This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
As mentioned earlier, The FTC enforces privacy and data security beyond its regulatory ambit for sector-specific privacy and security laws such as GLBA, FACTA, and COPPA. It does so under the authority of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). The FTC’s targeted businesses for Section 5 data security enforcement have ranged from the large and well-known to the small and obscure. But the common theme is that the business, according to the FTC, either deceptively or unfairly engaged in unreasonable and inadequate data security practices for consumers’ personal information (PI).
In several Section 5 enforcement proceedings before 2019 the FTC alleged that the combination of several inadequate data security practices “taken together,” and including retaining consumers’ PI beyond any business need, can collectively be an unfair trade practice under Section 5. Such past FTC data security matters mentioning over-retention include enforcement actions against BJ’s Wholesale Club, Inc., DSW Inc., Life is good, Inc., Ceridian Corporation, and Cbr Systems, Inc.
But in its recent Section 5 enforcement actions against InfoTrax Systems and SkyMed International, the FTC has changed its approach, elevating over-retention to be a core data security failure. In each of these cases, as it had in the past, the FTC alleged multiple data security lapses, including the failure to dispose of PI once “no longer necessary.” Yet the language of these recent complaints no longer uses the “taken together” language of the earlier enforcement actions, allowing over-retention of PI to stand on its own as an unreasonable data security practice. And the consent orders in these cases, unlike the FTC’s earlier enforcement matters, set forth the explicit, independent requirement that the respondents must have policies, procedures, and measures to delete PI once it is no longer necessary. Continue Reading Less data is more than ever: The FTC and the reasonable data security program