Privacy laws often differ in questions of enforcement. Many state laws, such as California’s Consumer Privacy Act (CCPA) and California Privacy Protection Agency (CPRA) generally require that the attorney general bring action. Other privacy state laws might also provide for a so-called “private right of action”, which means that affected individuals are permitted to file suit. On the federal level, the FTC has broad enforcement authorities under section 5(a) of the FTC Act that prohibits “unfair or deceptive” trade practices.  

There are three recent cases (Credit Karma, Kochava and Roomster) that highlight the uptick in FTC litigation of violation of data privacy rights, and improper means of soliciting personal information.  

In light of these recent developments, here’s our Top 5 Measures to Improve Compliance and Mitigate Risk: 

1) Minimise Data Collection  

Businesses should only collect data that is necessary to provide services, take reasonable steps to secure the data, and delete it when there is no longer a legitimate business need to retain it.  

2) Make Data Privacy Defaults Easily Accessible/Changeable  

Businesses should make it easy for people to access their privacy settings and change cookie storage preferences at any time.  

3) Deploy Methods to Limiting Sale, Sharing, and Use of Personal Information  

Feature a Do Not Sell or Share My Personal Information Link: Businesses must feature a Do Not Sell or Share My Personal Information Link on their website for users to opt out of third-party sales.   

Limit the Use of My Sensitive Personal Information: Businesses must provide a clear and conspicuous link on the internet homepages titled Limit the Use of Sensitive Personal Information that enables a consumer, or a person authorised by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information to those uses authorised by the CCPA/CPRA.  

Use a Single Link for Both Opt-Outs: Instead of two separate links, businesses can use a single link to allow consumers to opt out of the sale or sharing of personal information and to limit the use or disclosure of the consumer’s sensitive personal information.  

Opt-Out Requests or Change of Use of Product or Service: Businesses must present the terms of any financial incentive offered pursuant to the CCPA/CPRA for the retention, use, sale, or sharing of the consumer’s personal information.  

Alternatively, businesses do not need to provide links if they use an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on certain technical specifications, that indicates the consumer’s intent to opt out of the business’ sale or sharing of the consumer’s personal information, or to limit the use or disclosure of the consumer’s sensitive personal information, or both. This means that businesses who already respect the consumer’s wishes by technical means do not need to provide the consumer with more options than necessary.  

4) Provide Notice of the Categories of Information Collected  

Businesses must provide a notice at or before the point of collection informing the consumer of the categories of personal information the company collects and for what purpose.   

5) Respond to Requests of Disclosure or Deletion  

There are three main points of compliance for the disclosure or deletion of information.   

First, businesses must provide consumers the records of their personal information that was collected about the consumer if they request disclosure or deletion of this information, including sources, commercial purposes, and categories of third parties with whom it has been shared if a consumer requests this information.   

Second, businesses must respond within 10 days of receiving the request for disclosure or deletion with information on how the request will be processed, and substantive responses must be given within 45 days of the request.   

Third, businesses must include a way for a customer to make a deletion request, and then a way for them to agree to their person information to be deleted.  

Key takeaways  

When it comes to FTC enforcement action, prevention is certainly better than cure. Having experienced and global data protection and privacy support is key in navigating complex rules and building the trust of consumers and key stakeholders. 

For support on data protection and privacy-related matters, please contact us at dpo@hewardmills.com.  

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.