Life After Dobbs: FTC Now Plans to “Vigorously Enforce the Law” Against Illegal Use and Sharing of Highly Sensitive Data
The Federal Trade Commission (FTC) recently announced plans to crack down on the illegal use and sharing of sensitive data in response to the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (Dobbs).
What Led to this Announcement?
The recent Dobbs decision not only impacted abortion rights, but also included provisions diminishing constitutional privacy protections. Given this impact on privacy, the FTC has moved to ensure that businesses take steps to protect highly sensitive data. As a first step, the FTC released an announcement that not only reinforces the widespread role of sensitive data in our lives, but also states its plans to fully enforce the law against illegal use and sharing of highly sensitive data.
The Growing Use of Highly Sensitive Data:
According to the FTC, among the most sensitive categories of data are a person’s precise location and health data. These data points can be used to reveal employment, sleep patterns, religious practices, medical appointments, blood sugar, fitness, and even menstrual cycle data. As technology continues to advance, smartphones, cars, and other technological devices derive these—and other—categories of sensitive data. And while technological developments provide undeniable benefits, the FTC flags that “there is a behind-the-scenes irony” in that “data that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers.” These strangers are adtech and data broker companies that collect, combine, sell, and/or monetize data. The data paired with artificial intelligence algorithms can make determinations such as which consumers are expectant parents. The FTC has flagged a concern that the ability to make such determinations and practices such as this may be harmful.
The FTC’s Plans to Fight Back:
The FTC plans to vigorously enforce laws such as the Safeguards Rule (protecting covered financial data), the Health Breach Notification Rule (protecting covered health data), the Children’s Online Privacy Protection Act Rule (protecting covered children’s data), and other state and federal laws that govern the collection, use, and sharing of sensitive data. The FTC specifically flagged that companies should:
Secure the data. Utilize appropriate technical and organizational measures to protect sensitive data.
Avoid overly broad security claims. Of note, companies should avoid making claims that data is “anonymous” unless said data cannot be re-identified. Such claims can be viewed as a deceptive trade practice in violation of the FTC Act when untrue. Research has shown that “anonymized” data can often be re-identified, so these claims present a slippery slope. One set of researchers demonstrated that it was possible to identify 95% of a dataset of 1.5 million individuals by using four location points with timestamps.
Keep their promises. As discussed in our recent alert, the FTC is cracking down on companies that misrepresent how personal data will be used.
These are but a few considerations for companies that process sensitive data in a post-Dobbs world. The FTC will, undoubtedly, continue to watch for best practices and work to push transparency.
As the FTC prepares to increase its enforcement activity against the illegal use and sharing of highly sensitive data, companies should regularly review their data privacy and security practices. In particular, companies should avoid making false statements about how they handle data and ensure that they are clear about data practices when communicating with consumers.