In the last article, we discussed FTCA § 5 enforcement actions. This article describes the consent orders that often result from FTC complaints alleging unfair or deceptive practices or other unlawful acts in the realm of privacy and data protection. While consent orders do not require an admission of guilt, they generally prohibit the conduct which gave rise to the initial complaint, require defendants obtain express consent from consumers to partake in similar future action, expand FTC authority to expedite consequences for subsequent violations, and lay out the requirements for a mandated privacy program.
For example, the FTC recently brought a complaint against television manufacturer, VIZIO, for collecting and selling information about consumers’ television viewing habits without express consent from said consumers. The complaint alleged both unfair practices and deceptive practices on VIZIO’s part. The FTC alleged that VIZIO unlawfully used viewing data for the purposes of (1) audience measurement, (2) analyzing advertising effectiveness, and (3) targeted advertising.
Ultimately, VIZIO agreed to a consent order. In that consent order, VIZIO agreed to pay $2.2M in fines and to establish and maintain a privacy program. While fines are less common, FTC consent orders typically establish a privacy program, which can be used as an outline for companies who wish to voluntarily establish a comprehensive privacy and data protection strategy.
Though these privacy programs vary based on the complexity of the companies and details of offenses giving rise to the orders, they typically have a twenty-year term and several other features in common. First, the program requires that an internal team establish and maintain a risk mitigation program, which necessitates employee training and risk consideration in future product development. This team is responsible for maintaining the program as technology changes and new concerns arise.
Second, the internal team’s program is subject to third-party assessment. The assessment primarily considers the appropriateness and effectiveness of established privacy controls. For example, VIZIO’s order requires the third-party assessor, once approved by the FTC, to conduct an initial six-month assessment, and biennial assessments thereafter.
Third, defendants frequently agree to provide the FTC with compliance reporting. The reporting includes general information about the business and details how the company maintains compliance with the ordered privacy program. Furthermore, defendants typically agree to report any change in the company’s status that may impact the privacy program, including, but not limited to bankruptcy filings, mergers, and acquisitions.
Finally, consent orders generally require defendants to maintain records related to consumer data custodianship. The VIZIO order mandates a five-year record retention period. Moreover, the defendant is obliged to provide records and compliance information to the FTC upon request.
While consent orders outline reasonable procedures for a data privacy program for most companies, some specific business activities that implicate privacy and data protection concerns are subject to other federal legislation, though the activities may be neither unfair nor deceptive. The next article discusses three of these Acts.