The FTC are cracking down on illegal data sharing

by Egress
Published on 16th Aug 2022

There’s a glimmer of good news amid the ever-evolving IT threat landscape – although it’s come about as a result of worrying illegal activity. Even though recent changes to data privacy laws have placed consumers in control of their personal information, the Federal Trade Commission (FTC) has found that some apps are, in fact, collecting data they don’t need, for example by tracking users when they’re not actively using the app and going against the permissions they have set.

As a result, and in a positive move for consumers, the FTC published a stern warning that it will take action against organizations using or sharing data illegally. Tony Pepper, Egress CEO, celebrates this promise, saying, “The FTC’s commitment to enforcing privacy laws across smart devices and apps is fantastic news for consumers, and any company found in violation can expect to face the consequences set out in the law they’ve broken, such as threat of injunction and financial penalties.”

The risks of data misuse

Some apps have not only been misusing personal data but have also been reidentifying individuals for financial gain. “For example, a health or fitness provider could use geo data combined with health app data to target specific individuals with local services or offers,” Pepper explains. 

The examples of data we’ve highlighted so far – location and health – are two of the most sensitive types, according to the author of the FTC’s Location, health, and other sensitive information article, Kristin Cohen. She highlights how ironic it is that many of us are sharing delicate information with unknown entities, completely unaware of the risks we’re creating for ourselves.

“The extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers,” Cohen says. “These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity. The marketplace for this information is opaque, and once a company has collected it, consumers often have no idea who has it or what’s being done with it.”

Cohen explains that misuse of location and health information “exposes consumers to significant harm,” including phishing scams and identity theft. Leaked location data can lead to stalking or robbery, and stolen health information can cause many other issues, including discrimination or stigma – especially if that information concerns reproductive health.

Real-world repercussions

Sharing data can be incredibly risky for users, and the concern isn’t merely theoretical – the FTC has dealt first-hand with multiple cases of apps illegally using data. Recently, the FTC settled a case with the Flo Health app – a popular menstruation tracker – after alleging that it shared personal information with third parties despite promises of privacy.

And there are even more real-world examples where sensitive information has been leveraged illegally. “Besides financial gain, the misuse of consumers’ personal information has been used to influence elections (Cambridge Analytica), persuade the judicial system (protests at the homes of Supreme Court Justices), and impact health choices,” Pepper adds. 

The FTC is on your side

This is why the FTC has promised to crack down on organizations breaking the rules, continuing the work it’s been doing behind the scenes to protect consumers by punishing companies that misuse information. “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data,” promises Cohen. “The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

Cohen’s advice is to bear in mind that sensitive data is protected by multiple federal and state laws, that claims of anonymity in data use can be deceptive, and, vitally, that the FTC won’t tolerate over-collection, indefinite retention, or misuse of consumer data. The FTC has already dealt with hundreds of cases for the sake of protecting individuals’ personal data, and some of these have led to substantial civil penalties.

Pepper, referring to the FTC’s commitment to the law, concludes: “The benefit to people is simple: consumer confidence that their data really is private and only ever used in ways they’ve consented to.”