We’ve summed up some of the FTC’s enforcement actions since January 1 of this year. Scroll through for details about the alleged wrongdoing or jump to the bottom to read our key takeaways.
Some Privacy-Related FTC Enforcement Actions So Far In 2024
Avast to Pay $16.5 Million in Consumer Redress for Broken Privacy Promises
Avast, a company known for its antivirus software, promised to protect users from unwanted online tracking while, in fact, it collected and sold extensive browsing data from users without their consent. The FTC alleges that Avast’s actions were deceptive and that the company profited by exploiting the very data they claimed to protect.
The FTC has proposed an order against Avast requiring it to pay a $16.5 million in customer redress. It will also be prohibited from selling or licensing web browsing data.
Blackbaud Required to Remedy Lax Security Practices and Delete Data it No Longer Needs
Blackbaud, a software company serving nonprofits, experienced a major data breach due to poor security practices, including weak encryption. The hacker stole sensitive data including Social Security numbers and bank account details of millions of consumers.
Under the proposed order Blackbaud will be required to delete the personal data it does not need and implement a comprehensive information security program, including clear data retention and deletion schedules.
Intuit Restrained from Deceptive Advertising
The FTC alleged that Intuit, the company behind TurboTax, deceptively advertised its tax filing software as “free.” In reality, only a small fraction of consumers were eligible for the free version, while the majority weren’t.
The order against Intuit prohibits it from claiming products or services are free unless such are free for all consumers or it clearly discloses the percentage of consumers that qualify for the free version.
Multiple Geographic Location Enforcement Actions
The FTC announced two proposed orders against data brokers for illegally collecting and selling consumers’ precise location information. This data could reveal sensitive details like where people worship, go to school, or seek medical treatment.
Now, the two proposed orders are open for public comment and will be finalized later but to summarize:
- InMarket Media, a data aggregator located in Texas, allegedly obtained swathes of data without consumers’ knowledge, or understanding and sold it to advertisers. The FTC considers this a deceptive practice and a violation of consumer privacy. It achieved this by embedding precise location-collecting software in hundreds of apps which were then downloaded to more than 400 million unique devices from 2017 onwards.
- X-Mode Social and Outlogic, another data broker, secretly collected and sold precise location data from consumers’ smartphones (again, through apps) without their knowledge or consent. The FTC alleges that this constitutes unfair and deceptive business practices, and the proposed order will prohibit X-Mode sharing or selling any sensitive location data.
Key Takeaways for Businesses From The 2024 FTC Enforcement Actions
Show Restraint with Location Data
The FTC highlighted in its January press release about the X-Mode Social enforcement action that the unauthorized and illegal trafficking in location data is a key concern for consumers and the FTC. It also noted that “Just because your business has access to location information doesn’t mean you’re free to use it any way you choose”.
Transparently Disclose How You are Using Data
If you intend to sell or share the personal data you collect from your customers, make it clear to them, get consent, and give them control over how the data is used.
Think Twice Before Using ‘Free’ to Entice Consumers
The FTC Press Release about the enforcement against Intuit highlights that “Free” remains a powerful draw for consumers, but like any other advertising representation, the claim must be truthful.” It goes on to highlight that burying significant caveats about if or when a product is free in the fine print or other inconspicuous disclosures is not sufficient. Any modifications to the offer must be effective.
The takeaway here is to make sure you’re transparent in your pricing and your offer and to not bury important disclosures about a product in the fine print.
Secure Your Data Adequately
Your cybersecurity maturity must match the sensitivity of the data you collect. If you collect (or plan to collect) sensitive personal information, you must implement robust cybersecurity measures. If you cannot afford adequate cybersecurity infrastructure or do not have the knowledge, do not collect the data.
If you need assistance implementing a stronger privacy program at your company, reach out. Our privacy attorneys are available to help.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
