Analysis
When Federal Trade Commission (FTC) Chair Lina Khan was appointed to the position by President Joe Biden in 2021, there was a flood of support and calls for the agency to take data privacy seriously and crack down on companies with lax standards.
The agency’s actions in 2022 signal that it heard the calls, and even more data privacy enforcement looks like it is on the horizon.
In October of last year, the FTC also took action against the education technology provider Chegg for “lax data security practices” that “exposed sensitive information about millions of its customers and employees.” The agency said Chegg didn’t fix its data security problems despite having four security breaches since 2017. The proposed order against Chegg would require it to beef up its security, limit what the company can collect and retain, use multi-factor authentication, and allow users to delete their data.
Earlier this week, the FTC finalized an order with Drizly, the alcohol delivery app, over “security failures” the agency said led to a data breach that exposed the personal information of 2.5 million customers.
The FTC’s complaint, which was announced in October last year, claimed Drizly’s CEO was alerted to the vulnerabilities prior to the data breach in 2020 but didn’t take action to protect the data. The recently agreed to order requires Drizly to destroy any personal data it collected that isn’t necessary and must refrain from collecting or storing personal information on customers unless it is for specific purposes, according to the FTC.
In a joint statement, Khan and FTC Commissioner Alvaro Bedoya made it clear that the Drizly action “should … put other market participants on notice.”
Why it matters
While those two actions were just two examples, it’s clear that the agency has more plans in the coming years.
Last summer, the FTC announced that it would open up comments on an Advance Notice of Proposed Rulemaking on commercial surveillance and lax data security. The agency said it hoped the public would comment on the “harms stemming from commercial surveillance” and “whether new rules are needed to protect people’s privacy and information.”
More than 1,000 comments were submitted to the agency from the public, civil rights groups, and internet rights groups.
“Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like,” Khan said when the commenting period opened.
0 Comments