FTC fires warning against sensitive data misuse
The agency has responded to fears around biometric data breaches, including those relating to abortion services
In a clear message to all companies collecting individual data, the Federal Trade Commission (FTC) has reaffirmed its commitment to harsh enforcement against illegal breaches of sensitive information.
The FTC notes in a blog post that there is a litany of information that can be collected to categorise people and identify their medical histories, with potential for dangerous exploitation, particularly in the case of consumers seeking abortions.
In light of the recent ruling by the Supreme Court to overrule Roe v Wade, the decision which had protected the right to choose to have an abortion, misuse of sensitive data is a point of fierce discussion.
The regulator cited cases such as that of Copley Advertising LLC as early examples of what could be a growing trend. The company had been using location data to identify people coming within a certain range of clinics offering abortion in several states, and then targeting them with anti-abortion advertising.
It has since reached a settlement with the Massachusetts Attorney General for misuse of geofencing for advertising purposes.
Striking a tough tone against potentially unethical firms, the FTC further outlined its powers to not only fine companies in breach of data protection legislation, but also require them to delete data they have collected as well as any models made with the data.
People’s information can be collected and misused in more ways than one, and the post is careful to focus on the potential misuse of information that consumers willingly track — such as blood sugar level, menstrual cycle, sleep patterns and contraceptive use — in addition to less flagged data points such as location.
Unlike the EU and UK, the US has no central data protection legislation, nor is there an explicit right to privacy within the US constitution. Instead, a range of laws and constitutional rulings cover consumers’ right to privacy, making up a complex tradition of protections that vary state-by-state.
Currently, some of the widest such legislation includes rules that the FTC enforces such as the Health Breach Notification Rule, which requires “vendors of personal health records and related entities to notify consumers following a breach involving unsecured information”. Violation of the rule can result in a fine of up to $46,517 per violation per day.
Many rights groups argue these rules are inadequate and subject to loopholes such as legitimate sale of information to third-party brokers. The non-profit organisation Planned Parenthood has called for a federal data protection law to codify regulation of such data into law and prevent misuse by advertisers. Biometric data law is a particularly contentious issue, with similar calls within the UK right now for more transparent consumer protections around what data companies can track, and why.
In the post, the FTC specifically warns against misleading claims of ‘anonymization’ by companies, pointing out that such data can frequently be re-identified. Knowingly making such false claims to placate customer concerns around privacy will trigger FTC intervention, it asserts.
“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data,” stated the agency in the blog post.
“The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.