Are Fines Enough? FTC Disgorgement Penalties for Privacy Violations, Explained

On January 11, 2021, the Federal Trade Commission (FTC) issued a Consent Order that has major implications for data privacy enforcement. In the Matter of Everalbum, Inc. involved misrepresentations made by the operators of a photo storage application. After an FTC investigation, the agency and Everalbum reached an agreement requiring deletion of the misused biometric information as well as the valuable models and algorithms developed using that data. In order to rectify the harm caused by Everalbum, the Consent Order went beyond simple deletion and required the company to disgorge itself of the benefits generated with misused sensitive data. If this case is any indication, disgorgement is likely to become one of the main enforcement tools the FTC uses to disincentivize deceptive practices in the data processing industry. This article discusses the Everalbum case and disgorgement, so that companies can gain a better appreciation of the risks they face when misusing data.

What is Disgorgement?

Disgorgement is a type of penalty in which a company is ordered to give up any benefit it gained from an unlawful practice. Traditionally the FTC has sought disgorgement in cases where a deceptive business practice results in profits. The FTC may order a company to disgorge itself of profits obtained under deceptive or false pretenses, adding a major disincentive for future deceptive practices. In the context of data privacy, however, the FTC is likely to seek disgorgement of non-monetary benefits such as the models and algorithms developed by Everalbum. Assets of this nature are often more valuable than the data itself, and disgorgement can result in years of work being scrapped.

What did Everalbum do that resulted in an FTC investigation?

Everalbum, Inc. operates Ever, a cloud-based photo storage and organization application available globally on mobile platforms. In 2017, Everalbum added a feature to the app which, by default, integrated facial-recognition software that processed user-uploaded content. While the “Help” section on Everalbum’s website indicated that facial recognition could be disabled in the app, users outside of the EU, Texas, Illinois, and Washington did not have the ability to disable facial recognition. Millions of user-uploaded photos were then used by Everalbum, without consent, to train facial-recognition software. Additionally, if a user sought to deactivate their account, the notice indicated that all uploaded content would be deleted. However, instead of deleting content upon a request to deactivate a user account, Everalbum retained user data indefinitely.

The FTC investigated Everalbum for misleading users in violation of the FTC Act § 5 prohibition against unfair or deceptive practices. The parties negotiated a consent order which mandated the following: a prohibition on future misrepresentations; notice and affirmative consent before processing future biometric information; a timeline for the deletion of specific categories of data; a recordkeeping and compliance monitoring program; and disgorgement of any models or algorithms developed in whole or in part using unlawfully collected and used biometric information. This last point is particularly important, since Everalbum was required to delete not only the misused data but also the valuable assets developed with it. The company had been developing these models and algorithms since it first integrated facial-recognition software in 2017. Nearly all of the company’s analytics work was undone by poor data management practices.

What does Everalbum mean for the future of data privacy enforcement?

The FTC is looking to use disgorgement in future enforcement actions. In a speech delivered on February 10, 2021, acting chair of the FTC, Rebecca Slaughter, stated that the Commission should require companies “to disgorge not only the ill-gotten data, but also the benefits” derived from such data. She cited the Everalbum case as an example of how the Commission could employ disgorgement to prevent companies from using deceptive practices to process user data. Expect future disgorgements to occur where companies have misused customer data to develop additional useful assets.

How can companies avoid disgorgement?

Everalbum is a good example of the types of data privacy enforcement actions the FTC is currently pursuing. In order to avoid disgorgement of valuable assets, companies must effectively manage their data inventory and demonstrate due diligence with regard to user data practices. When a company collects and processes user data it must, to the greatest extent possible, clearly explain how it intends to use that data. Data processing should adhere to the information disclosed in the company’s privacy policy. All statements made to consumers about their data must be truthful. Data subject rights available in one jurisdiction should be available to customers in other jurisdictions, to avoid misleading statements about what rights consumers have over their data. Companies must adhere to rigorous technical and administrative safeguards to protect user data, particularly sensitive biometric information. Data mapping technology should be used to fully grasp the scope of a company’s data footprint. Companies should also implement data minimization as a standard practice to avoid retaining data past its usefulness. These practices will help companies identify risks proactively and prevent misuse of user data.

Conclusion

In addition to fines and injunctive relief, disgorgement will become an important tool in future FTC enforcement actions. Companies must be aware of the remedies an enforcement agency like the FTC has at its disposal in order to fully grasp the risks associated with misusing data. This is particularly true where a company must disgorge itself of valuable assets that may represent years of work. At Ardent Privacy we believe that Data Mapping and Data Minimization are of the utmost importance for adhering to data privacy regulations. We are developing technology that harnesses the power of artificial intelligence to stay ahead of changes in data privacy enforcement. Our privacy-by-design solutions aim to reduce the risks associated with unwieldy and unmonitored data inventories. Strong data management practices are the best strategy to demonstrate due diligence and avoid penalties.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.