
Responding to FTC Data Privacy Investigations

March 21, 2024

 


Dealing with an FTC investigation into a potential data breach or privacy violation can be stressful and confusing. But having a plan and understanding the process can help make it more manageable. This article provides an overview of key things to know when responding to an FTC inquiry.

The FTC’s Authority

The FTC (Federal Trade Commission) is the main federal agency that oversees consumer privacy and data security in the U.S. Under Section 5 of the FTC Act, the FTC has the authority to take action against companies engaged in “unfair or deceptive acts or practices” [1]. This gives it broad powers to investigate and sue companies for privacy violations or breaches.

Some key privacy and security laws the FTC enforces include [2]:

  • Health Breach Notification Rule – requires notification of breaches involving personal health records
  • Safeguards Rule – requires financial companies to have a comprehensive information security program
  • Children’s Online Privacy Protection Act (COPPA) – governs collection of data on children under 13

The FTC also expects companies to live up to the privacy promises they make to consumers. If you say you’ll safeguard data but fail to take reasonable security measures, the FTC may take action for deceptive practices [3].

The Investigation Process

If the FTC opens an investigation into your company, the first sign is usually a letter or phone call. This is followed by a Civil Investigative Demand (CID) requiring you to provide information or documents [4].

It’s important to carefully review the CID with experienced legal counsel. Focus on the “Subject of Investigation” section, which describes what the FTC is looking into. Is it investigating a specific breach incident? Reviewing your general data security practices? Understanding how you collect, use and share consumer data? Knowing the scope helps focus your response [5].

The FTC may also request interviews with employees or on-site inspections of facilities. While burdensome, it’s best to fully comply with FTC requests. Lack of cooperation can lead to subpoenas or false statement charges [6].

Getting Your House in Order

Before responding to FTC inquiries, it’s wise to conduct an internal review of your data practices. Assemble a team to audit your:

  • Data collection policies and consent procedures
  • Data retention and disposal practices
  • Data security safeguards and controls
  • Vendor management program
  • Breach response plan
  • Privacy policies and consumer notices

Identify any gaps that need to be addressed. It’s better to find issues yourself than have the FTC point them out.

Responding to FTC Requests

Once you receive a CID, you’ll need to gather the requested information. The FTC typically allows 30 days to respond. You can request an extension if needed [4].

Have your legal team review all materials before submitting to ensure responses are accurate, consistent and appropriate. Be cooperative, but protect privileged information. Answer questions transparently while putting your company’s actions in the most positive light.

Provide context to explain how your practices align with your specific business needs, resources and risk profile. Discuss improvements made and plans to enhance privacy and security going forward.

Potential Outcomes

There are several potential outcomes of an FTC investigation:

  • No action – If no problems are identified, the inquiry may simply end.
  • Settlement – The company agrees to take corrective actions, submit to audits and pay a fine.
  • Litigation – The FTC sues the company in federal court for privacy/security violations.

Over 75% of FTC privacy cases end in settlement [3]. Settlement terms typically include:

  • Implementing a comprehensive privacy/security program
  • Getting independent audits every 2 years for 20 years
  • No misrepresentations about privacy practices
  • Paying a monetary penalty

Avoiding litigation saves legal expenses. But settlements still require time and money for compliance. And bad press around privacy violations can harm reputation and customer trust.

Best Practices for Avoiding Investigations

The best defense is having robust privacy and security practices to lower breach risks. Recommended actions include:

  • Minimize data collection and retention periods
  • Anonymize or encrypt personal information where possible
  • Implement safeguards like access controls, network security, employee training
  • Perform risk assessments and mitigate identified risks
  • Have an incident response plan ready in case of a breach
  • Honor opt-out requests and provide consumer choice
  • Update privacy notices to accurately reflect data practices
  • Vet service providers handling sensitive data

No program is perfect. But showing good faith efforts to protect consumer data can help avoid problems if the FTC comes calling.

Dealing with FTC inquiries is never fun. But understanding the process, cooperating fully and showing your privacy/security program in the best light can help lead to the most positive outcome. With some preparation and expert guidance, you can navigate investigations in a way that minimizes disruptions and maintains customer trust.

References

[1] https://www.ftc.gov/news-events/media-resources/truth-advertising/enforcement
[2] https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule
[3] https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises
[4] https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/investigational-hearing-transcripts/guide-ftc-investigations
[5] https://www.afslaw.com/perspectives/privacy-counsel/tips-managing-the-response-ftc-civil-investigative-demand-privacy-and
[6] https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-civil-investigative-demands
https://www.loeb.com/en/insights/publications/2015/06/staying-out-of-the-ftcs-data-security-crosshairs

 
