Last month, amid the furor around its proposal to ban the use of non-compete agreements,[1] the Federal Trade Commission (“FTC”) announced settlements with a fintech company and an edtech company that resemble its October 2022 order against the online delivery platform Drizly, a decision the agency promised would have “a 100% chance of far-reaching” impacts.[2]
On January 23, the FTC finalized its order against Credit Karma, which allegedly used deceptive interface designs known as “dark patterns” to lead consumers to believe they were pre-approved for credit cards when many were not close to qualifying, which in some cases lowered their credit scores.
Credit Karma is the FTC’s second major decision involving dark patterns (digital design tricks) since its September 2022 report on strategies used by retailers “to get consumers to part with their money or data”[3] through online subscription services. Credit Karma has agreed to pay $3 million, to be distributed to the affected consumers.
The first major decision came in December 2022, when the FTC announced proposed settlements with Epic Games over allegations that users were charged for virtual merchandise without their consent. The proposed settlements total more than $500 million, including $275 million for violating the Children’s Online Privacy Protection Act.
On January 27, the FTC finalized its order against Chegg, an online education provider that experienced four separate data breaches between 2017 and 2020. The case was notable not only for the number of breaches but also for the types of personal information compromised, which included passwords that had been stored in plaintext rather than as salted hashes, so that a copy of the database exposed the passwords themselves.
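To make the plaintext-password finding concrete, the following is an added example (not code from the FTC order, from Chegg, or from this article) contrasting the two storage patterns: keeping the password itself in the user record versus keeping only a salted, deliberately slow PBKDF2 hash, so that a breach of the stored record does not hand an attacker the password. The iteration count, field names and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; a real deployment tunes this
# to its hardware and reviews it periodically.
ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """The pattern at issue in the Chegg order: the record contains the
    password itself, so anyone who reads the record has the password."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a per-user salted, slow hash. The salt is random so two
    users with the same password get different records, and the iteration
    count makes offline guessing expensive after a breach."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type using a
    constant-time comparison."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), candidate.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def password_exposed_by_breach(record: dict) -> bool:
    """What a leaked copy of the record gives an attacker directly: the
    plaintext scheme reveals the password, the hashed scheme does not."""
    return record["scheme"] == "plaintext"


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    weak = store_plaintext("correct horse battery staple")
    strong = store_hashed("correct horse battery staple")
    print("plaintext record leaks password:", password_exposed_by_breach(weak))
    print("hashed record leaks password:", password_exposed_by_breach(strong))
    print("hashed record still verifies login:", verify(strong, "correct horse battery staple"))
```

Note that the hashed record still lets the service verify a login; what changes is only what a stolen copy of the record is worth. Breach-notification obligations still apply either way, but the harm a regulator weighs, and the remediation demanded, differ considerably between the two.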
In addition to the usual requirements in settlements involving alleged data security violations – maintenance of an incident response plan, risk assessments, and implementation of a written security program – the FTC’s order requires Chegg to also adopt data minimization policies, including a retention schedule that sets forth:
(1) the purpose or purposes for which each type of Covered Information is collected; (2) the specific business needs for retaining each type of Covered Information; and (3) a set timeframe for deletion of each type of Covered Information.
While the above decisions suggest the FTC has been on a tear lately, this activity is neither unprecedented nor unexpected. In July 2019, in the span of two days, the FTC announced a $700 million settlement with a national credit bureau and a $5 billion settlement with Facebook for alleged data privacy and security violations.
In October 2021, after being confirmed as the FTC’s new chair, Commissioner Lina Khan declared: “Policing data privacy and security is now a mainstay of the FTC’s work” and “we must update our approach to keep pace with new learning technologies and technological shifts.”[4]
Indeed, as outlined on February 7 by Polsinelli Health Care lawyer Iliana Peters, the FTC’s updated approach was on display two weeks ago when it announced a $1.5 million civil penalty order under its Health Breach Notification Rule against a health care entity that failed to notify of a breach related to the use of website tracking, marketing, and advertising technologies.[5]
With the arrival of generative AI tools such as ChatGPT, the surge in new types of data privacy lawsuits involving web tracking tools,[6] and the intensifying crackdown on dark patterns, every organization that handles personal information should keep its data program both vigilant and flexible.