FTC Commits to Enforcement Against Illegal Use and Sharing of Sensitive Data

On July 11, 2022, the Federal Trade Commission (“FTC” or “Commission”) released a business blog announcing that the Commission was “committed to fully enforcing” the law against illegal use and sharing of “highly sensitive” location, health, and other data.

Specifically, the FTC notes that, among the many other formats for tracking and obtaining a consumer’s personal information, smartphone and mobile device users have recently begun to “actively generate their own sensitive data, including by using apps to test their blood sugar, record their sleep patterns, monitor their blood pressure, or track their fitness, or sharing face and other biometric information to use app or device features.”

This information circulates in a marketplace of buyers, sellers, and sharers, as well as creators and users of mobile operating systems that provide data-collecting mechanisms, mobile application publishers, and developers of software development kits (“SDKs”) “that embed tools in mobile apps to collect location information and provide the data to third parties.” In this marketplace, a consumer’s personal and sensitive data can be transferred to multiple parties and used for any purpose by marketers, researchers, and government agencies.

The blog identifies several instances in which the FTC or other governmental officials have had to take enforcement action against improper use and collection of mobile location and health information. The FTC affirms its commitment to “using the full scope of its legal authorities to protect consumers’ privacy . . . enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data” and to continue to “provide a roadmap for firms seeking to comply with the law.”

The FTC provides the following guidance that organizations should consider “when thinking about the collection of confidential consumer information, including location and health data”:

  • Sensitive data is protected by numerous federal and state laws governing the “collection, use, and sharing of sensitive consumer data, including many enforced by the Commission.”

  • Avoid claiming that data is “anonymous” or “has been anonymized” in response to consumers’ privacy concerns; such a claim, if untrue, is often considered a deceptive trade practice that will violate the FTC Act.

  • Avoid over-collection, indefinite retention, or misuse of consumer data; the FTC has made clear that it “does not tolerate” these practices.
