On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...25 May 2016
FTC Settlement Targets Deceptive Promises of Enhanced Privacy
The FTC has entered into a proposed settlement with a company that promised a consumer the ability to choose what information would appear when others searched for that person in the company's online service, but failed to provide the promised control. The proposed settlement announced by the FTC followed an investigation of US Search, a data broker that promised consumers that if they paid $10 for its "PrivacyLock" service, it would "lock their records" by excluding their information from search results. Instead, according to the FTC's complaint, PrivacyLock did not block consumers' names from showing up as an associate of someone else in a search for the other person's name; did not block consumers' information from appearing in a "reverse search" of their phone number or address, or in a search of their address in real estate records; did not work if the consumer changed addresses; and did not work if the consumer had multiple records (e.g., "John Smith" and "John T. Smith"). The consent decree, which is part of the proposed settlement, subject to a regulatory comment period, prohibits US Search from continuing to market any products claiming to ensure consumer privacy in such a manner and requires it to refund customers who paid for Privacy Lock.
This enforcement action comes on the heels of the FTC's Feburary settlement with ControlScan, another company that promoted a privacy-enhancing service but failed to live up to its promises. In that case, ControlScan purported to certify the privacy and data security practices of its clients' websites but failed to adequately verify those websites' actual privacy and security protections and displayed a certification date that did not reflect the actual date of its most recent security review. And last October, the FTC brought enforcement actions against six companies over misrepresentations that they were current with their certifications under the U.S.-EU Safe Harbor program, a privacy compliance program that provides assurance to European organizations that U.S. businesses to which they transfer personal data will treat that data in accordance with European privacy standards.
The FTC's activity in this area demonstrates the importance it places on promises of privacy and security by companies that directly sell and market privacy and security protections. Privacy enhancing services are obviously a good thing. But profiting from consumers' willingness to pay for protections by selling them knowingly or negligently false guarantees will trigger enforcement actions. Therefore, companies developing privacy certifications and technologies should take care to evaluate their marketing materials and to constantly evaluate their services to ensure that they do not fall short in their promises to consumers.
The French Data Protection Authority (CNIL) has announced its inspections program topics for 2016, with health data, flight passengers’ data, and data used for marketing and Internet...20 May 2016