Listen to this article
Increased data privacy enforcement means businesses should be paying attention to their own data collection practices and data privacy risks.
Companies including Sephora and Apple recently reached significant financial settlements over data privacy issues. And law enforcement agencies like the Federal Trade Commission are looking to boost data privacy enforcement with additional rulemaking.
Data privacy enforcement is not new. Yet the number of enforcers including states, local governments and consumers empowered by privacy laws is growing, meaning an uptick in enforcement and settlements, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals in Washington, D.C.
Cobun Zweifel-KeeganManaging director, International Association of Privacy Professionals
"There are more regulators out there with specific rules that they're able to enforce against companies and make sure that those best practices are evolving to keep up with these new rules," he said.
Implications for businesses
Sephora, a multinational French beauty products company with U.S. headquarters in San Francisco, settled a lawsuit in August filed by the state of California after allegations that the company collected consumer geolocation data, information about what products consumers viewed online and other personal identifiers that the company sold to third parties. California, a state that has the most stringent data privacy law on the books, fined Sephora $1.2 million.
Apple settled a class action lawsuit in August regarding its iCloud service for a breach of contract for storing customer data on third-party servers instead of Apple servers. Apple agreed to a $14.8 million settlement. Also in August, Meta, Facebook's parent company, reportedly agreed to settle the Northern District of California lawsuit alleging Facebook illegally shared user data with U.K.-based data firm Cambridge Analytica.
Recent data privacy settlements highlight risks when collecting personal data. Chris McClean, global lead for digital ethics at IT consulting firm Avanade, recommends that businesses conduct a risk assessment and consider the reputational, financial and operational damage should that data be compromised or released in a manner that breaks data privacy laws.
"These are all data points if you're thinking about what is the risk related to privacy, if you have any kind of consumer data or personal data," McClean said.
As enforcers and consumers become more attuned to data privacy rights, Zweifel-Keegan said businesses should shift the way data privacy is handled within the organization.
Instead of simply providing users with proper notice about what is happening to their data and choices for what to do with it, Zweifel-Keegan said consumers and data privacy enforcers want to see more businesses providing default data privacy settings, as well as practicing data privacy principles such as data minimization and reducing the amount of actual data collected to only that needed for a specific business purpose.
"Every week it becomes clearer that those companies that are not engaged in keeping up with the best practices are going to be potentially subject to scrutiny," Zweifel-Keegan said.
FTC's data privacy enforcement authority
The FTC wants to increase its enforcement abilities when it comes to data privacy as the agency considers rules that would address data security practices and commercial surveillance, or when a business collects, analyzes and profits from personal data.
During an FTC forum Thursday, FTC Chair Lina Khan said the new rules would provide clarity on data practices that are unfair or deceptive -- clarity that may also play out in the FTC's current lawsuit against data broker Kochava.
In August, the FTC sued Kochava for selling geolocation data that could track users' movements to sensitive locations such as reproductive health clinics, domestic violence shelters and places of worship.
Zweifel-Keegan said Kochava "forced" the FTC's hand when it sued the FTC in August, asserting the FTC's jurisdiction was invalid. In its lawsuit, Kochava counters the FTC's allegations, claiming that the kind of consumer tracking the FTC believes Kochava's data collection allows can't be done or tied to a consumer's specific location.
Kochava contests that its actions fall under the FTC's prohibition on consumer unfairness, which the commission defines as an act that "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition."
The FTC's enforcement authority for consumer protection is allowed when prohibited actions, deemed "unfair or deceptive acts or practices," occur. In most FTC cases related to data privacy, the agency focuses on the "deception part of their enforcement authority," which is a concrete step or practice by a company that could mislead a consumer, Zweifel-Keegan said.
That's not what the agency is alleging in the Kochava case, he said. Instead, Zweifel-Keegan said the FTC is alleging that Kochava's business practice of selling geolocation data is unfair to consumers, which is murkier than a concrete deception case in that it's alleging it could cause consumer harm rather than pointing out specific harms caused.
"Regardless of how it turns out, it will inform not just what the best practices are for privacy, but also what the bounds of the FTC's authority are because this is bringing to the foreground some questions that have never been fully resolved in law about how the FTC is meant to approach its unfairness jurisdiction," Zweifel-Keegan said.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.