The Federal Trade Commission investigates and brings action against numerous companies for their violations of privacy regulations, from unlawful collection of data to illegal sharing of data with third parties, to improper advertising activities. Companies within the United States are required to comply not only with state privacy regulations but also with other consumer-protecting laws like HIPAA and COPPA, as the FTC takes strict action against companies that violate any law that hampers an individual's privacy.

In this article, we will be taking a closer look at cases of privacy violations that demanded the attention of the FTC, results of the investigations, fines, and key takeaways with the intention of serving as a reference for companies and data privacy and information governance professionals within the U.S.

1. Microsoft Xbox | FTC | June 2023

Microsoft's XBOX Live was found in violation of COPPA for their collection and retention of children's data, for which it was fined $20 million.

Summary: Microsoft's online gaming network, Xbox Live, was found to have violated Children's Online Privacy Protection Act, COPPA, for their methods of collecting personal information of children and the duration for which it was retained. FTC found that Microsoft violated COPPA in the following ways: -

• Violation of direct notice: Microsoft first collected data from users below the age of 13, a requirement to set up an account, only then did it inform their parents and ask for consent for the same, violating the mandatory provision of direct notice.

• Violation of online provision: Microsoft did not provide an appropriate privacy notice meeting the requirements of COPPA. Their privacy notice left out important details about the kind of information collected, its purpose, and most importantly, how parents can request to stop collection and delete collected information.

• Violation of retention requirements: FTC also found that the company retained children's data for years unnecessarily.

Outcome: In addition to the $20 million fine, Microsoft will also have to change their privacy practices to comply with COPPA. Further, if data is disclosed to video game publishers, it must be mentioned that the data belongs to a child so that the third party may also comply with COPPA.

Key Takeaways: Informed consent from parents must be obtained prior to the collection of any data from users ages 13 and below. Comprehensive privacy notices must be made easily available with provisions to opt out and delete collected data. COPPA applies to online services in addition to websites and apps. COPPA has a wide definition of personal information, including avatars, biometrics, health data, etc.

Link to full resource: $20 million FTC settlement addresses Microsoft Xbox illegal collection of kids' data: A game changer for COPPA compliance | Federal Trade Commission

2. Ring| FTC | May 2023

FTC imposed a $5.8 million fine on Ring for its numerous violations of user's privacy and security

Summary: Doorbell video camera company Ring is used by millions of homes as a measure of security. However, it was found that the company violated its user's privacy and security in numerous ways.

• Ring employees viewed personal videos of customers and other employees.

• The third-party contractor was allowed access to customer videos.

• Personal information about customers' videos was disclosed to interested parties.

• Security risks were left unaddressed, which led to data breaches.

• The camera's two-way communication was used to harass and threaten customers.

• Customers' videos were used to develop facial recognition algorithms without their consent.

Outcome: In addition to the penalty, the order includes that Ring

• Must refrain from misinterpreting the extent to which videos and other personal information are accessible and to whom.

• Must delete all video data used for research collected during the time that consent was not properly obtained.

• Must have appropriate security measures should be put in place to limit the 'human review' of customer videos to necessary situations which have been outlined.

• Must conduct thorough employee training.

• Notify consumers and the FTC of any shortcomings in video access practices and security incidents.

Key Takeaways: Appropriate security measures should be in place to always safeguard users' privacy from all possible threats. Privacy training should be conducted at every level to ensure that employees understand and promote privacy.

Link to full resource: Not home alone: FTC says Ring's lax practices led to disturbing violations of users' privacy and security | Federal Trade Commission

3. 1Health.io Inc | FTC | June 2023

FTC ordered 1Health to change their privacy practices after it was found that their privacy policy was changed retroactively, and data was left unsecured, among other violations.

Summary: Genetic testing company 1Health was found violating consumer privacy by retaining information, including DNA information, for longer than necessary, for changing its privacy program retroactively to include more third parties to share data with without notifying consumers or obtaining their consent. Further, information was stored in a publicly accessible cloud storage service without any encryption, restrictions, or monitoring of that data.

Outcome: A $75,000 penalty has been imposed on the company. They have also been ordered:

• Not to share data with third parties without affirmative express consent from consumers.

• That any company purchasing 1Health business in any amount must abide by the order of the FTC.

• To notify FTC of any breaches and unauthorized disclosure of client health data.

• To employ a security program that combats overcomes all the security issues previously overlooked.

Key Takeaways: Consumers should be notified of any changes in privacy policies, and affirmative express consent must be obtained should there be any change in how data is collected, processed, and shared.

Link to full resource: FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy | Federal Trade Commission

4. Amazon | FTC | May 2023

The FTC and DOJ found Amazon in violation of COPPA for retaining kids' Alexa voice for longer than necessary and for not following through on parents' deletion requests.

Summary: The Department of Justice filed a complaint on behalf of the FTC, where it was found that voice recordings and geolocation data collected by Alexa voice assistant were retained for a number of years and used to improve its algorithm program. Even when parents requested to have that data deleted, Amazon failed to do so effectively. It was found that geolocation was also retained for longer than necessary.

