Yesterday, the Federal Trade Commission announced on its blog a renewed commitment to “fully enforcing the law against illegal use and sharing of highly sensitive data”:
The misuse of mobile location and health information – including reproductive health data – exposes consumers to significant harm. Criminals can use location or health data to facilitate phishing scams or commit identity theft. Stalkers and other criminals can use location or health data to inflict physical and emotional injury. The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms. Those are just a few of the potential injuries – harms that are exacerbated by the exploitation of information gleaned through commercial surveillance.
The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.
This blog post comes on the heels of President Joe Biden signing an executive order urging the FTC to use its authority to help combat surveillance of reproductive care based on user’s online activities and app usage.
The post highlighted the opacity of the marketplace for this supposedly anonymized data. Consumers are often left in the dark about who has access to their data and what is being done with it. The FTC emphasized that it will use the full scope of its authority if it uncovers illegal conduct that exploits consumers’ location or health data.
What Should Tech Companies And Data Brokers Do?
The blog post highlights a few considerations for companies to consider if they are involved in the collection of this type of user data.
Be aware of all applicable federal and state laws.
There are numerous federal and state laws protecting sensitive data. The post highlights Section 5 of the FTC Act, the Safeguards Rule, the Health Breach Notification Rule, and the COPPA Rule.
Be transparent about anonymization of data.
Untrue claims of anonymizing or aggregating data will be deemed a deceptive practice that is directly in violation of the FTC Act. This isn’t merely a warning against intentionally lying about anonymous data. The FTC pointed to research showing “anonymized” user data can easily be tied to specific users, particularly when it involves location data. Claiming your users’ data is anonymous when it can be re-identified like this would run afoul of the FTC Act.
Don’t over-collect, indefinitely retain, or misuse consumer data.
Misusing consumer data, not respecting their wishes of deleting their data, or collecting data in contravention of laws like the COPPA Rule will net you a call from the FTC.
What’s Next?
The Dobbs decision is extremely fresh so it may be awhile before we see the full extent of what the Biden administration will attempt to do to mitigate its effects. This guidance statement is based on already existing enforcement powers. It will be interesting to see if Biden will seek to extend the FTC’s reach to allow it to take more incisive actions to combat the threats to women’s health and location data.