FTC Warns Over Improper Data Collection : Development & Analytics
On September 18th, 2023
the Federal Trade Commission( FTC ) sent a letter to five tax preparation companies over possible unfair and deceptive practices. These letters state that data collection for marketing and advertising purposes, when gathered in a confidential context, could be a violation that could subject the company to a fine. An overview of this action can be found in the press release.
We can see from the Recipients of the Noticethat this includes:
The Lampo Group, LLC d/b/a Ramsey Solutions
Note: Just because a company got a letter, does not mean they (at this point) have done anything wrong.
However the letter also put those companies on notice.
Receipt of this notice of penalty offenses puts you and your company on notice that engaging in the conduct described therein could subject you and your company to civil penalties of up to $50,120per violation. We are aware of information suggesting that you have engaged in or are engaging in deceptive or unfair conduct. You should take prompt action, including by reviewing all your practices, to ensure any deceptive or unlawful claims cease and are removed or corrected, as appropriate, and any other required disclosures are made. https://www.ftc.gov/system/files/ftc_gov/pdf/NPO-Misuse-Information-Collected-Confidential-Contexts-Cover-Letter_0.pdf
At the same time, the FTCpublished a blog post about the what it expects. It states that at minimum, companies which get confidential data need to get a consumers affirmative express consent prior to using that data for any purpose other what the consumer explicitly requested. The following paragraph has some examples worth noting:
[T]he Commission considers it an unfair or deceptive act or practice to use tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context for the purposes described in the prior paragraph without firstobtaining affirmative express consent. It is also an unfair or deceptive practice to misrepresent or omit material facts regarding the use or confidentiality of information collected in a Confidential Context through tracking technologies such as pixels, cookies, or SDKs. https://www.ftc.gov/business-guidance/blog/2023/09/companies-warned-about-consequences-loose-use-consumers-confidential-data
The blog is also quick to call out that:
So it could be reasoned that the FTCis likely expecting some sort of overt banner, widget, dialog, or popup to be shown to the user prior to the collection taking place. It may also be a good idea to have a consent system of record – so it can be shown that a specific user actually did consent to the data usage.
Any company dealing with confidential contexts will want to take note of this warning. They’ll need to evaluate their data collection, determine if consent is needed and either build in systems to request such consent, or remove the offending technology. By the look of the letter, the FTCexpects quick action, and there will be no further warnings.