We’ve already seen how new FTC regulations for GLBA-regulated financial institutions require retention schedules and disposal of unnecessary data as essential data security controls. The FTC is now also taking that position for all businesses under Section 5 of the FTC Act, as seen in a slew of recent FTC data security enforcement actions.
Two years ago I summarized the history of FTC enforcement on this issue. For decades the FTC has enforced reasonable data security under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). The FTC has pursued inadequate security practices of both large and well-known businesses and of small and obscure companies. But the common theme is that the targeted business, according to the FTC, either deceptively or unfairly engaged in unreasonable data security practices for consumers’ personal information.
What was notable two years ago were the FTC’s Section 5 enforcement actions against InfoTrax Systems in late 2019 and SkyMed International in early 2021. In re InfoTrax Systems, L.C., No. C-4696 (F.T.C. December 30, 2019) (final complaint & consent order); In re SkyMed International, No. C-4732 (F.T.C. January 26, 2021) (final complaint & consent order). In each of these enforcement actions, the FTC alleged that the business “failed to have a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on [its] network that is no longer necessary….” And in each consent order the FTC required “[p]olicies, procedures, and technical measures to systematically inventory Personal Information in [its] control and delete Personal Information that is no longer necessary….”
I ended that 2021 post by observing “[i]f the FTC’s position in SkyMed and Infotrax takes hold more broadly, the repercussions for over-retention will be sweeping in scope.”
Sweeping indeed. In a flurry of 2022 and 2023 enforcement actions, the FTC has now doubled down on its position that reasonable data security requires data retention schedules and disposal of unnecessary data:
- In re Residual Pumpkin Entity, LLC and Planetart, LLC (d/b/a CafePress), Nos. C-4768 & C-4769 (F.T.C. June 23, 2022)
Residual Pumpkin (and later its purchaser Planetart) operated the platform CafePress.com, on which consumers purchased customized t-shirts, coffee mugs, and similar merchandise from other consumers or “shopkeepers.” CafePress’s operators routinely collected information from consumers and shopkeepers, including names, email addresses, telephone numbers, birth dates, gender, photos, social media handles, security questions and answers, passwords, PayPal addresses, the last four digits and expiration dates of credit cards, and Social Security or tax identification numbers of shopkeepers, and stored this sensitive personal information in clear text, except for passwords, which were encrypted.
In its 2021 Section 5 enforcement action complaint, the FTC alleged that CafePress’s operators failed to protect the personal information of buyers and sellers stored on its network and to adequately respond to multiple security breaches. Among other inadequate security practices, CafePress’s operators “created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need.”
The FTC approved a settlement and consent agreement with CafePress’s operators on June 23, 2022. The consent order mandates that CafePress’s operators establish, implement, and maintain a comprehensive information security program that protects the privacy, security, confidentiality, and integrity of collected personal information, including “[p]olicies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures….” The FTC also assessed a civil penalty of $500,000.
- In re Drizly, LLC and James Cory Rellas, No. C-4780 (F.T.C. January 10, 2023)
Drizly, an Uber subsidiary, operates an e-commerce platform through which local retailers sell alcohol online to adult customers. The Drizly platform collects and stores both personal information that consumers provide and information that it automatically obtains from consumers’ computers and mobile devices.
In its 2022 Section 5 enforcement action complaint against both Drizly and its cofounder and CEO Rellas, the FTC alleged that data security failures led to a data breach exposing personal information of 2.5 million consumers. Among other alleged security failures, Drizly failed to “[h]ave a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on its network that was no longer necessary.”
The FTC finalized the settlement and consent agreement with Drizly and Rellas on January 10, 2023. The consent order mandates that Drizly destroy any collected personal data not necessary to provide products or services to consumers, document and report to the Commission what data it destroyed, and refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. And to punctuate the FTC’s resolve, the consent order also requires Rellas to implement an information security program at future companies if he moves to a business that collects consumer information from more than 25,000 individuals, or where he is a majority owner, CEO, or senior officer with information security responsibilities.
- In re Chegg, Inc., No. C-4782 (F.T.C. January 25, 2023) (complaint & consent order)
Chegg markets and sells direct-to-student educational products and services, primarily to high school and college students. Chegg collects sensitive personal information from users, such as information about users’ religious denomination, heritage, birthdate, parents’ income range, sexual orientation, and disabilities for Chegg’s scholarship search service, and users’ images and voice in connection with Chegg’s online tutoring services. As an employer, Chegg also collects such personal information as employees’ names, birth dates, Social Security numbers, and financial information.
In its Section 5 enforcement action complaint, the FTC alleged that Chegg’s poor data security practices resulted in four separate data breaches and the unauthorized publication of 40 million customers’ personal information. Among other alleged security lapses, Chegg “failed to have a policy, process, or procedure for inventorying and deleting users’ and employees’ personal information stored on Chegg’s network after that information is no longer necessary….”
On January 25, 2023, the FTC approved a settlement and consent agreement with Chegg. The consent order requires Chegg to establish, implement, and maintain a comprehensive information security program that protects the security, availability, confidentiality, and integrity of specified personal information of customers under Respondent’s control, including, among other security controls, “[p]olicies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures….” The consent order further requires Chegg to:
“Document and adhere to a retention schedule for Covered Information [meaning types of consumer personal information as defined in the consent order]. Such schedule shall set forth: (1) the purpose or purposes for which each type of Covered Information is collected; (2) the specific business needs for retaining each type of Covered Information; and (3) a set timeframe for deletion of each type of Covered Information (absent any intervening deletion requests from consumers) that precludes indefinite retention of any Covered Information….”
The FTC is also homing in on unnecessary data retention in its recent privacy enforcement actions under FTC Act Section 5, punctuated by millions of dollars in civil penalties:
- U.S. v. GoodRx Holdings, Inc., No. 3:23-cv-460 (N.D. Cal. February 23, 2023)
GoodRx Holdings, Inc. is a “consumer-focused digital healthcare platform” that advertises, distributes, and sells health-related products and services directly to consumers. The FTC investigated GoodRx’s sharing of customer personal and health information with third-party social media platforms and advertisers as violations of FTC Act Section 5 and of the FTC’s Health Breach Notification Rule. The matter was resolved with a Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Relief filed in February 2023 in the United States District Court for the Northern District of California.
Among the order’s various requirements, GoodRx must identify and instruct all entities that received personal information of GoodRx’s customers to delete all such information wrongfully received from GoodRx and to confirm such deletion in writing. GoodRx must also establish, implement, and maintain a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of the consumers’ personal information. One mandated safeguard for the privacy program is that GoodRx must establish and maintain a data retention policy that includes:
“a retention schedule that limits the retention of Covered Information for only as long as is reasonably necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be destroyed, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order;” and
“a requirement that each Covered Business document, adhere to, and make publicly available … a retention schedule for Covered Information, setting forth: (1) the purposes for which such information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a set timeframe for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumers) that precludes indefinite retention of any Covered Information.”
The Stipulated Order also assessed a civil penalty against GoodRx of $1,500,000.
- In re BetterHelp, Inc., File No. 2023169 (FTC March 2, 2023)
BetterHelp offers online counseling services. Consumers fill out a questionnaire with sensitive mental health information and also provide their name, email address, birth date, and other personal information. BetterHelp promised consumers that it would not use or disclose their personal health data except for limited purposes, such as to provide counseling services. But according to the FTC, BetterHelp provided consumers’ email addresses, IP addresses, and health questionnaire information to such social media platforms as Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, which, along with other alleged data security and privacy program shortcomings, violated Section 5 of the FTC Act.
On March 2, 2023, the FTC approved a consent order with BetterHelp, subject to a thirty-day public comment period. The terms of the consent order mirror those in GoodRx summarized above, including the requirement that BetterHelp instruct entities to delete customer information wrongfully received from BetterHelp and to confirm such deletion, and also the same requirements to document, adhere to, and publish a retention schedule for consumers’ personal information “that precludes indefinite retention of any Covered Information.”
The FTC also assessed a civil penalty against BetterHelp of $7,800,000.
The FTC is not being subtle about this. In case the message hasn’t landed, a February 2023 FTC blog post laid out three key elements for systemically addressing the security and privacy risks of complex data systems. Beyond multi-factor authentication and encrypted/authenticated system connections, what is the third crucial element? You guessed it:
(3) Requiring companies to develop a data retention schedule, publish it, and then stick to it
A final provision is a requirement to develop a data retention schedule, publish it, and then stick to it. This embraces the premise that the most secure data is the data that’s not stored at all. Further, implementing this requirement inevitably requires companies to have a strong internal catalogue of all the data they store. This provides other benefits, such as ensuring that they’ll be able to comprehensively comply with requests from users to delete data and have the information needed to prioritize protections based on the types of data they’re storing.
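The three schedule elements quoted from the Chegg and GoodRx orders above (purpose, specific business need, and a set deletion timeframe that precludes indefinite retention), together with the FTC blog post’s point that the schedule only works on top of an internal catalogue of stored data, translate directly into an enforceable control. The following Python is added here as an illustration; it is not drawn from any FTC order or from any respondent’s actual program. It models a schedule in which every category of Covered Information must carry a purpose, a business need and a finite retention window, then runs the schedule over a constructed data inventory: expired records and records whose subject has made a deletion request are queued for deletion, records under a legal hold (the GoodRx carve-out for government requests or legal requirements) are retained, and records in a category the schedule does not cover are flagged as an inventory gap rather than silently kept. The categories, record IDs, subject IDs and retention periods are hypothetical.

```python
"""Retention-schedule enforcement over a data inventory.

Added illustrative code, not taken from any FTC order. Categories, retention
periods and records below are constructed examples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class RetentionRule:
    """One line of the published retention schedule for a category of Covered Information."""
    category: str
    purpose: str                 # (1) purpose for which this type of information is collected
    business_need: str           # (2) specific business need for retaining it
    max_age_days: Optional[int]  # (3) set timeframe for deletion; None would mean "indefinite"


@dataclass(frozen=True)
class Record:
    """An entry in the internal data catalogue: what is stored, about whom, and since when."""
    record_id: str
    category: str
    subject_id: str
    collected_at: datetime


def schedule_errors(rules: Iterable[RetentionRule]) -> List[str]:
    """Return every defect that would make the schedule non-compliant with the order language."""
    errors: List[str] = []
    seen: Set[str] = set()
    for r in rules:
        if r.category in seen:
            errors.append(f"{r.category}: duplicate schedule entry")
        seen.add(r.category)
        if not r.purpose.strip() or not r.business_need.strip():
            errors.append(f"{r.category}: purpose and business need are required")
        if r.max_age_days is None or r.max_age_days <= 0:
            errors.append(f"{r.category}: schedule must set a finite deletion timeframe")
    return errors


def validate_schedule(rules: Iterable[RetentionRule]) -> Dict[str, RetentionRule]:
    """Reject a schedule that permits indefinite retention; otherwise index it by category."""
    rules = list(rules)
    errors = schedule_errors(rules)
    if errors:
        raise ValueError("; ".join(errors))
    return {r.category: r for r in rules}


def plan_deletions(records: Iterable[Record], schedule: Dict[str, RetentionRule],
                   deletion_requests: Set[str], legal_holds: Set[str],
                   now: datetime) -> Dict[str, List[str]]:
    """Classify every catalogued record as delete / retain / hold / unclassified.

    A legal hold (data a government agency requested or law requires be kept) overrides
    both the schedule and a consumer deletion request, as the GoodRx order allows.
    A record whose category is missing from the schedule is an inventory gap: the
    schedule cannot govern data it does not know about, so it is surfaced, not ignored.
    """
    plan: Dict[str, List[str]] = {"delete": [], "retain": [], "hold": [], "unclassified": []}
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            plan["unclassified"].append(rec.record_id)
            continue
        if rec.subject_id in legal_holds:
            plan["hold"].append(rec.record_id)
            continue
        expired = now - rec.collected_at > timedelta(days=rule.max_age_days)
        if expired or rec.subject_id in deletion_requests:
            plan["delete"].append(rec.record_id)
        else:
            plan["retain"].append(rec.record_id)
    return plan


def deletion_report(plan: Dict[str, List[str]], records: Iterable[Record]) -> Dict[str, int]:
    """Per-category counts of what will be destroyed, for the documentation the orders require."""
    by_id = {r.record_id: r for r in records}
    counts: Dict[str, int] = {}
    for rid in plan["delete"]:
        cat = by_id[rid].category
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed schedule: each category names its purpose, business need and a finite window.
SCHEDULE = validate_schedule([
    RetentionRule("order_history", "fulfil and support purchases", "returns, chargebacks, tax records", 7 * 365),
    RetentionRule("marketing_consent", "send promotional email", "prove consent was given", 2 * 365),
    RetentionRule("support_ticket", "resolve customer issues", "follow up on open issues", 365),
])

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def _days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed inventory covering each outcome the planner can produce.
RECORDS = [
    Record("r1", "order_history", "u100", _days_ago(30)),        # within window: retain
    Record("r2", "order_history", "u101", _days_ago(8 * 365)),   # past 7-year window: delete
    Record("r3", "marketing_consent", "u102", _days_ago(100)),   # fresh, but subject asked for deletion
    Record("r4", "support_ticket", "u103", _days_ago(400)),      # expired, but under legal hold
    Record("r5", "ssn_scan", "u104", _days_ago(5)),              # category not in schedule: inventory gap
]


def run_example() -> Dict[str, List[str]]:
    return plan_deletions(RECORDS, SCHEDULE, deletion_requests={"u102"}, legal_holds={"u103"}, now=NOW)


if __name__ == "__main__":
    plan = run_example()
    print(plan)
    print(deletion_report(plan, RECORDS))
```

The `unclassified` bucket is the practical link between the schedule and the catalogue the FTC blog post describes: a retention job that only iterates over categories it already knows about will never find the store nobody documented, so anything that cannot be matched to a schedule line should be treated as a finding, not as data to keep by default.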