Since the start of the year, the Federal Trade Commission (FTC) has brought actions against – and reached proposed settlements with[1] – three business ventures engaged in the collection, use and sharing of certain consumer information.
data privacy
In Amended Complaint, FTC Alleges Kochava, a Data Broker, Is Collecting, Using and Disclosing “Massive Amounts” of Precise Geolocation Data
The Federal Trade Commission (FTC) has long expressed a concern about the potential misuse of location data. For example, in a 2022 blog post, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” the agency termed the entire location data ecosystem “opaque” and has investigated the practices and brought enforcement actions against mobile app operators and data brokers with respect to sensitive data.
One such FTC enforcement began with an August 2022 complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices. In that complaint, the FTC alleged that Kochava, in its role as a data broker, collects a wealth of information about consumers and their mobile devices by, among other means, purchasing data from outside entities to sell to its own customers. Among other things, the FTC alleged that the location data provided by Kochava to its customers was not anonymized and that it was possible, using third party services, to use the geolocation data combined with other information to identify a mobile device user or owner.
In May 2023, an Idaho district court granted Kochava’s motion to dismiss the FTC’s complaint, with leave to amend. Subsequently, the FTC filed an amended complaint, and Kochava requested that the court keep the amended complaint under seal, which it did until it could rule on the merits of the parties’ arguments.
On November 3, 2023, the court granted the FTC’s motion to unseal the amended complaint, finding no “compelling reason” to keep the amended complaint under seal and rejecting Kochava’s arguments that the amended complaint’s allegations were “knowingly false” or “misleading.” (FTC v. Kochava Inc., No. 22-00377 (D. Idaho Nov. 3, 2023)). As a result, the FTC’s amended complaint has been unsealed to the public.
Amazon’s Recent Acquisitions Highlight the Value of Consumer Data (and the Evolving Privacy Issues)
Roughly two weeks apart, on July 21, 2022 and August 5, 2022, respectively, Amazon made headlines for agreeing to acquire One Medical, “a human-centered and technology-powered primary care organization,” for approximately $3.9 billion and iRobot, a global consumer robot company, known for its creation of the Roomba vacuum,…
FTC Sues Data Provider over the Collection and Sale of Geolocation Data
On August 29, 2022, the Federal Trade Commission (FTC) announced that it had filed a complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices.
The complaint alleges that the data is collected in a format that would allow third parties to track consumers’ movements to and from sensitive locations, including those related to reproductive health, places of worship, and their private residences, among others. The FTC alleged that “consumers have no insight into how this data is used” and that they do not typically know that inferences about them and their behaviors will be drawn from this information. The FTC claimed that the sale or license of this sensitive data, which could present an “unwarranted intrusion” into personal privacy, was an unfair business practice under Section 5 of the FTC Act.
Businesses That Use Consumer Data or Data Products (Everyone?) Take Heed: FTC Moves Ahead with Rulemaking Process on “Commercial Surveillance” Practices
On August 11, 2022, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR) and announced it was exploring a rulemaking process to “crack down on harmful commercial surveillance” and lax data security. The agency defines commercial surveillance as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”
The FTC View
The FTC has not released any proposed rules but seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect consumer data privacy. As part of the ANPR, and before setting out a host of questions for public comment, the FTC offers its take on the opaque ecosystem surrounding the collection of mobile data and personal information (which the FTC asserts is often done without consumers’ full understanding). The FTC discusses the subsequent sharing and sale of information to data aggregators and brokers that then sell data access or data analysis products to marketers, researchers, or other businesses interested in gaining insights from alternative data sources. The agency argues that based on news reporting, published research and its own enforcement actions, the benefits of the current consumer data marketplace may be outweighed by “harmful commercial surveillance and lax data security practices,” thus potentially requiring rules to protect consumers and to offer more regulatory clarity to companies beyond the FTC’s case-by-case enforcement. As FTC Chair Lina Khan said in her statement accompanying the ANPR: “[T]he growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used —means that potentially unlawful practices may be prevalent, with case-by-case enforcement failing to adequately deter lawbreaking or remedy the resulting harms.”
FTC Invitation for Comment
After describing the FTC view on the issues, the Commission invites public comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. Within the ANPR are a myriad of questions (too numerous to list here; a fact sheet is available here and the press release also offers a breakdown). Though, perhaps the multimillion-dollar questions asked by the agency are: Which kinds of data should be subject to a potential privacy rule? To what extent, if at all, should a new regulation impose limitations on companies’ collection, use, and retention of consumer data?
