By Nate Scherer, American Consumer Institute
In a world in which economic participation increasingly requires the use of technology, data privacy is more important than ever before. Every day, Americans are asked to share their personal information with a growing number of businesses in exchange for access to services that weren’t widely available even 30 years ago. This information enables companies to provide everything from online learning and telehealth to grocery deliveries and video communications technology.
However, sharing personal information presents opportunities for abuse. Information like a home address, social security number or geolocation data can be used to commit fraud, steal a person’s identity or track their whereabouts. Consumers deserve to know that their personal information is safe from those who would use it for ill.
In a growing number of cases, companies are falling far short of these standards. This environment raises questions over what role the Federal Trade Commission (FTC) should play in regulating data collection and bringing enforcement action against companies that fail to provide minimum data security.
The answers are complex, but several recent FTC actions against companies with questionable privacy practices serve as a useful benchmark. In August the agency filed a lawsuit against Idaho software company Kochava alleging that the company sells customer “geolocation data from hundreds of millions of mobile devices.” While geolocation data can be useful to customers who provide it for services like Google Maps, bad actors can easily abuse it. The FTC notes this data can be used to trace a person’s movement “to and from sensitive locations.”
Until at least June 2022, Kochava allowed virtually anyone to obtain large amounts of personal data and use it without penalty. The result was a significant risk that bad actors could exploit this data to expose unknowing victims to “stigma, discrimination, physical violence, emotional distress, and other harms.”
As noted in the FTC’s official complaint, Kochava itself acknowledges that it provides customers access to “rich geo data spanning billions of devices globally.” The company even offers suggestions for how best to use this data, such as for “Household Mapping,” where users can track the location of a personal device to the owner’s likely home.
What makes these admissions particularly noteworthy is that users are frequently unaware of “who has collected their location data and how it is being used.”
Kochava also provides users with a false sense of security by advertising on its website that it’s an industry leader in data security. That, according to the FTC, violates Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Therefore, any potential benefits that Kochava’s services may provide consumers don’t outweigh the dangers its data practices pose to people’s personal wellbeing.
Other recent examples of justified FTC action include finalized orders against education technology provider Chegg Inc. and online alcohol marketplace Drizly. In both cases, the FTC found that these companies failed to take adequate steps to protect consumer data, which consequently led to significant security breaches.
Chegg Inc. was found to be storing users’ and employees’ personal data on third-party networks and databases while using antiquated encryption software. The company also consistently failed to require “multi-factor authentication” for account access or monitor unauthorized attempts to export user personal information, and it produced misleading statements about the state of data security, among a multitude of other shortcomings. As a result, the company experienced four severe data breaches, which led to the exposure of roughly 40 million users’ and employees’ personal information.
Drizly, on the other hand, failed to take appropriate action to remedy FTC concerns about the company’s security vulnerabilities, leading to an eventual data breach affecting 2.5 million consumers. Like Chegg Inc., Drizly also practiced lazy data security and falsely reassured customers that their data was safe.
The details of each case reveal that both Chegg Inc. and Drizly were in violation of the FTC Act. Both companies falsely advertised that they had secure data practices when they did not. Therefore, the FTC’s enforcement actions were appropriate and proportional.
The FTC has recently expressed interest in expanding enforcement powers over commercial surveillance and lax data security. Last August, the agency announced it was “exploring new rules to crack down on harmful practices” and would be seeking public comment on whether such rules are needed to “protect people’s privacy.” In addition, the agency indicated that “enforcement of the FTC Act alone” may not be enough to protect consumers from emerging threats and that additional powers may be necessary. Such powers may include the ability to impose “financial penalties for first-time violations.”
Such an expansion of power poses a potential danger to the FTC, which has a checkered history of pushing boundaries. The agency already possesses considerable power, as exemplified by the FTC Act, which it has utilized to “bring hundreds of enforcement actions” against companies for privacy and data violations.
It may well be the case that emerging technologies present unique challenges to consumer welfare, particularly in the realm of data privacy. Therefore, it’s possible that these challenges require new rules. However, any new rules should be proposed by an act of Congress, not federal agencies like the FTC. Anything less may result in government overreach and produce unintended consequences like a less competitive market and diminished consumer choice.
Nate Scherer is a Policy Analyst with the American Consumer Institute, a nonprofit education and research organization. For more information about the Institute, visit us on www.TheAmericanConsumer.Org or follow us on Twitter @ConsumerPal.