On January 11, 2021, the Federal Trade Commission (FTC) issued a Consent Order that has major implications for data privacy enforcement. In the Matter of Everalbum, Inc. involved misrepresentations made by the operators of a photo storage application. After an FTC investigation, the agency and Everalbum came to an agreement that requires deletion of misused biometric information as well as valuable models and algorithms developed using such data. To rectify the harm caused by Everalbum, the Consent Order went beyond simple deletion and required the company to disgorge the benefits generated with misused sensitive data. If this case is any indication, disgorgement is likely to become one of the main enforcement tools used by the FTC to disincentivize deceptive practices in the data processing industry. This article discusses the Everalbum case and disgorgement so that companies can better appreciate the risks they face when misusing data.
What is Disgorgement?
Disgorgement is a type of penalty where a company is ordered to give up any benefit that the business gained from an unlawful practice. Traditionally the FTC has sought disgorgement in cases where a deceptive business practice results in profits. The FTC may order a company to disgorge profits obtained under deceptive or false pretenses, adding a major disincentive for future deceptive practices. In the context of data privacy, however, the FTC is likely to seek the disgorgement of non-monetary benefits similar to the models and algorithms developed by Everalbum. Assets of this nature are often more valuable than the data itself, and disgorgement can result in years of work being scrapped.
What did Everalbum do that resulted in an FTC investigation?
Everalbum, Inc. operates Ever, a cloud-based photo storage and organization application available globally on mobile platforms. In 2017, Everalbum added a feature to the app which, by default, integrated facial-recognition software that processed user-uploaded content. While the “Help” section on Everalbum’s website indicated that facial recognition could be disabled in the app, users outside of the EU, Texas, Illinois, and Washington did not have the ability to disable facial recognition. Millions of user-uploaded photos were then used by Everalbum without consent to train facial-recognition software. Additionally, if a user sought to disable their account, the notice indicated that all uploaded content would be deleted. However, instead of deleting content upon a request to disable a user account, Everalbum retained user data indefinitely.
The FTC investigated Everalbum for misleading users in violation of the FTC Act § 5 prohibition against unfair or deceptive practices. The parties negotiated a consent order which mandated the following: a prohibition on future misrepresentations; notice and affirmative consent before processing future biometric information; a timeline for the deletion of categories of data; a recordkeeping and compliance monitoring program; and disgorgement of any models or algorithms developed in whole or in part using biometric information unlawfully used and collected. This last point is particularly important since Everalbum was required to delete valuable assets that were developed with misused data in addition to the data itself. The company had been developing these models and algorithms since it first integrated facial-recognition software in 2017. Nearly all of the company’s analytics work was undone by poor data management practices.
What does Everalbum mean for the future of data privacy enforcement?
The FTC is looking to use disgorgement in future enforcement actions. In a speech delivered on February 10, 2021, acting chair of the FTC, Rebecca Slaughter, stated that the Commission should require companies “to disgorge not only the ill-gotten data, but also the benefits” derived from such data. She cited the Everalbum case as an example of how the Commission could employ disgorgement to prevent companies from using deceptive practices to process user data. Expect future disgorgements to occur where companies have misused customer data to develop additional useful assets.
How can companies avoid disgorgement?
In addition to fines and injunctive relief, disgorgement will become an important tool for future FTC enforcement actions. Companies must be aware of the remedies an enforcement agency like the FTC has at its disposal in order to fully grasp the risks associated with misusing data. This is particularly true where a company must disgorge valuable assets that may represent years of work. At Ardent Privacy we believe that Data Mapping and Data Minimization are of the utmost importance in adhering to data privacy regulations. We are developing technology that harnesses the power of artificial intelligence to stay ahead of changes in data privacy enforcement. Our privacy-by-design solutions aim to reduce the risks associated with unwieldy and unmonitored data inventories. Strong data management practices are the best strategy to demonstrate due diligence and avoid penalties.
About Ardent Privacy:
Ardent Privacy is an “Enterprise Data Minimization and Privacy Technology” solutions provider based in the National Capital region in the United States. Ardent solutions enable companies to achieve privacy compliance in a meaningful way by taking a data-driven approach to security, and make the journey to the cloud cost-efficient, secure, and compliant. They empower enterprises to efficiently comply with new data privacy regulations including CDPA (Virginia), CCPA (California), HIPAA (Healthcare), FISMA, and GDPR (Europe). Using machine learning and artificial intelligence, Ardent solutions identify, inventory, map and minimize data in enterprises to reduce privacy and compliance risk in their digital transformation and journey to the cloud.
Visit https://ardentprivacy.ai/data-security-resources/library/ for more resources.