately 147 million consumers. The settlement includes payment of $300 million to establish a fund providing credit monitoring services for effected consumers. Beginning January 2020, Equifax will now provide all U.S. consumers with six free credit reports per year, in addition to the one free report per year that Equifax and other credit reporting agencies previously provided. Other cases included a software company that helps auto dealers with inventory management, and a smart home products manufacturer that failed to reasonably secure its wireless routers and Internet-connected cameras.

Deceptive spam was also an area of focus. In its $1.5 million settlement against Effen Ads, LLC (iCloudWorx), the FTC alleged that the company deployed misleading “from” lines and links to websites that falsely claimed favorable reviews from various news sources, and deceptive subject lines with celebrity endorsements.

Finally, kids’ privacy remained an enforcement priority. The FTC reached a $5.7 million settlement with Musical.ly (now known as TikTok), a video social networking app known for its karaoke selfie clips, for illegally collecting personal information about kids under 13 years of age in violation of the Children’s Online Privacy Protection Act (COPPA). The FTC also secured a $170 million settlement against a video streaming site for illegally collecting personal information from children without verified parental consent. This penalty stands as the largest sum the FTC has obtained since COPPA was enacted in 1998.

Other Enforcement Actions

Four top mobile carriers in the US also face enforcement actions by the Federal Communications Commissions, and fines nearing $200 million, for improperly sharing customer location data. And enforcement of the EU-U.S. Privacy shield framework continued this year, with 13 cases brought against companies that allegedly made false promises of compliance with the Privacy Shield framework. Our recent Connect on Tech post summarizes recent FTC enforcement actions against five companies for false claims of Privacy Shield certification.