The U.S. Federal Trade Commission was created on September 26, 1914, when President Woodrow Wilson signed into law the Federal Trade Commission Act. The FTC opened its doors about six months later, on March 16, 1915.
The FTC’s primary charters are the Federal Trade Commission Act of 1914 and the Clayton Antitrust Act of 1914. The mission of the FTC is to protect the public from deceptive business practices and unfair methods of competition “through law enforcement, advocacy, research, and education.”
The FTC's Bureau of Consumer Protection is organized into eight divisions: Privacy and Identity Protection, Consumer & Business Education, Advertising Practices, Marketing Practices, Financial Practices, Consumer Response & Operations, Litigation Technology & Analysis, and the all-important Enforcement division, because regulations don't mean much without some sharp teeth.
The FTC plays a vital role in ensuring the security and privacy of personally identifiable information that is collected, processed, and stored by organizations in virtually every area of commerce. Among the organizations governed by the FTC Act are those dealing in alcohol, tobacco, appliances, automobiles, clothing, textiles, jewelry, finance, franchises, real estate, mortgages, non-profits, and certain other commercial enterprises.
The FTC's role in cybersecurity and privacy is similar to that of the HHS Office for Civil Rights, which enforces compliance with the HIPAA Security and Privacy Rules.
The FTC Division of Privacy and Identity Protection oversees “issues related to consumer privacy, credit reporting, identity theft, and information security,” according to its webpage. It enforces the statutes and rules within its jurisdiction, engages in outreach and policy development, and educates consumers and businesses about emerging privacy, credit reporting, and information security issues. This division researches and reports on privacy and security issues, and provides online assistance for victims of identity theft. Following are four laws enforced by the Privacy and Identity Protection division.
The FTC uses a variety of tools to protect the privacy of customer data. Its primary method is to bring enforcement actions “to stop violations of the law and require companies to take affirmative steps to remediate their unlawful behavior.”
Remediation requirements may include implementation of comprehensive privacy and security programs, expert independent assessments every two years, compensation to consumers, return of illegal profits, deletion of illegally obtained consumer information, and other remedies.
Two primary actions form the backbone of the FTC enforcement process: the Administrative Complaint and the Final Order.
In all of its privacy and data security work, the FTC goal is to “protect consumers’ personal information and ensure that consumers have the confidence to take advantage of the many benefits of products offered in the marketplace.”
One of the FTC’s roles is to enable refunds to consumers who have been deceived or defrauded. As one of many examples, in April 2023 the FTC announced a $1.1 million consumer refund.
In 2022, the FTC sent the first payments to more than 224,000 distributors of AdvoCare products who were defrauded in an illegal pyramid scheme operated by AdvoCare. The initial round of payments totaled $149 million, an average check value of $665.15, with more reportedly on the way. As the FTC Refunds chart indicates, in 2022 alone almost two million individuals cashed FTC refund payments.
The FTC takes its protective role very seriously and has opened hundreds of privacy and data security cases in the past few years. Below are just two examples of the ten total FTC Administrative Complaints—related specifically to data privacy and security violations—that were resolved or modified in 2023 and 2022.
On June 16, 2023, the FTC announced that genetic testing firm 1Health.io had failed to protect the privacy and security of DNA data it was entrusted with. The company had been known as VitaGene, Inc. before changing its name in 2020, after an independent researcher exposed the company’s poor security.
The FTC Complaint charges that the company (1) left sensitive genetic and health data unsecured, (2) deceived customers about their ability to have their data deleted, and (3) retroactively expanded the types of third parties with which it shared individuals’ data to include supermarket chains and nutrition and supplement manufacturers, without notifying consumers who had previously shared personal data with the company or obtaining their consent to share such sensitive information.
Under the terms of the settlement described in the FTC’s proposed Final Order, 1Health must meet these requirements:
The required remediation actions address cybersecurity, privacy, and identity protection—issues that fall clearly within the domain of the Federal Trade Commission and its Enforcement division.
In May 2022, the FTC charged Twitter, Inc. with deceptively using account security data for targeted advertising. The company had asked users to provide phone numbers and email addresses to protect their accounts, but then allowed advertisers to use this data to target specific users, for Twitter’s profit. This deception violated a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.
A modified order and proposed settlement were announced in June 2023, in which Twitter would be required to pay a $150 million penalty and be banned from profiting from data it collects deceptively. Among numerous other requirements, the proposed settlement also mandates that Twitter implement a Privacy and Security Program “to protect the privacy, security, confidentiality, and integrity of the data it collects, maintains, uses, discloses, or allows access to.”
At a high level, the Privacy and Security Program requirements include:
The settlement includes pages of highly detailed requirements supporting these five mandates. This 2022 charge remains open and the case is ongoing. In light of recent ownership changes at Twitter, and the large-scale restructuring that followed, it will be interesting to learn how this case is finally resolved. Any agreed resolution will be posted on the FTC website.
The FTC role in cybersecurity and data privacy is a crucial one, not just for U.S. consumers but also for U.S. businesses. The Federal Trade Commission works steadily and quietly investigating consumer complaints against deceitful or fraudulent businesses. The FTC files charges in the form of Administrative Complaints and settles violations in its Final Orders.
Of vital importance, the FTC is empowered to impose civil monetary penalties upon violators and also to mandate remedial actions that strengthen their cybersecurity and privacy safeguards for individually identifiable consumer information.
Businesses that are subject to the FTC Act, the Gramm-Leach-Bliley Act (GLBA), and certain other laws should familiarize themselves with the details of those regulations to ensure they are adequately protecting customer data. A security risk assessment is always the best way to begin.
Learn more about cybersecurity by becoming a sponsor of Cybersecurity Awareness Month. This October marks the 20th year the National Cybersecurity Alliance has promoted cybersecurity in this manner. Join 24By7Security and thousands of other organizations in supporting this vital initiative!