Key Findings from the FTC’s 2023 Privacy & Security Update

April 22, 2024

The FTC recently released its 2023 Privacy & Data Security Update. The 38-page report contains nuggets of insight into FTC priorities and trends in its settlements, which we’ll outline below.  

Key Takeaways 

FTC Focus Areas 

The FTC report calls attention to its enforcement efforts in several key areas, including: 

  • Artificial intelligence.  
  • Health privacy.  
  • Geolocation tracking.  
  • Children’s privacy.  
  • Data security.  
  • Credit reporting and financial privacy.  
  • Spam calls and email.  

We highlighted some of these focus areas in our earlier coverage of the FTC enforcement so far this year.  

The takeaway here is that if your company is engaging in any poor privacy practices in these areas, you have a heightened risk of attracting the FTC’s attention. Given the cost of defending a regulatory action, it’s likely a good idea to tidy up your privacy practices.  

The Children’s Privacy Priority 

The FTC’s 2023 report notes that it has brought 42 COPPA cases, resulting in the collection of more than $523 million in civil penalties relating to children’s privacy. Given the extremely high penalties we’ve seen in the COPPA space in recent years, the civil penalty amount isn’t surprising. In fact, just one settlement against Epic Games resulted in a $275 million penalty for COPPA violations.  

Some key themes from the FTC’s 2023 report as they relate to COPPA enforcement include the following:  

  • Verifiable parental consent is still the key to COPPA; if you are collecting personal information from children under 13, you MUST notify their parent or guardian and get permission. 
  • Data minimization is also a priority. Many FTC settlement orders require companies to delete data that has been unlawfully collected from children and to limit data retention periods.  
  • COPPA applies to avatars, biometric data, and health information too.  
  • EdTech providers cannot push off their COPPA obligations onto school districts. While schools can provide consent on behalf of parents in some instances, the schools must be provided with complete information about what information will be collected and how it will be used or that consent isn’t valid. EdTech providers also remain responsible for all of COPPA’s other requirements such as data minimization, retention limits, and safeguarding children’s data.  

Read our earlier posts to learn more about COPPA compliance and consent collection for child users. 

Data Security 

The FTC has brought 89 cases against companies that have engaged in misleading or deceptive practices relating to their protection of consumer personal data since 2000.  

There has been an extremely broad spectrum of activities and designs that have led to the FTC commencing claims against companies. Some examples include: 

  • A website purporting to offer high pay for positions, when the real purpose of the page was to gather data and sell it. This practice led to registrants receiving unwanted live and robocalls, numbering into the hundreds in some cases. 
  • A company which sold sham health care products purporting to be equivalent to a qualified health plan. Some consumers incurred hundreds of thousands of dollars in medical debt before finding out that the costs would not be covered.  
  • A top-three credit bureau framing marketing messages as important updates and not allowing individuals to unsubscribe, in violation of the CAN-SPAM law.  
  • A company using dark patterns to trick consumers into making a purchase to enter a sweepstakes or increase their odds of winning when no purchase was needed.  

Interestingly, the FTC brought a personal action against the CEO in one of the matters summarized in the 2023 FTC report. In that matter, the FTC alleged that Drizly and its CEO James Cory Rellas were aware of serious security failures for two years before those failures led to the exposure of personal information of 2.5 million consumers. The FTC’s order in this case required the destruction of unnecessary data and the restriction of the types of data the company can collect and retain. The company and its CEO must also implement and maintain specific security measures.  

If you need assistance with your company’s privacy program, reach out. Our experienced attorneys would love to help.  

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
