Lessons from FTC Enforcement on Security Language in Privacy Notices


Some Background

The FTC has finalized its order against Drizly, a popular alcohol delivery app, for failing to implement reasonable data security measures, despite representations that it did so in its privacy notice. This stern reprimand from the FTC has reinforced its commitment to privacy compliance, and its holding Drizly’s CEO personally accountable for the data security failures of the company has, understandably, sparked worry for many business leaders. 

In this blog post, VeraSafe examines the FTC’s approach in privacy matters, including the Drizly action. We explore what businesses can do to mitigate their risk and avoid similar enforcement actions by reviewing the best practices for privacy notices (also known as privacy policies) in light of various similar cases. By examining the FTC’s standpoint in these cases, we aim to provide guidance on how businesses should phrase their privacy notices to protect themselves from potential enforcement actions.

Key Takeaways (TL;DR)

  • The FTC relies on Section 5(a) of the Federal Trade Commission Act (FTC Act) to institute privacy enforcement actions. This section prohibits any  unfair or deceptive acts or practices in or affecting commerce.
  • Businesses that choose to include specific and detailed language about security measures in their privacy notice must live up to those promises to avoid being held liable for deception by the FTC. However, this also means that the privacy notice must be frequently updated, which can be a time-consuming task with a high risk for errors. 
  • On the other side, some businesses choose to not address security measures in their privacy notices at all, as applicable laws may not require them to include such disclosures. However, this approach does not necessarily protect a business from FTC scrutiny under the “unfair…acts or practices” prong of Section 5(a), and the lack of transparency can also harm trust with consumers. 
  • To avoid these issues, VeraSafe recommends taking a middle ground approach.  This involves describing and implementing industry standard security practices in general but useful terms. VeraSafe has the know-how and resources to assist you and your business with crafting a privacy notice that balances these considerations and minimizes the risk of FTC enforcement.

FTC’s Approach to Deceptive Acts or Practices: Are Specific or General Statements More Risky?

The FTC’s approach to deceptive acts and practices is essentially rooted in misrepresentation. This means that if a company makes a representation (or promise) about its data practices and standards, but then fails to implement those practices or meet those standards, the FTC may consider this deceptive. These representations are usually made in the company’s privacy notice.

The question is, can having more general language in a privacy notice, or omitting detailed data security practices language altogether, shield your business from the FTC finding deceptive acts or practices?

To answer this question, theVeraSafe privacy and data protection consulting team analyzed several recent FTC enforcement actions. We found that the representations in privacy notices that were considered deceptive by the FTC used varying language, ranging from detailing very specific measures to general and vague statements.

Examples of enforcement actions where very specific language was used are:

  • Zoom, regarding statements around its use of end-to-end encryption and the level of encryption used. Since at least June 2016, Zoom had represented in its app, on its website, in its security guides, in its HIPAA Compliance Guide, on blog posts, and in direct communications with customers that it offered end-to-end encryption to secure video conference communications between hosts and attendees during Zoom meetings. Further, Zoom made numerous prominent claims (on the security page of its website, in its security guide, online help center and blog posts, etc.) that it encrypted Zoom meetings by using 256-bit encryption.     
  • Drizly, regarding statements about 128-bit encryption, firewalls and SSL. Drizly’s Privacy Policy in effect from September 1, 2016 until approximately October 1, 2019, included the following statement: “Security. All information we collect is securely stored within our database, and we use standard, industry-wide, commercially reasonable security practices such as 128-bit encryption, firewalls and SSL (Secure Socket Layers).” Drizly’s Privacy Policy in effect after October 1, 2019 contained similar language: “Security. We use standard security practices such as encryption and firewalls to protect the information we collect from you”; and
  • CafePress, regarding statements about use of encryption, firewalls, limited access, and other controls. For example, from June 2018 until in or around February 2020, Residual Pumpkin (doing business as CafePress) stated the following in its privacy policy on the www.cafepress.com website: “We do our best to provide you with a safe and convenient shopping experience. Our Websites incorporate physical, technical, and administrative safeguards to protect the confidentiality of the information we collect through the Websites, including the use of encryption, firewalls, limited access and other controls where appropriate.”

