The Year in Privacy 2018
From the European Union General Data Protection Regulation (GDPR) and the Cambridge Analytica controversy, to California’s GDPR-like privacy law and other state legislative efforts, the year 2018 brought an unprecedented focus on consumer privacy, big data and compliance.
Several states have either passed or bolstered cybersecurity legislation aimed at protecting consumer privacy, and performance marketers should become familiar with it. In addition to the broad-sweeping California Consumer Privacy Act of 2018, Colorado amended its data breach notification law and enacted various data security requirements. Vermont enacted the nation’s first data broker legislation, which regulates data brokers that buy and sell personal information. Ohio created a “safe harbor” from certain types of tort-based data breach liability for covered entities that implement a qualifying cybersecurity program.
Internationally, the big story of 2018 was the General Data Protection Regulation. The law radically modified the European Union’s data protection framework and sent ripples across the business operations of the marketing community. The GDPR has inspired similar legislation and proposals in countries such as Brazil and India.
In December 2018, the European Commission published its report on the EU-U.S. Privacy Shield, which appeared to be in serious jeopardy just a few months prior. At least for now, reports are that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to the United States. The precarious nature of the Privacy Shield has, of course, led the Federal Trade Commission to take a much more active, public approach to enforcing the EU-U.S. Privacy Shield framework. The story of 2019 will most likely be Brexit and the state of UK data protection law.
The Federal Trade Commission’s recent “Hearings on Competition and Consumer Protection in the 21st Century” leave no doubt that the agency will continue to focus on cybersecurity, and the intersection of privacy and competition. This also includes efforts to advance consumer privacy regulatory authority for itself under the “deception” and “unfairness” prongs of the FTC Act, and to secure comprehensive federal data security legislation that would provide it with rulemaking authority and/or the ability to levy civil penalties.
Late last year, the FTC provided some insight into its current privacy and data protection policies. In response to a Request for Comment made by the U.S. Department of Commerce’s National Telecommunications and Information Administration, the agency acknowledged that the rapidly evolving technological landscape requires flexible legal regulatory tactics that weigh the interests of individual rights and the need for unfettered innovation.
In fact, the FTC has recently gone on record, stating that any new privacy or data protection legislation should balance consumers’ legitimate concerns about the collection, use and dissemination of their data with the need for unambiguous legislation that advances technological growth. All said and done, the FTC seeks to ensure that companies maintain reasonable data security protocols.
According to its 2017 Privacy and Data Security Update, the FTC has initiated more than 60 enforcement actions, ranging from unreasonable data security practices to misleading disclosures. Of course, these figures do not take into account confidential investigations that may have been resolved out of the public eye.
The Federal Trade Commission and state attorneys general alike expect transparency and conspicuous notice when it comes to consumer data use and information practices. Privacy policies alone are no longer sufficient when it comes to disclosing how consumer data is collected and used. Succinct consumer-oriented disclosures at the point of collection that comply with applicable legal regulatory requirements are a must.
Not only do ineffective or misleading privacy disclosures often result in regulatory action, so does the failure to provide consumers with choice and control over how their information is used. The FTC has acknowledged its awareness that if consumers were opted out of online advertisements by default, the likely result would include the loss of advertiser-funded online content. It has also acknowledged that, by contrast, choice is important when the risk of harm might significantly increase, such as where the data is sensitive (e.g., children, financial and health information, etc.).
These concerns are perhaps most prominently recognized by the FTC’s heightened interest in the lead generation ecosystem. The agency has unequivocally stated that consumer privacy is at the heart of lead generation and that all those in the stream of commerce should act responsibly to ensure that data is used only for legitimate purposes that consumers would reasonably anticipate.
While the FTC appears much more sensitive to the need to foster competition and innovation, it will continue to utilize its FTC Act enforcement authority to hold businesses accountable for their privacy practices and promises.
Informational purposes only. Not legal advice.