Settlement in Plaid Fintech Data Case
On August 5, 2021, a proposed class action settlement was reached in the closely-watched privacy action against fintech services company Plaid Inc. (“Plaid”). The settlement features a $58 million settlement fund and certain injunctive relief that would make changes to Plaid’s methods of notice and consumer data collection, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The settlement is still subject to court approval.
Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated actions involve claims surrounding Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent. Plaintiffs’ complaint also contended that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information. As we wrote about back in May 2021, the California district court, in deciding Plaid’s motion to dismiss, trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward.
Plaid Federal Electronic Surveillance Claims Dropped, Privacy Claims Survive
On April 30, 2021 a California district court trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, from a highly-visible, ongoing putative class action against fintech services company Plaid Inc. (“Plaid”), but allowed other state law privacy claims to go forward. The lawsuit involves Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent (Cottle v. Plaid Inc., No. 20-3056 (N.D. Cal. Apr. 30, 2021).
The court’s decision did not delve deeply in the merits of the CFAA claim, as it was dismissed on procedural grounds; similarly, resolution of the major issues of the case about invasion of privacy and the adequacy of consent to access consumers’ bank accounts and collect/aggregate data was not achieved at this early stage of the litigation. Thus, this case is just beginning and is certainly one to watch to see how the unsettled areas of mobile privacy and CFAA “unauthorized access” are further developed.
Reflections on 2019 in Technology Law, and a Peek into 2020
It is that time of year when we look back to see what tech-law issues took up most of our time this year and look ahead to see what the emerging issues are for 2020.
Data: The Issues of the Year
Data presented a wide variety of challenging legal issues in 2019. Data is solidly entrenched as a key asset in our economy, and as a result, the issues around it demanded a significant level of attention.
- Clearly, privacy and data security-related data issues were dominant in 2019. The GDPR, CCPA and other privacy regulations garnered much consideration and resources, and with GDPR enforcement ongoing and CCPA enforcement right around the corner, the coming year will be an important one to watch. As data generation and collection technologies continued to evolve, privacy issues evolved as well. In 2019, we saw many novel issues involving mobile, biometric and connected cars. Facial recognition technology generated a fair amount of litigation, and presented concerns regarding the possibility of intrusive governmental surveillance (prompting some municipalities, such as San Francisco, to ban its use by government agencies).
- Because data has proven to be so valuable, innovators continue to develop new and sometimes controversial technological approaches to collecting data. The legal issues abound. For example, in the past year, we have been advising on the implications of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection, as well as a settlement between the FTC and a personal email management service over access to “e-receipt” data. We have entertained multiple questions from clients about the unsettled legal terrain surrounding web scraping and have been closely following developments in this area, including the blockbuster hiQ Ninth Circuit ruling from earlier this year. As usual, the pace of technological innovation has outpaced the ability for the law to keep up.
- Data security is now regularly a boardroom and courtroom issue, with data breaches, phishing, ransomware attacks and identity theft (and cyberinsurance) the norm. Meanwhile, consumers are experiencing deeper and deeper “breach fatigue” with every breach notice they receive. While the U.S. government has not yet been able to put into place general national data security legislation, states and certain regulators are acting to compel data collectors to take reasonable measures to protect consumer information (e.g., New York’s newly-enacted SHIELD Act) and IoT device manufacturers to equip connected devices with certain security features appropriate to the nature and function of the devices secure (e.g., California’s IoT security law, which becomes effective January 1, 2020). Class actions over data breaches and security lapses are filed regularly, with mixed results.
- Many organizations have focused on the opportunistic issues associated with new and emerging sources of data. They seek to use “big data” – either sourced externally or generated internally – to advance their operations. They are focused on understanding the sources of the data and their lawful rights to use such data. They are examining new revenue opportunities offered by the data, including the expansion of existing lines, the identification of customer trends or the creation of new businesses (including licensing anonymized data to others).
- Moreover, data was a key asset in many corporate transactions in 2019. Across the board in M&A, private equity, capital markets, finance and some real estate transactions, data was the subject of key deal points, sometimes intensive diligence, and often difficult negotiations. Consumer data has even become a national security issue, as the Committee on Foreign Investment in the United States (CFIUS), expanded under a 2018 law, began to scrutinize more and more technology deals involving foreign investment, including those involving sensitive personal data.
- For more information about developments over the past year on data-related issues, and to keep abreast on new developments in the future, you may want to subscribe to Proskauer’s privacy blog, privacylaw.proskauer.com. You may also want to review our Practical Law article “Trends in Privacy and Data Security:2018” and get a hold of our update that will publish in winter 2020.
I am not going out on a limb in saying that 2020 and beyond promise many interesting developments in “big data,” privacy and data security.