` US government enforcement in the absence of a comprehensive federal privacy law - Clarip Privacy Blog
ENTERPRISE    |    CONSUMER PRIVACY TIPS    |    DATA BREACHES & ALERTS    |    WHITEPAPERS

US government enforcement in the absence of a comprehensive federal privacy law

us government enforcement

While the United States lacks a comprehensive federal data privacy law, the federal government has not remained idle. Recent legal developments and the proactive stance of regulatory bodies signal a significant shift in the protection of consumer privacy. Federal agencies are leveraging existing laws and regulatory frameworks to enforce protections for consumer data. What follows are only a few of the publicly known cases, many more are kept private.

Crunchyroll Settlement Spotlights Privacy Concerns

A noteworthy illustration of this shift in federal legislative thinking is the $13 million settlement reached in a class-action lawsuit against Sony’s Crunchyroll. The case, concluded in the Northern District of Illinois, emphasizes the importance of reinterpreting existing federal laws, particularly the Video Privacy Protection Act (VPPA), to reinforce data privacy. The VPPA, enacted in 1988, was endorsed during an era dominated by physical video media. Its principles have proven adaptable to the digital age. This settlement, occurring simultaneously with Crunchyroll’s announcement of a 24-hour news channel, serves as a poignant reminder of the critical need for robust privacy protections in an age where digital platforms handle vast amounts of personal data.

Facebook’s $5 Billion Penalty

On April 23, 2020, the U.S. District Court for the District of Columbia approved the United States’ motion to establish a stipulated order against Facebook, Inc. This legal action stemmed from a July 2019 complaint, wherein the government asserted that Facebook had violated a 2012 FTC Order and had engaged in new breaches of the FTC Act. These transgressions were related to Facebook’s alleged misrepresentation of how consumers could safeguard their personal data and the manner in which the company utilized such information.

The resulting settlement mandates Facebook to pay a substantial $5 billion civil penalty and introduces amendments to the 2012 FTC order. These amendments necessitate the implementation of comprehensive privacy measures, including the establishment of an independent assessor and a privacy committee to oversee compliance. Furthermore, the order requires privacy reviews for all Facebook-owned products and services, encompassing Instagram and WhatsApp. Notably, the social media giant must commit to annual compliance certifications, personally endorsed by Facebook CEO Mark Zuckerberg. The court, in its decision, rejected two motions to intervene in the case, filed by a data privacy advocacy group and a private individual. Facebook fulfilled the $5 billion penalty payment on April 29, 2020. This significant financial consequence is not merely punitive; it serves as a tangible indication of the government’s unwavering commitment to upholding and enforcing stringent privacy standards.

GoodRx has agreed to a $1.5 million fine

Digital health platform GoodRx has agreed to a $1.5 million fine in a groundbreaking enforcement action by the Federal Trade Commission (FTC), marking the first instance of such action. The California-based company allegedly shared sensitive consumer health information with advertisers, including data on prescription medications and health conditions, despite its privacy assurances. The FTC filed a complaint, accusing GoodRx of violating federal consumer protection laws and a rule overseeing unauthorized disclosures of personal health data. GoodRx shared information with major tech players, including Facebook and Google, as well as with advertising companies Criteo, Twilio, and Branch.

Since 2017, over 55 million consumers have used GoodRx’s platform for prescription drug discounts and telehealth services. In response, GoodRx stated that the settlement addresses an issue proactively resolved nearly three years ago. The case serves as a warning to companies using health information and technology firms engaged in targeted advertising based on user data. This marks the first time the FTC has enforced its health breach notification rule, signaling a proactive stance in safeguarding sensitive health data.

As part of the proposed court order, GoodRx would be required to instruct advertisers to delete improperly shared consumer health data. The order would permanently prohibit GoodRx from sharing health data for ads and mandate user consent for any data-sharing, pending court approval. GoodRx denied wrongdoing, asserting that the FTC’s complaint centered around a widely used tracking tool from Facebook known as the Pixel, which the company no longer employs. The FTC’s move underscores its commitment to preventing the misuse of sensitive consumer data, especially in the realm of health information.

FTC’s Vigilant Role in the Absence of Federal Privacy Laws

Amid the absence of comprehensive federal data privacy laws, the Federal Trade Commission (FTC) in emerging as a pivotal player in the realm of consumer privacy protection. Leveraging its authority, the FTC utilizes Section 5 of the FTC Act to enforce existing laws and combat deceptive or unfair practices related to consumer data. Recent enforcement actions by the FTC against companies for privacy-related violations underscore its commitment to addressing issues such as unauthorized access, inadequate data security measures, and deceptive privacy practices.

The educational role played by the FTC cannot be overstated. Providing guidance to businesses on best practices for data security and privacy, the commission advocates for transparent communication with consumers regarding data practices, the implementation of privacy-by-design principles, and effective responses to data breaches.

A Call for Comprehensive Legislation

While enforcing existing laws, the FTC consistently calls for the adoption of comprehensive federal privacy legislation. Urging Congress to pass laws that provide clearer guidelines on data protection, the commission seeks additional tools to regulate privacy practices effectively. Beyond enforcement and advocacy, the FTC scrutinizes potential mergers and acquisitions to prevent anticompetitive practices and assesses the impact on consumer privacy protections.

Recognizing the global nature of data flows, the FTC engages in international cooperation on privacy and data protection matters. Collaborating with international regulatory bodies and participating in forums dedicated to developing consistent global privacy standards, the FTC demonstrates a commitment to addressing challenges in the evolving digital landscape.

As legal developments continue to shape the privacy landscape, these actions by both the judicial system and regulatory bodies underscore a collective effort to fortify consumer privacy rights. While the legal framework evolves, the proactive stance of regulatory bodies like the FTC remains instrumental in establishing and enforcing privacy protections in the absence of a dedicated federal privacy law.

Clarip’s Data Privacy Governance Platform ensures transparency with users and compliance with all consumer privacy regulations. Clarip takes data privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust!

Contact us at www.clarip.com/privacy/contact or call Clarip at 1-888-252-5653 for a demo.

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com

Related Content:

Making the Case for Data Minimization
Automated Data Mapping
Data Discovery
Looking for Product Data Sheets?

The pixel
Show Buttons
Hide Buttons