Key Takeaways: As expressly identified in a joint statement issued by the FTC Commissioners in January 2024, the FTC’s recent enforcement actions demonstrate that “sensitive data triggers heightened privacy obligations and a default presumption against its sharing or sale.”^[1] For example, the X-Mode and InMarket consent orders “highlighted the sensitivity of geolocation data”, while the Avast order shows that “people’s browsing records” will also be considered sensitive.^[2]

Moreover, the FTC’s enforcement action against Blackbaud establishes the FTC’s willingness to use Section 5 of the FTC Act to pursue enforcement where there is a “failure to implement and enforce reasonable data retention practices… [and] to accurately communicate the scope and severity of the breach in its notification to customers.”^[3]

Introduction

In the absence of a comprehensive national data privacy law, the Federal Trade Commission (“FTC”) is currently the primary mechanism for enforcement of issues related to data privacy and security in the United States. Under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce”, the FTC has long asserted jurisdiction over a range of commercial conduct that pertains to consumer data use. Additionally, the FTC enforces a range of privacy and data security laws, including the Fair Credit Reporting Act, the CAN-SPAM Act of 2003, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act. The FTC enforces these statutes and their associated regulations by using administrative complaints to obtain settlement agreements and consent orders.

The FTC has issued several consent orders and settlements, as well as new guidance regarding compliance with federal data privacy and cybersecurity obligations. These enforcement actions demonstrate the FTC’s stance that companies’ obligations to consumers are heightened when it comes to selling consumer data and managing sensitive data such as browsing records and location data. Additionally, companies are expected to use reasonable cybersecurity safeguards and notify consumers in the event of data breaches.

The Avast Settlement

On February 22, 2024, the FTC announced a settlement with software provider Avast in connection with Avast’s alleged deceptive data collection and sales practices.^[4] The FTC took issue with three aspects of Avast’s conduct. First, the FTC alleged that Avast engaged in deceptive conduct by misrepresenting its data practices. Specifically, the company represented to users that its products would protect their privacy and prevent tracking, while the company simultaneously collected and sold vast amounts of consumers' browsing data, including highly sensitive information. The second allegation pertained to data anonymization. Avast claimed that prior to selling consumer data to third parties, it would anonymize the data by removing identifying information. However, this claim was misleading because the resold data contained location data, timestamps, and other unique identifiers. Finally, the FTC alleged that Avast did not obtain proper consent from users before collecting and selling their browsing data.

In exchange for the FTC’s decision to discontinue administrative action, Avast agreed to pay a monetary penalty of $16.5 million. Additionally, Avast is prohibited from selling or licensing any browsing data collected through its branded products for advertising purposes. Before selling or licensing browsing data from non-Avast products for advertising, Avast must now obtain explicit and unambiguous consent from each user. Moreover, the company is obligated to delete all web browsing information transferred to its subsidiary, Jumpshot, as well as any products or algorithms derived from such data. Finally, Avast must notify the consumers affected by its conduct and implement a robust privacy program that addresses the specific concerns raised by the FTC.

The InMarket Settlement

On May 1, 2024, the FTC announced that it had finalized a settlement agreement and consent order with InMarket Media (“InMarket”), a Texas-based data aggregator, regarding InMarket’s practices of collecting and using consumers' location data.^[5]

The FTC pursued administrative action against InMarket in response to practices that the agency deemed to be unfair and deceptive. The FTC alleged that InMarket failed to obtain informed consent from users of its own apps and from users of third-party apps that incorporated InMarket's software development kit (“SDK”) because InMarket did not fully inform users about how their location data would be used and the fact that it would be combined with other data for the purpose of targeted advertising. InMarket also did not ensure that third-party apps using InMarket’s SDK obtained informed consent from users. InMarket allegedly used the location data to categorize consumers based on sensitive information like their visits to religious institutions or health clinics and then targeted consumers with advertising based on these categorizations. InMarket retained location data for five years after collection, which the FTC argued increases the risk of data breaches and data misuse.

This consent order marks the first time that the FTC has prohibited a party from selling, sharing, or licensing any precise location data. In addition to this prohibition, InMarket must delete all previously collected location data (unless it obtains consent or anonymizes the data) and provide clear mechanisms for users to withdraw consent for data collection and request deletion of their data. Additionally, the company can now only collect location data from its apps with users' informed consent and is prohibited from using, selling, or targeting consumers based on sensitive location data like visits to religious institutions or health clinics. Finally, InMarket is required to implement a robust privacy program protecting user data and establish a data retention schedule.

The X-Mode Settlement

On April 12, 2024, the FTC finalized a consent order with data broker X-Mode Social (“X-Mode”) and its successor Outlogic LLC stemming from the entities’ sale of sensitive user location data.^[6] This consent order follows the settlement that was reached in January 2024, which marked the first ever FTC settlement of this kind with a data broker. Specifically, the FTC alleged that X-Mode sold precise location data that identified users' visits to sensitive locations like religious institutions and healthcare clinics. The FTC raised concerns about the lack of proper safeguards to prevent misuse of this data by third parties, potentially revealing private information about individuals.

In exchange for settlement, X-Mode and Outlogic agreed to cease selling or sharing sensitive location data, delete previously collected data and related products, implement measures to prevent future connections between users and sensitive locations, and provide clear methods for users to withdraw consent and request data deletion. Significantly, the entities also agreed to delete or destroy all customer location data previously collected, including any products developed from this data, unless the entities are able to ensure the data has been anonymized.

The Blackbaud Settlement

On February 1, 2024, the FTC reached a settlement with South Carolina-based Blackbaud Inc. (“Blackbaud”), a company providing software services to various organizations including nonprofits, healthcare institutions, and others.^[7] The settlement stems from charges that Blackbaud's inadequate security measures enabled a hacker to breach its network and access the personal data of millions of consumers, including sensitive information like Social Security and bank account numbers.

