September 26, 2022

Volume XII, Number 269


September 23, 2022

Subscribe to Latest Legal News and Analysis

Life After Dobbs: FTC Now Plans to “Vigorously Enforce the Law” Against Illegal Use and Sharing of Highly Sensitive Data

The Federal Trade Commission (FTC) recently announced plans to crack down on the illegal use and sharing of sensitive data in response to the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (Dobbs).

What Led to this Announcement?  

The recent Dobbs decision not only impacted abortion rights, but also included provisions diminishing constitutional privacy protections. Given this impact on privacy, the FTC has moved to ensure that businesses take steps to protect highly sensitive data. As a first step, the FTC released an announcement that not only reinforces the widespread role of sensitive data in our lives, but also states its plans to fully enforce the law against illegal use and sharing of highly sensitive data.

The Growing Use of Highly Sensitive Data:

According to the FTC, among the most sensitive categories of data are a person’s precise location and health data. These data points can be used to reveal employment, sleep patterns, religious practices, medical appointments, blood sugar, fitness, and even menstrual cycle data. As technology continues to advance, smartphones, cars, and other technological devices derive these—and other—categories of sensitive data. And while technological developments provide undeniable benefits, the FTC flags that “there is a behind-the-scenes irony” in that “data that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers.” These strangers are adtech and data broker companies that collect, combine, sell, and/or monetize data. The data paired with artificial intelligence algorithms can make determinations such as which consumers are expectant parents. The FTC has flagged a concern that the ability to make such determinations and practices such as this may be harmful.

The FTC’s Plans to Fight Back:

The FTC plans to vigorously enforce laws such as the Safeguards Rule (protecting covered financial data), the Health Breach Notification Rule (protecting covered health data), the Children’s Online Privacy Protection Act Rule (protecting covered children’s data), and other state and federal laws that govern the collection, use, and sharing of sensitive data. The FTC specifically flagged that companies should:

  • Secure the data. Utilize appropriate technical and organizational measures to protect sensitive data.

  • Avoid overly broad security claims. Of note, companies should avoid making claims that data is “anonymous” unless said data cannot be re-identified. Such claims can be viewed as a deceptive trade practice in violation of the FTC Act when untrue. Research has shown that “anonymized” data can often be re-identified, so these claims present a slippery slope. One set of researchers demonstrated that it was possible to identify 95% of a dataset of 1.5 million individuals by using four location points with timestamps.

  • Keep their promises. As discussed in our recent alert, the FTC is cracking down on companies that misrepresent how personal data will be used.

These are but a few considerations for companies that process sensitive data in a post-Dobbs world. The FTC will, undoubtedly, continue to watch for best practices and work to push transparency.

Primary Takeaway:

As the FTC prepares to increase its enforcement activity against the illegal use and sharing of highly sensitive data, companies should regularly review their data privacy and security practices. In particular, companies should avoid making false statements about how they handle data and ensure that they are clear about data practices when communicating with consumers.

© 2022 ArentFox Schiff LLPNational Law Review, Volume XII, Number 203

About this Author

Eva J. Pulliam Attorney Brand Protection Arent Fox Schiff Washington DC

Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 

In the privacy space, Eva counsels clients around data collection, use, and transfer, as...

Christine Chong Privacy Attorney ArentFox Schiff San Francisco

As an Associate on the privacy, cybersecurity, and data protection team, Christine helps clients with regulatory compliance, data breach response, technology transactions, vendor contracting, marketing initiatives, and external and internal-facing policies. Her clients include international consumer products, e-commerce, manufacturing, data analytics services, retail and technology businesses, and not-for-profit organizations. 

Christine regularly advises on ethical data use, machine learning and artificial intelligence, vendor contracting, and...

Destiny Planter Attorney Copyright Law ArentFox Schiff Washington DC

Prior to joining ArentFox Schiff, Destiny was awarded the Frances Phillips Fellowship. She used this opportunity to work with the African Network for the Prevention and Protection against Child Abuse and Neglect and volunteer in orphanages in Kenya and Ghana. She then joined the Carolina College Advising Corps at Ben L. Smith High School in Greensboro, North Carolina, where she worked to increase the rates of college enrollment and completion among low-income, first-generation college and underrepresented high school students.

While in law...