RESPECT YOUR DATA

Limit and protect the data you collect, retain, and use.
Protecting your users’ privacy requires you to be thoughtful about the data you collect and hold, and how you use it. By carefully considering the costs and benefits of collecting data and by properly safeguarding the information that you do collect, you prevent privacy harms and increase consumer trust in your company. 

CAREFULLY HANDLE ANY DATA THAT YOUR USERS MIGHT CONSIDER SENSITIVE.

Mishaps with information like credit card or financial records, passwords, physical or mental health records, and many other types of sensitive data can have major consequences both for users and your company. Taking special steps to protect this information can protect you and your users from harm.

Case Study

The FTC Called, Consumers Want Their Privacy Back: Amazon Ring Allowed Employees to Spy on Customers in Intimate Spaces

The FTC took Amazon Ring to task for compromising people’s privacy by giving employees and contractors unnecessary and unrestricted access to sensitive video information, failing to provide notice of or obtain consent for that access, and failing to secure its devices from hacks. It was revealed that a single employee had spent several months in 2017 watching thousands of video recordings without consent, including many that occurred in “intimate spaces” of the home. Ring was ordered in 2023 to delete information, models, and algorithms derived from unlawfully viewed videos and to implement a privacy and security program with stringent controls.

Case Study

Premom Broke Privacy Promises in a Post-Roe World

The FTC sued Premom—an ovulation tracking app—for breaking “its promises and compromis[ing] consumer privacy” by deceptively sharing personal information and violating the FTC’s Health Breach Notification Rule by failing to notify users of these unauthorized disclosures. Contrary to Premom’s direct promise not to share personal information with third parties without user consent, the company integrated software development kits from third-party marketing firms, which shared information that could associate fertility or pregnancies with a specific individual. Premom also failed to properly encrypt the information it shared with third parties. Easy Healthcare, which owns Premom, agreed to pay $200,000 in fines and is banned from sharing personal information with third parties for advertising.

Case Study

Texas Lassos Meta for Illicit Collection of Biometric Information

Meta was forced to pay $1.4 billion to settle a lawsuit brought by the Texas Attorney General alleging that the company had covertly captured biometric information from Facebook users without their knowledge or consent. The settlement also requires the company to halt the “practice of capturing and using the personal biometric data of millions of Texans without the authorization required by law.” This settlement is the largest to stem from Meta’s photo facial recognition feature, but it is not the only one: the company also settled a class action in Illinois for $650 million involving the same practices. A similar Texas state biometric privacy lawsuit against Google is ongoing.

IDENTIFY AND COMPLY WITH SPECIFIC LEGAL REQUIREMENTS FOR THE DATA YOU COLLECT.

If your product handles certain types of information or information from people who live in different places, you may be subject to specific federal and state legal requirements. For example:

  • Any service that deals with electronic communications may be subject to the Electronic Communications Privacy Act and the California Electronic Communications Privacy Act (CalECPA).
  • Services that are designed for health care providers and related entities may be subject to the Health Insurance Portability and Accountability Act.
  • Video content services may be subject to the Video Privacy Protection Act.
  • Book providers are subject to the California Reader Privacy Act.
  • CCPA
  • Websites and services that knowingly collect personal information from or that are “directed to children” under 13 may be subject to the Children’s Online Privacy Protection Act.
  • Other laws may apply if your service handles financial records, consumer credit information, government records, motor vehicle records, or student education records.
  • California has many privacy laws that provide special rights and require specific disclosures to be made by companies on their websites. These include the CCPA, Shine the Light, Reader Privacy Act, etc.

Case Study

Alexa – Don’t Store Children’s Voices

Amazon had to pay $25 million for improperly collecting children’s voice recordings and geolocation information through its Alexa devices, misleading parents about privacy protections, and failing to honor deletion requests. The DOJ and FTC took action against Amazon for violating the Children’s Online Privacy Protection Act. In addition to the monetary settlement, Amazon must also delete inactive child accounts, stop using certain sensitive information to train its algorithms, stop misrepresenting its privacy policies, and notify its users about the FTC-DOJ action.

Case Study

Microsoft Pays $20M for Improperly Collecting and Retaining Children’s Information

Microsoft was slapped with $20 million in fines in 2023 to settle FTC charges that it violated the Children’s Online Privacy Protection Act (COPPA). The FTC charged Microsoft with violating COPPA and the FTC Act by collecting personal information from children using the company’s Xbox Live online service and related products, collecting this personal information without parental consent, and storing the information longer than reasonably necessary. In addition to paying the large fine, Microsoft needs to bolster protections for children’s information, including requiring parental consent prior to collection and implementing a system to delete all collected information within two weeks of collection.

“The law is clear: the personal information of children is off limits, and the FTC will continue to investigate companies like Recolor that break or bend the law,” said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection, 2021.
