Privacy violations, which used to be a relatively minor compliance issue for large corporations, have now become a much more serious concern. And a recent Federal Trade Commission case could be a sign of more aggressive enforcement practices to come.
Back in the early 2000s, privacy cases consisted mainly of actions brought by state regulators against fly-by-night operations that ran afoul of Do Not Call rules by placing large numbers of unwanted marketing robocalls. The data in Violation Tracker indicate that aggregate federal and state privacy penalties across the country were only a couple of million dollars per year.
Over the past decade, total agency privacy penalties have grown substantially, exceeding $50 million each year since 2016. The blockbuster cases fall into two major categories. The first involves corporations that were fined for allowing major breaches of their customers’ data to occur. For example, in 2018 Uber Technologies had to pay $148 million to settle a case brought by state attorneys general for a breach of data on 57 million customers and drivers—and for attempting to cover up the problem rather than reporting it to authorities.
The other category consists of cases in which corporations were directly responsible for the privacy violation. In 2019, for instance, Google and its sister company YouTube agreed to pay $136 million to the FTC and $34 million to New York State to settle allegations that the companies violated rules regarding the online collection of personal data on children.
This category also includes the largest privacy penalty of all—the $5 billion paid by Facebook to the FTC in 2019 for violating an earlier order by continuing to deceive users about their ability to control the privacy of their personal information.
Also in this category is a recent case handled by the FTC and the Department of Justice against WW International (formerly Weight Watchers International Inc.). The agencies are collecting $1.5 million in civil penalties from the company for violating the Children’s Online Privacy Protection Act in connection with their weight management service for children, Kurbo by WW. The government had alleged that WW collected personal data such as names and phone numbers as well as sensitive information such as weight from users as young as eight years old without parental consent.
In addition to the monetary penalty, the FTC took the unusual (but not unprecedented) step of requiring WW to delete their ill-gotten data and destroy any algorithms derived from it. As a blog post from the law firm Debevoise & Plimpton points out, this kind of punishment can have a major impact, given that a single tainted dataset may require the destruction of multiple algorithms.
Requiring corporate miscreants to destroy intellectual property is in line with the ideas recently proposed by Consumer Financial Protection Bureau director Rohit Chopra for using measures beyond monetary penalties in regulatory enforcement. Chopra called for forcing misbehaving companies to close or divest portions of their operations—and, in the most egregious cases, to lose their charters.
The moves by the FTC and the CFPB are signs that regulators are recognizing that aggressive new enforcement tools are needed to shake up large corporations that have grown too comfortable paying their way out of legal jeopardy.