Two of the Federal Trade Commission’s (FTC’s) most recent data security settlements include new requirements that go beyond previous data security settlements. The new provisions (1) require that a senior corporate officer provide to the FTC annual certifications of compliance and (2) specifically prohibit making misrepresentations to the third parties conducting required assessments. A statement accompanying these settlements noted that the FTC has instructed staff to examine whether its privacy and data security orders could be strengthened and improved.
In an active week of FTC announcements, the agency on March 26, 2019, announced four major settlements with entities that were responsible for billions of illegal robocalls made to consumers nationwide. The entities targeted by the agency initiated illegal robocalls across a number of industries – they pitched auto warranties, debt-relief services, home security systems, fake charities, and Google search results services. These settlements resolved FTC allegations that the defendants had violated the FTC Act and the FTC’s Telemarketing Sales Rule.
In Veterans of America, the FTC’s complaint against Travis Deloy Peterson alleged that he “created and used a series of corporate entities and fictitious business names that sound like veterans’ charities to operate a telemarketing scheme that used robocalls to trick generous Americans into giving their vehicles or other valuable property to him” since at least 2012. The settlement includes a monetary judgment of $541,032.10 and would permanently ban defendant Peterson or his employees or contractors from soliciting charitable contributions, making misrepresentation in advertising or promoting any good or service, initiating robocalls, and engaging in deceptive and abusive telemarketing.
Following congressional hearings last month on potential federal data privacy legislation − Hearing on Policy Principles for a Federal Data Privacy Framework in the United States before the Senate Committee on Commerce, Science, and Transportation; Hearing on Improving Data Security at Consumer Reporting Agencies before the House Subcommittee on Economic and Consumer Policy − the Federal Trade Commission (FTC) on March 26, 2019, announced the initiation of a study concerning the privacy policies, procedures, and practices of seven internet service providers (ISPs). The FTC has used this process in other industries or areas of focus to gather information that it may later share in a public report.
As part of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century, the Commission will hold a two-day hearing on April 9–10 at the Constitution Center (400 7th Street SW in Washington D.C.). The FTC has received 40 comments already and will continue receiving comments until May 31, 2019.
The Federal Trade Commission (FTC) issued two Notices of Proposed Rulemaking (NPRMs) seeking comment on proposed amendments to the Gramm–Leach–Bliley Act (GLBA) Safeguards Rule and Privacy Rule. The comments are due 60 days after the NPRM is published in the Federal Register. The NPRMs accomplish two things. First, they address comments received several years ago when the FTC sought review of these rules pursuant to its periodic review of FTC rules and guides. Second, it proposes to amend both rules and seeks comments on those amendments.
The GAO recently concluded a comprehensive analysis of the U.S. federal regulatory landscape with respect to internet privacy, specifically focusing on FTC and FCC enforcement actions and authorities. GAO interviewed representatives from industry, consumer advocacy groups, academia, FTC and FCC staff, former FTC and FCC commissioners, and officials from other agencies. (See page 40 of the GAO report for a complete list of those interviewed.) GAO recommends that Congress consider developing comprehensive legislation on internet privacy that would enhance existing consumer protections and provide flexibility to address a rapidly evolving privacy environment.