By Jason Priebe and Danny Riley

Seyfarth Synopsis: Corporations face unprecedented challenges in safeguarding sensitive data and mitigating privacy risks in an era marked by the rapid proliferation of Internet of Things, or IoT, devices.

Recent developments, including federal and state regulators’ heightened focus on privacy enforcement, highlight the importance of proactive risk management, compliance and data governance. As IoT and smart devices continue to hit the marketplace, heightened scrutiny of businesses’ data governance practices follows.

The Federal Trade Commission’s recent technology blog, “Cars & Consumer Data: On Unlawful Collection & Use,”[1] underscores the agency’s commitment to enforcing consumer protection laws. Despite the blog’s focus on the car industry, the FTC’s message extends to all businesses, emphasizing its vigilance against illegal — or “unfair and deceptive” — collection, use and disclosure of personal data.

Recent enforcement actions are a stark reminder of the FTC’s proactive stance in safeguarding consumer privacy.

Geolocation data is a prime example of sensitive information subject to enhanced protections under the Federal Trade Commission Act. Much like mobile phones, cars can reveal consumers’ persistent, precise locations, making them susceptible to privacy infringements.

In landmark cases against major car manufacturers and digital marketing companies, the FTC has demonstrated that collecting, using and disclosing location data can constitute unfair practices.

For instance, in the case of a car manufacturer collecting geolocation data — FTC v. Kochava Inc., filed in the U.S. District Court for the District of Idaho in 2022 — the FTC alleged that location data could track people’s visits to sensitive places like medical facilities or domestic abuse shelters, leading to restrictions on the sale of such sensitive information.

Similarly, the FTC has challenged numerous marketers and large organizations for the internal use of sensitive data for targeted advertising, resulting in corrective measures to protect consumer privacy.

The surreptitious disclosure of sensitive information is another area of concern addressed by the FTC. Companies with legitimate access to consumers’ data must ensure its use aligns with the intended purposes for collection.

Recent cases involving health tech companies underscore the risks associated with unauthorized data sharing.

For instance, in the FTC’s enforcement proceeding against online provider BetterHelp, In re: Betterhelp Inc. in July 2023, BetterHelp’s disclosure of consumers’ email addresses and health questionnaire information for advertising led to significant FTC action, including monetary settlements and bans on unauthorized data usage.[2]

Furthermore, the FTC’s scrutiny extends to using sensitive data for automated decisions. Companies leveraging consumer data in algorithms must uphold accountability for the outcomes of automated processes.

The FTC’s enforcement action against Rite Aid also exemplifies this, with allegations of improper enrollment in a facial recognition program leading to false-positive match alerts.[3]

The March stipulated order concluding the case of FTC v. Rite Aid, which was filed in the U.S. District Court for the Eastern District of Pennsylvania, detailed Rite Aid’s failure to mitigate the risk of erroneous identifications and resulted in FTC-imposed sanctions, including a ban on facial recognition technology.

These enforcement actions signal the FTC’s unwavering commitment to protecting consumer privacy in an increasingly digitized world. As businesses navigate the complex data collection and usage landscape, adherence to FTC guidelines is paramount to mitigate regulatory risks and uphold consumer trust.

In addition to the threat of FTC regulations, corporations must navigate a complex web of state and federal privacy laws, including emerging legislation such as omnibus privacy laws and sector-specific regulations.

For instance, Illinois’ Biometric Information Privacy Act and California’s Invasion of Privacy Act, both of which boast statutory penalties, have resulted in significant fines, settlements and judgments in litigation for companies violating consumer privacy rights. By staying abreast of evolving legal requirements and implementing robust privacy compliance programs, corporations can enhance their resilience to regulatory challenges.

Corporations should conduct thorough risk assessments to identify potential vulnerabilities and privacy risks associated with IoT devices and connected technologies. For example, a multinational corporation recently discovered vulnerabilities in its IoT-enabled smart factory equipment, which exposed sensitive production data to unauthorized access.

By analyzing data transmission practices and local network protocols, corporations can mitigate the risk of data breaches and unauthorized access to sensitive information.

Practical measures, such as implementing encryption protocols and conducting regular security audits, can help corporations proactively address privacy concerns and safeguard consumer data.

All organizations must prioritize having their “house” in order concerning data governance. Establishing robust data governance practices is essential for preempting disasters. This involves synchronizing data governance, privacy, security and recordkeeping across the organization. Achieving this alignment requires extensive stakeholder synchronization and organizational buy-in.

Organizations can follow these top six data governance best practices to facilitate this process:

Know your data.

Thoroughly understand the types of data your organization collects, processes and stores. This includes personal data, financial information, intellectual property and other sensitive information. Deploy required notices at the point of collection, policy disclosures and consent processes where legally required.

Define data ownership.

Clearly define who within the organization is responsible for the different types of data and who has the authority to make decisions regarding its use and protection.

Implement access controls.

Restrict access to sensitive data to only those employees who require it to perform their job functions. Regularly review and update access permissions to ensure they align with business needs.

Establish data retention policies.

Create clear guidelines for how long different types of data should be retained and when it should be securely disposed of. Not only is this best practice, but privacy laws such as the California Consumer Privacy Act and General Data Protection Regulation require it.

Conduct regular audits.

Regularly audit data usage, storage and access to ensure compliance with internal policies and external regulations.

Provide employee training.

Educate employees on the importance of data governance, privacy best practices, and their role in protecting sensitive information.

Deploy appropriate vendor management and controls.

Initiate a program to document and track where and why personal information for employees, applicants, customers and marketing contacts is shared with third-party service providers, and verify appropriate contractual protections are in place to address potential privacy compliance and data security issues.

Conclusion

By implementing these best practices, corporations can establish a solid foundation for effective data governance, ultimately enhancing their ability to navigate the evolving landscape of privacy regulations.


[1] https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/05/cars-consumer-data-unlawful-collection-use

[2] In the Matter of Betterhelp Inc et al., FTC (July 2023), https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

[3] FTC v. Rite Aid Hdqtrs. Corp., E.D. Pa. (stipulated order entered March 8, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid_complaint_filed.pdf.