Outcome: In addition to the $25 million civil penalty, Amazon:

• Is prohibited from using data – geolocation, children's voice data, and other voice data that have been requested to be deleted for the creation or improvement of any product.

• Should delete inactive Alexa accounts of minors.

• Should inform users of their retention policies and practices.

• Refrain from misrepresenting their privacy practices in their policies.

Key Takeaways: Data should only be retained for the duration of its necessity. Users should be informed of the company's retention and deletion policies. DSA requests should be honored effectively.

Link to full resource: FTC and DOJ Charge Amazon with Violating Children's Privacy Law by Keeping Kids' Alexa Voice Recordings Forever and Undermining Parents' Deletion Requests | Federal Trade Commission

5. GoodRx | FTC | February 2023

GoodRx is to pay a $1.5 million fine for sharing sensitive health information with companies like Facebook and Google and failing to disclose the same to consumers.

Summary: The California-based digital health platform, GoodRx, provides healthcare services and helps consumers find deals on prescription medication. The FTC found that GoodRx violated the FTC Act by

1. Sharing personal health information with Facebook, Google, etc

2. Used personal health information for targeting advertising purposes

3. Failed to limit third-party use of personal health information

4. Misrepresented its HIPAA Compliance

5. Failed to implement policies to protect sensitive personal health information

Outcome: In addition to the $1.5 million penalty imposed on GoodRx, the FTC ordered that GoodRx: -

1. Cease the sharing of health data for advertising purposes

2. Obtain consent for sharing of other data

3. Direct third parties to delete the health data that was shared

4. Practice data retention

5. Set up a privacy program

Key takeaways: Companies should refrain from sharing sensitive information, such as health data, with third parties. Consent should be obtained before sharing other categories of data.

Link to full resource: FTC Enforcement Action to Bar GoodRx from Sharing Consumers' Sensitive Health Info for Advertising | Federal Trade Commission

6. Epic Games | FTC | December 2022

Fortnite maker Epic Games was fined $520 million for violating children's privacy rights by using deceptive measures to encourage users to make purchases.

Summary: The Federal Trade Commission found Epic Games in violation of the Children's Online Privacy Protection Act (COPPA) for employing dark patterns and billing practices to trick users into making unintentional purchases. Fortnite's confusing button configuration caused unwanted charges. Further, the FTC addressed Epic Games' live text and voice communication features that exposed children to online harassment and abuse.

Outcome: The $520 million fine imposed was divided into two settlements. The COPPA fine amounted to $275 million, and the FTC fine amounted to $245 million for 'dark patterns and billing practices.

Key Takeaways: Processes employed should be clear, informed, and transparent. Dark patterns should be avoided at all costs. Strong practices should be put in place to safeguard the rights of children.

Link to further resource: FTC fines Fortnite maker Epic Games $520M over children's privacy and item shop charges | TechCrunch

7. Drizly | FTC | October 2022

For their lax security measures, exposing the data of around 2.5 million consumers, FTC took action against Drizly and its CEO James Cory Rellas.

Summary: Online alcohol marketplace Drizly faced a data breach exposing the data of around 2.5 million consumers. The security issues were disclosed to the company and the CEO two years prior to the issue, but no steps were taken to resolve them. FTC found that:

• Basic security measures were not employed.

• Critical data was stored on an unsecured platform.

• Data security measures were lax, and the network was not monitored for threats.

Outcome: In the proposed order against Drizly and Rellas, the requirements outlined were as follows:

• Unnecessary data should be destroyed.

• Only necessary data should be collected.

• Appropriate security programs should be put in place.

Key Takeaways: Appropriate security measures must be put in place to prevent data breaches and hacks. Corrective measures apply not only to companies but also to individuals wherever the Commission feels necessary.

Link to full resource: FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers | Federal Trade Commission

8. Twitter | FTC | May 2022

Twitter was fined a penalty of $150 million by the FTC for deceiving consumers into providing personal information, which was then used to serve targeted advertisements.

Summary: The Federal Trade Commission found that from 2013 up to 2019, Twitter convinced users to provide personal information such as phone numbers and email addresses under the pretense of collecting it for security purposes such as MFA and account recovery. In addition to the claim of collecting data to 'Safeguard your account,' Twitter used this data to serve users targeted advertisements.

Outcome: In addition to the penalty, Twitter was ordered

1. Not to use phone numbers and email addresses to serve ads

2. To inform customers about their processes and should allow them to turn off personalized ads

3. To provide MFA that does not require a phone number to be provided

4. To enhance their privacy program and strengthen their security program.

Key Takeaways: Misguided practices to collect and use personal data should be avoided. Data collected for one reason cannot be used for another, especially without proper informed consent.

Link to full resource: Twitter to pay $150 million penalty for allegedly breaking its privacy promises – again | Federal Trade Commission (ftc.gov)