FTC YEAR IN REVIEW: An interesting read for CIPP/US candidates
On January 8, the Federal Trade Commission (FTC), the American privacy watchdog, published its annual report for 2019. From the report, large fines were imposed in three different areas of attention. The information (lessons) in the report is an interesting read for candidates preparing for the CIPP/US exam. Below we’ll briefly discuss the highlights of this annual report.
1. In the area of Consumer Privacy, FTC imposed Facebook a civil fine of $5 billion. This record fine is as a result of breaking an earlier promise on user privacy and about information sharing. Some steps have been taken, but according to the FTC, it is not enough. The main reason for the fine is that even if users selected the most restrictive settings, Facebook still made consumers’ personal data accessible to companies that developed apps used by consumers’ friends.
It involves information such as relationship details, their religious and political views, and their work history. According to the FTC, the setting – to ensure users’ privacy preferences would be honored – was hidden. The FTC states that: “In the face of consumers’ intent to limit information sharing to a select few, Facebook ignored them and shared it broadly. Facebook did that despite its privacy promises, despite consumers’ efforts to protect their privacy, and despite the terms of the 2012 order.”
In addition, the FTC has initiated various cases that concern false or misleading representations about business compliance with the EU-U.S. Privacy Shield Framework.
2. In the area of Online Privacy for Children, a record $170 million fine was imposed on YouTube (Google) in September. The bottom line is that Google knew that many of its services were used by children. According to the Children’s Online Privacy Protection Act (COPPA), you may not simply collect information from children under the age of 13 and/or offer them targeted advertisements without parental consent. Although YouTube knew that many children use the platform, YouTube did not actively ensure that the requirements of COPPA were complied with and, on the contrary, violated it by offering advertisements.
According to the FTC, not enough information was provided by YouTube, and data was collected without permission. That is not allowed because, before collecting personal information from kids under 13, COPPA-covered companies must get verifiable parental consent.
3. In the area of Data Security, it is important that promises about security are kept. Furthermore, it is vital that organizations take reasonable steps to protect sensitive personal information. Equinax did not do that and therefore received a fine of $575 million. What is it about? Equifax Inc. is one of the three largest consumer credit reporting agencies in the world. Equifax has a lot of sensitive information. In March 2017, Equinax was alerted by the US government to a vulnerability in the company’s website. Due to the use of old detection software, this vulnerability was patched four months later.
However, before the patch up, hackers have exploited the vulnerability. Good network segmentation was not applied, so hackers gained access to the database of the website and their underlying network. According to Equifax’s forensic analysis, hackers have been able to steal 147 million names and dates of birth, 145 million Social Security numbers, and 209,000 credit and debit card numbers and expiration dates. The FTC Act and the Gramm-Leach-Bliley Safeguards Rule have been violated due to insufficient security measures. According to the FTC, the lessons that can be learned from this include: Companies must patch their software, segment their network, and be on the lookout for intruders. According to the regulator, those are the security basics for businesses of any size.
Read the full report here.