Examples of enforcement actions where vague and general language was used are:

  • Chegg Inc, who, from March 2017 to January 2020, stated in its privacy notice that “Chegg takes commercially reasonable security measures to protect the Personal Information submitted to us, both during transmission and once we receive it.” From January 2020 to the date of the complaint, Chegg’s privacy notice stated: “We take steps to ensure that your information is treated securely and in accordance with this privacy notice.”
  • Tapplock Inc, who stated in its privacy notice, accessible online to its U.S. customers, that, “To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.”

It appears that the FTC views not only specific statements, but also general ones, as potentially deceptive. To determine whether general statements are deceptive, the FTC uses its interpretative powers to determine what kind of security practices were required by the general statement and compares this against what measures the company in question actually implemented (or failed to implement). Therefore, diluting the wording of a privacy notice will not necessarily reduce the risk of an FTC enforcement action based on deceptive practices. But, what happens if a company chooses not to address data security practices in their privacy notices at all?

FTC’s Approach to Unfair Acts or Practices: The Risks of Omitting Language on Data Security

We have found that companies cannot avoid FTC enforcement actions by omitting language addressing data security in their privacy notices. The FTC’s enforcement actions against Skymed, InfoTrax and Lightyear illustrate this point, as the findings in these cases were not based on specific representations made by each company, rather solely on its “unfair” data security practices.

  • Skymed: The FTC noted that Skymed engaged in a number of practices that failed to provide reasonable security for the personal information it collected, including, among others, failing to “develop, implement, or maintain written organizational information security standards, policies, procedures, or practices”. Skymed also failed to provide guidance to employees and contractors regarding data security, encrypt personal data on its network and databases, assess risks, implement a policy, procedure, or practice for inventorying and deleting personal data that is no longer necessary, and use data loss prevention tools.
  • InfoTrax: From at least 2014 through March 2016, InfoTrax engaged in a number of unreasonable data security practices, including failure to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that was no longer necessary, adequately assess risk posed; detect malicious file uploads by implementing protections such as adequate input validation; adequately limit the locations to which third parties could upload unknown files on InfoTrax’s network, adequately segment InfoTrax’s network, and implement safeguards to detect anomalous activity and/or cybersecurity events, secure consumers’ personal information, including consumers’ SSNs, payment card information, bank account information and authentication credentials such as user IDs and passwords, which InfoTrax stored in clear, readable text on InfoTrax’s network.
  • Lightyear: Until at least June 2017, Lightyear engaged in a number of practices that failed to provide reasonable security for the personal information stored on its network. Among other things, Lightyear “failed to develop, implement, or maintain a written organizational information security policy.” Lightyear also failed to: provide guidance to employees and contractors regarding data security, assess risks, use readily available security measures to monitor its systems; impose reasonable data access controls, encrypt personal data and have a reasonable process to select, install, secure and inventory devices with access to personal information. 

The FTC found that these data security practices (or lack thereof) were unfair as they caused, or were likely to cause, substantial injury to consumers that was not outweighed by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers themselves. 

Meeting FTC Standards for Data Security: What Can Be Done to Protect Your Business and Consumers?

In sum, choosing  to include specific, detailed language about security measures in your privacy notices means that you must adhere to these standards to avoid being held liable for “deceptive acts or practices” by the FTC. Including specific language in your privacy notice will also require you to frequently update it to ensure it is current and accurately reflects your data security practices. This can be a burdensome task, which is often prone to error. 

While businesses are not always legally required to include information about their security practices in privacy notices, omitting this information will not necessarily protect them from potential FTC scrutiny under the “unfair acts or practices” provision. Further, not including this information does not foster transparency and trust with your consumers about how you protect their personal data, and this may damage your customers’ trust in your business. 

The takeaway from the VeraSafe privacy and data protection practice group’s review of FTC enforcement activity is that the FTC expects businesses to adhere to market standards, including: 

  • Implementing information security policies, procedures and practices, including a data retention schedule;
  • Ensuring that personal data is not stored in plain, readable text;
  • Training employees and third-party contractors on data security;
  • Appointing a senior person to oversee the company’s information security program and practices;
  • Conducting regular risk assessments;
  • Having a policy, procedure or practice in place for inventorying and deleting unnecessary personal data; and
  • Adhering to industry standards for passwords and access control (such as requiring unique and complex passwords and multi-factor authentication).

Implementing these measures and clearly describing them appropriately in your privacy notice is an important responsibility, and VeraSafe has the know-how and resources to help your business do this correctly. Please contact us via our website to discuss how we can help!

Contact VeraSafe to discuss your data security management and privacy program today.