Category Archives: FTC Enforcement Actions

Google to Pay $22.5 Million Record Fine to FTC over Safari Tracking

Google agreed to pay a record $22.5 million to settle claims levied by the Federal Trade Commission (FTC) that Google violated an earlier privacy settlement it had with the agency.

Google placed advertising tracking cookies on the computers of Apple’s Safari browser who visited sites within Google’s advertising network for several months in 2011 and 2012. (Safari is the browser used in Macs, iPhones and iPads. Google’s ad network is DoubleClick.) This misled consumers who were assured that they were automatically opted out of tracking because Safari’s default setting blocks most cookies coming from third parties.

The Commission said Google’s misrepresentation to Safari users broke the terms of a 2011 FTC settlement decree relating to privacy problems with Google’s now defunct Buzz social networking tool. Google did not admit to violating the 2011 decree, but agreed to disable all the tracking cookies it said it would not place on consumers’ computers.

Jon Leibowitz, Chairman of the FTC, reaffirmed the Commission’s commitment to enforce consumer privacy rights, saying “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

Congress Probes Leading Data Brokers on Dossiers

On Tuesday, the Congressional Privacy Caucus sent inquiry letters to nine of the largest data brokers regarding their privacy practices, including how they collect, analyze and sell consumer information.  Data brokers are organizations that compile data on consumers and sell that data to third parties for marketing and other purposes.  “By combining data from numerous offline and online sources, data brokers have developed hidden dossiers on almost every US consumer,” the letters said.  This practice is worrisome to privacy advocates and particularly the Federal Trade Commission (FTC), which has been candid in its statements and in its March report on consumer privacy, stating that the FTC intends to crack down on these unregulated data aggregators.  The settlement with Spokeo last month is reportedly the first with others to follow this year. The Privacy Caucus, co-chaired by Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), seems to be weighing legislative action to demand oversight and industry accountability.  Companies receiving the letter were Axciom, Epsilon (Alliance Data Systems), Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Markle and Meredith Corp.  The companies have until August 15 to respond.

Data Broker Spokeo to Pay $800,000 Under FTC Settlement

Online data broker Spokeo agreed to pay $800,000 to settle Federal Trade Commission (FTC) charges that it marketed information profiles on millions of consumers to companies that used them for employment screening, without taking necessary steps to protect consumers.  This misuse of data violated federal law, specifically the Fair Credit Reporting Act (FCRA), because Spokeo operated as a consumer reporting agency but it failed to disclose the source of its data or give consumers the chance to correct inaccurate information, among other things.  The conduct occurred between 2008 and 2010 when the company marketed the data on a subscription basis.  The settlement was announced by the FTC on June 12, 2012.

Spokeo is a data aggregator, merging personal information it collects about consumers from online and offline data sources to create detailed individual profiles of consumers.  A profile might include name, address, age range, email address, ethnicity, religion, photos, hobbies, and participation on social networking sites.  Spokeo describes itself as a “people search engine.”

This case is important because it’s the first FTC case to address the sale of Internet and social media data for employment screening.  The FTC also accused Spokeo of posting deceptive endorsements of their services on news and technology websites and blogs “portraying the endorsements as independent when in reality they were created by Spokeo’s own employees.”  These misleading endorsements violated the Federal Trade Commission Act.

RockYou to Settle with FTC Over Massive Data Breach

The social networking and gaming site RockYou.com was hacked in December 2009 and suffered a severe data breach, which exposed personal information including email addresses, passwords and photos of 32 million users.  Of that 32 million, 179,000 were children.  The situation went from bad to worse for RockYou when the hacker posted on the Internet a snippet of the data he obtained, showing that RockYou’s user account data were stored in plain text in its database and not encrypted.  Unencrypted personal information is basically like catnip to a hacker and from a risk perspective, the company was in deep trouble. Compounding its problems, RockYou handled the communication to its users and the public horribly and this incident was a public relations disaster for the company.

The magnitude of the data breach drew the attention of the Federal Trade Commission (FTC).  The FTC is the federal agency responsible for enforcing laws that protect online consumers.  The FTC is especially proactive when the personal information of children is compromised.  RockYou is one company on a growing list of companies that the FTC has aggressively pursued for violating the Children’s Online Privacy Protection Act, known as COPPA, which the FTC enforces.  In short, COPPA requires that before a website collects, uses or shares personal information it receives from a child under 13, the website operator must get verified parental consent (commonly referred to as “email plus” verification method).  The rule also requires websites to post a clear, understandable and complete privacy policy on their site.

Here, the FTC investigated and found that RockYou’s information security practices were deceptive, posing a significant risk to consumers and that the company had violated COPPA by gathering personal information from kids under 13 over a two-year period without obtaining the mandatory parental consent.  In addition, the company failed to spell out in its posted privacy policy how the information it collected would be used or shared.  Finally, RockYou was faulted for not maintaining reasonable security procedures to prevent breaches like the one that occurred.  The FTC came down hard on RockYou for its mistakes.  According to a proposed settlement order with the FTC announced on March 27, 2012, RockYou must pay a $250,000 penalty for COPPA violations, implement a data security program, and submit to security audits every other year for 20 years.  In addition, the company it is barred from any further violation of COPPA and prohibited from making deceptive claims regarding privacy and data security. 

The takeaways?  This is a story about the consequences of a company’s deceptive business practices, failed data security program and clearly a lack of preparedness when faced with a large scale data breach.  Aside from the $250,000 fine and attorneys’ fees the company must pay, the other economic costs here are lost business costs and the widespread damage to RockYou’s reputation and brand caused by this catastrophic breach.

Nolo’s Privacy Matters Blog Premieres!

Welcome to Privacy Matters, a Nolo blog devoted to information privacy and data security issues as they relate to small businesses and consumers.  Information privacy covers the rules that apply to the gathering and handling of “personal information” — in other words information that can be traced to a particular individual, like geolocation information, credit information, or health records. 

Privacy law varies by industry, state, country, transaction and customer and is complicated.  Through blog posts and an ongoing series of Nolo primer articles, I hope to provide general, useful information about fundamental privacy principles and best practices that Internet, technology and bricks and mortar businesses need to be aware of, as this area of law can be a field of landmines for the unknowing.

Class action lawsuits and Federal Trade Commission enforcement actions against tech titans like Facebook and Google, and high-profile data breaches jeopardizing that private data of millions of individuals and tarnishing the reputations of scores of companies like Sony, Heartland Payments Systems and RSA Security — have thrust privacy onto the front pages.  It’s important for small business owners to recognize that the same rules that have gotten large companies into trouble apply to small businesses as well.  When it comes to privacy, an once of prevention is, in fact, worth a pound of cure.