On January 8, the Federal Trade Commission, the American privacy watchdog, published its annual report for 2019. In 2019, large fines were imposed in three different areas of attention. The lessons are interesting for candidates for the CIPP/US exam. Below we briefly discuss the highlights of this annual report.
1. In the area of Consumer Privacy, the FTC imposed a $5 billion civil penalty on Facebook. This record fine is the result of Facebook breaking its earlier promise, made under the 2012 order, to be honest in its representations about user privacy and about sharing information. Some steps had been taken, but not enough according to the FTC. The main reason for the fine is that even if users selected the most restrictive settings, Facebook still made consumers’ personal data accessible to companies that developed apps used by consumers’ friends. This included information such as relationship details, religious and political views, and work history. According to the FTC, the setting that would have ensured users’ privacy preferences were honored was hidden. The FTC summarizes it simply: “In the face of consumers’ intent to limit information sharing to a select few, Facebook ignored them and shared it broadly. Facebook did that despite its privacy promises, despite consumers’ efforts to protect their privacy, and despite the terms of the 2012 order.”
In addition, the FTC has initiated various cases that concern false or misleading representations about business compliance with the EU-U.S. Privacy Shield Framework.
2. In the area of Online Privacy for Children, a record $170 million fine was imposed on YouTube (Google) in September. The bottom line is that Google knew that many of its services were used by children. Under the Children’s Online Privacy Protection Act (COPPA), you may not simply collect information from children under the age of 13 and/or offer them targeted advertisements without parental consent. Although YouTube knew that many children use the platform, it did not actively ensure that the requirements of COPPA were complied with and, on the contrary, violated them by serving advertisements. According to the FTC, YouTube did not provide enough information and collected data without permission. That is not allowed because, before collecting personal information from kids under 13, COPPA-covered companies must get verifiable parental consent.
3. In the area of Data Security, it is important that promises about security are kept. Furthermore, it is important that organizations take reasonable steps to protect sensitive personal information. Equifax did not do that and therefore received a fine of $575 million. What is it about? Equifax Inc. is one of the three largest consumer credit reporting agencies in the world, and it holds a lot of sensitive information. In March 2017, Equifax was alerted by the US government to a vulnerability in the company website. Because its detection software was out of date, the vulnerability was not patched until four months later. In the meantime, hackers had exploited the vulnerability. Because proper network segmentation had not been applied, the hackers gained access not only to the databases behind the website but also to the underlying network. According to Equifax’s forensic analysis, the hackers were able to steal 147 million names and dates of birth, 145 million Social Security numbers, and 209,000 credit and debit card numbers and expiration dates. The FTC Act and the Gramm-Leach-Bliley Safeguards Rule were violated due to insufficient security measures. The lesson that can be learned from this, according to the FTC: Patch your software. Segment your network. Monitor for intruders. According to the regulator, those are the security basics for businesses of any size.
Read the full report here.