According to the FTC's complaint, Blackbaud failed to implement appropriate safeguards to protect the vast amount of personal data it stores as part of its services. Despite assurances to customers about its data security practices, Blackbaud allegedly neglected to fulfill these promises by failing to monitor for attempted network intrusions by hackers, segment its data to make unauthorized access more difficult, delete unnecessary data no longer required for its services, implement multi-factor authentication effectively, or regularly test, review, and assess its security controls.

The complaint further alleges that Blackbaud allowed employees to use weak or identical passwords, further compromising data security. These failures resulted in a hacker gaining access to a customer’s Blackbaud-hosted database in early 2020. The attacker reportedly exploited existing vulnerabilities and local administrator accounts to move freely across Blackbaud’s systems, even creating new administrator accounts. The breach remained undetected by Blackbaud for three months, allowing the hacker to steal a significant amount of unencrypted sensitive consumer data belonging to Blackbaud's customers.

Beyond the lack of encryption and adequate firewalls, the FTC also raised concerns about Blackbaud's data retention practices. The company allegedly held onto data for much longer than necessary, including information from former customers. When the breach was finally discovered, Blackbaud reportedly paid a ransom of $250,000 in Bitcoin to the hacker, who threatened to expose the stolen data. However, the FTC alleges that Blackbaud never verified whether the hacker actually deleted the stolen data.

The FTC’s complaint also criticizes Blackbaud for waiting nearly two months to inform its customers about the breach and then misleading them about the extent of the data theft. Customers were initially told they did not need to take any action, despite Blackbaud knowing as early as July 2020 that the hacker had obtained sensitive information including Social Security numbers. This delay, according to the FTC, prevented consumers from taking steps to protect themselves from potential identity theft and other harm.

As part of the settlement, Blackbaud is required to delete any personal data it no longer needs to provide services to its customers. Additionally, the company is prohibited from misrepresenting its data security and retention practices in the future. The FTC also mandated that Blackbaud develop a comprehensive information security program to address the identified shortcomings, along with implementing a data retention schedule outlining why data is retained and when it will be deleted. Finally, the settlement requires Blackbaud to notify the FTC of any future data breaches reported to other local, state, or federal agencies.

The Globel Tel Link Settlement

On February 23, 2024, the FTC finalized its consent order with prison communications provider Global Tel Link Corp. (“Global Tel Link”) and two of its subsidiaries.^[8] The order resolves charges that the companies failed to adequately secure user data and inform affected individuals about a data breach.

According to the FTC's initial complaint, Global Tel Link and its subsidiaries did not implement appropriate safeguards to protect the sensitive personal information they collect from users of their services. This lack of security allowed unauthorized actors to gain access to unencrypted personal information stored in the cloud and used for testing purposes.

The FTC further alleges that Global Tel Link waited nearly nine months to notify affected customers about the breach and only contacted approximately 45,000 users. This number falls significantly short of the potential hundreds of thousands of customers who may have been impacted by the data breach.

Under the terms of the finalized order, Global Tel Link and its subsidiaries are prohibited from misrepresenting their data security practices in the future. Additionally, they are required to implement a comprehensive data security program that addresses the identified shortcomings. This program must include several key elements, such as deploying "change management" measures across all systems to reduce the risk of human error, utilizing multi-factor authentication to enhance security, and implementing procedures to minimize the amount of data collected and stored.

The order also mandates that Global Tel Link notify all users affected by the data breach who did not receive previous notification. These individuals will be offered credit monitoring and identity protection products to mitigate potential harm. Finally, the order requires Global Tel Link and its subsidiaries to implement procedures for notifying users of future security incidents that trigger any federal, state, or local breach reporting requirements.

Other FTC Developments

The FTC has joined the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), a significant development in international data privacy enforcement.^[9] The FTC will now collaborate with other privacy authorities worldwide participating in this international multilateral arrangement. This participation allows the FTC to share information and collaborate on investigations related to data privacy and security, provide assistance to other members in such investigations, and stay updated on evolving global privacy issues.

In essence, the FTC's participation in Global CAPE signifies its commitment to addressing the global nature of data privacy concerns by collaborating with international counterparts, effectively enforcing data privacy and security laws through international cooperation, and protecting consumer privacy in the increasingly interconnected global marketplace.

Koley Jessen will continue to monitor developments related to federal data privacy enforcement and advise as updates become available. If you have inquiries regarding your business’s compliance with the law or the necessary steps to take, please reach out to one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for expert assistance.

^{Special thanks to law clerk Lukas Schnepel for his contributions}

^{[1] FTC, Joint Statement of FTC Commissioners In the Matter of Avast Limited (Feb. 21, 2024), available here.}

^[2] Id.

^{[3] FTC, Joint Statement of FTC Commissioners In the Matter of Blackbaud, Inc. (Feb. 1, 2024), available here.}

^{[4] FTC, FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data After Claiming Its Products Would Block Online Tracking (Feb. 22, 2024), available here.}

^{[5] FTC, FTC Order Will Ban InMarket from Selling Precise Consumer Location Data (Jan. 18, 2024), available here.}

^{[6] FTC, FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (Jan. 9, 2024), available here.}

^{[7] FTC, FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach (Feb. 1, 2024), available here.}

^{[8] FTC, FTC Finalizes Order with Global Tel Link Over Security Failures that Led to Breach of Sensitive Data (Feb. 23, 2024), available here.}

^{[9] FTC, FTC Signs on to Multilateral Arrangement to Bolster Cooperation on Privacy and Data Security Enforcement (Jan. 17, 2024), available here.}

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}