FTC Warns Over Improper Data Collection : Development & Analytics

By admin

FTC
ORG

Warns Over Improper Data Collection

On

September 18th
DATE

,

2023
DATE


the Federal Trade Commission
ORG

(

FTC
ORG

) sent a letter to

five
CARDINAL

tax preparation companies over possible unfair and deceptive practices. These letters state that data collection for marketing and advertising purposes, when gathered in a confidential context, could be a violation that could subject the company to a fine. An overview of this action can be found in the press release.

We can see from

the Recipients of the Notice
WORK_OF_ART

that this includes:

H&R Block

Intuit

TaxAct

TaxSlayer


The Lampo Group
ORG

,

LLC
ORG

d/b/a Ramsey Solutions

Note: Just because a company got a letter, does not mean they (at this point) have done anything wrong.

However the letter also put those companies on notice.

Receipt of this notice of penalty offenses puts you and your company on notice that engaging in the conduct described therein could subject you and your company to civil penalties of

up to $50,120
MONEY

per violation. We are aware of information suggesting that you have engaged in or are engaging in deceptive or unfair conduct. You should take prompt action, including by reviewing all your practices, to ensure any deceptive or unlawful claims cease and are removed or corrected, as appropriate, and any other required disclosures are made. https://www.ftc.gov/system/files/ftc_gov/pdf/NPO-Misuse-Information-Collected-Confidential-Contexts-Cover-Letter_0.pdf

At the same time, the

FTC
ORG

published a blog post about the what it expects. It states that at minimum, companies which get confidential data need to get a consumers affirmative express consent prior to using that data for any purpose other what the consumer explicitly requested. The following paragraph has some examples worth noting:

[T]he Commission considers it an unfair or deceptive act or practice to use tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context for the purposes described in the prior paragraph without

first
ORDINAL

obtaining affirmative express consent. It is also an unfair or deceptive practice to misrepresent or omit material facts regarding the use or confidentiality of information collected in a

Confidential Context
ORG

through tracking technologies such as pixels, cookies, or SDKs. https://www.ftc.gov/business-guidance/blog/2023/09/companies-warned-about-consequences-loose-use-consumers-confidential-data

The blog is also quick to call out that:

Spoiler alert: burying something in your Privacy Policy or Terms of Service doesn’t meet the “clear and conspicuous” standard. https://www.ftc.gov/business-guidance/blog/2023/09/companies-warned-about-consequences-loose-use-consumers-confidential-data

So it could be reasoned that the

FTC
ORG

is likely expecting some sort of overt banner, widget, dialog, or popup to be shown to the user prior to the collection taking place. It may also be a good idea to have a consent system of record – so it can be shown that a specific user actually did consent to the data usage.

Next Steps

Any company dealing with confidential contexts will want to take note of this warning. They’ll need to evaluate their data collection, determine if consent is needed and either build in systems to request such consent, or remove the offending technology. By the look of the letter, the

FTC
ORG

expects quick action, and there will be no further warnings.