National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES

Suggested Citation: "VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

ACRP LRD 42   35

sures should be adapted to the unique air travel environment.”[263] While the Guidance Document addresses a range of operational issues, it contains principles directly related to a range of data collection activities.

The first of the principles relating to data collection concerns airline collection of complete and current passenger and crew contact information prior to international flight departures. That information is to be provided in an electronic format to the U.S. government for further dissemination to destination U.S. health authorities before departure.[264] This principle is consistent with a February 20, 2020, HHS interim final rule requiring any airline with a flight arriving in the United States to collect passenger and crew contact information and provide it to the U.S. government within 24 hours of an order by the Centers for Disease Control and Prevention (CDC) Director.[265]

The second principle related to data collection states that airlines should implement health attestations from passengers to reinforce the expectation that passengers will not travel when ill or when they are at a higher risk of developing and/or spreading COVID-19.[266] The Guidance recommends this principle but does not require it.[267]

The third principle related to data collection states that airlines and airports may need to consider the use of temperature screening to meet destination requirements or requirements of local health authorities.[268] This principle cautions that some persons with chronic, non-COVID related health issues may have an elevated body temperature and that policies should be implemented to ensure that such persons are not unfairly blocked from travel if their illness does not threaten public health.[269] This principle also notes that pre-travel temperature screening of passengers should be done in accordance with the protocols of the relevant health authorities.[270] It further instructs that if an airport, airline, or other authority[271] makes the decision that it will bar those with temperatures over a certain threshold from flying, the policy should be transparent, posted in advance, and all passengers should be directly notified of the policy before making a decision on whether to fly.[272] Considering these principles is important when developing a policy for pre-travel temperature testing of passengers.

The development of these principles demonstrates both the fluid nature of data collection in the airport context and the fluid nature of regulatory agencies to accept, and in some cases even direct, that collection. Both nationally and internationally, government authorities are grappling with health privacy concerns on one hand and public health and economic realities on the other. Collection of health data by airports or airport stakeholders that would have once been unimaginable is now on the cusp of routine. Of course, this evolution does not mean that privacy concerns regarding data are no longer relevant, but that other interests weigh in favor of mitigating those concerns and reducing protections.

VI. FEDERAL ENFORCEMENT ACTIVITIES AND OTHER FEDERAL INITIATIVES

In addition to actual legislation, airports must consider other government activities that implicate the legal framework associated with privacy protections. These other activities include executive branch actions and the activities of Congress in developing future legislation.

A. FTC Enforcement Activity and the Creation of “Privacy Common Law”

The FTC is empowered to address challenges to competition in the marketplace through Section 5 of the Federal Trade Commission Act (FTCA).[273] The agency pursues Section 5 enforcement actions under theories of deceptive or unfair practices. Through this authority, the agency has taken many enforcement actions to protect privacy in the United States, including cases involving failures to implement reasonable data security practices or general privacy concerns.[274] In 2020, FTC enforcement focused on privacy and data security cases and targeted social media companies, mobile app developers, data brokers, ad tech industry participants, retailers, and companies operating in the internet of things environment. Most often, this process involves the initiation of a complaint by the FTC and the respondent company entering into a settlement with a consent order.

Over the years, the FTC has cataloged many enforcement actions. Solove and Hartzog argue this compilation of agency actions has created a form of privacy common law.[275] As the FTC publishes complaints and settlements and adheres to them in its subsequent enforcement actions, practitioners in the field use those settlements to advise their clients. Thus, a kind of controlling law develops.[276]

[263] Id. at 4.
[264] Id. at 15.
[265] Id. at 15-16.
[266] Id. at 20.
[267] Id.
[268] Id. at 21.
[269] Id. at 21-22.
[270] Id. at 22.
[271] It is noteworthy that the Guidance Document leaves open the possibility that a temperature check of passengers may be conducted by an “other authority” without identifying that authority any further. It is an open question as to whether the TSA has such authority under the broad terms of 49 U.S.C. §§ 114 (f)(4) and (16).
[272] Id.
[273] 15 USC § 45(a).
[274] See, e.g., Privacy and Data Security Update: 2019, F.T.C. (Feb. 2020), at 8, https://www.ftc.gov/reports/privacy-data-security-update-2019. The FTC publishes annual updates with respect to its activities regarding data privacy and security.
[275] Daniel Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583, 620-25 (2014).
[276] Solove and Hartzog devote significant attention to the issue of the paucity of federal court decisions in this area, and the importance of FTC settlement (or cease and desist) orders. While not precedent like a judicial decision, given the circumstances these decisions are viewed in the privacy practice community as having precedential value. See id. at 620-25.

36    ACRP LRD 42

1. Deceptive Practice Cases

FTC characterizes deceptive practices as actions likely to mislead consumers acting reasonably under the circumstances and that are material to consumers.[277] Deceptive practices have resulted in enforcement actions for failure to meet several types of promises, including failing to maintain confidentiality or refrain from disclosing information to third parties; collecting data inconsistent with company privacy policies; failing to provide adequate security for personal data; and disclosing identification information.[278]

Inadequate notice has also resulted in deception-based actions.[279] Enforcement actions have involved failures to disclose the complete nature of tracking activities:

• Failure to disclose the complete nature of activity tracking: In re Sears Holdings Management Corp.;[280]
• Failure to disclose full sharing features and defaults of file sharing software: FTC v. Frostwire;[281] and
• Failure to disclose the existence of “man in the middle” software preloaded on laptop computers capable of accessing sensitive personal information: In the matter of Lenovo (United States) Inc.[282]

Additionally, deception cases have included allegations of failure to provide adequate data security. Those allegations have also been coupled with data security claims.

a. Fanning v. FTC[283]

In Fanning, the First Circuit affirmed an FTC action for deception against the founder of jerk.com, a website offering reputation management services. The FTC concluded that representations on the website concerning the number of people assisted by jerk.com were deceptive.

With respect to the standard of review of FTC decisions, the Fanning Court cited FTC v. Colgate Palmolive,[284] to conclude that “the Commission is often in a better position than are courts to determine when a practice is ‘deceptive’” and “the Commission’s judgment is to be given great weight by reviewing courts.”[285]

The court expressly rejected an assertion by Fanning that misrepresentations were not actionable because they were not contained in company advertisements. The court noted “[w]e see no reason why it would not be a deceptive act or practice to place misrepresentations on websites if those misrepresentations affect[ed] [consumers’] choice of, or conduct regarding the website.”[286]

This ruling in Fanning should cause airports and airport stakeholders to examine the content of their websites very carefully to ensure the accuracy of the information, particularly with respect to representations about user data.

b. United States v. Facebook[287]

While the FTC has very limited ability under Section 5 of the FTCA to assess fines and penalties, 2019 saw a major settlement with Facebook, resulting in remedial measures and the imposition of $5 billion in fines and penalties. The Facebook settlement resolves issues that stretch back almost a decade to a 2012 settlement between Facebook and the FTC.

The initial complaint concerned Facebook’s privacy settings and the operation of the “Privacy Wizard.” The FTC found that Facebook’s practices allowed third parties access to personal data about Facebook users. Facebook agreed to remedy those deficiencies, but it ultimately failed to do so.

In the wake of revelations about data access through Facebook by Cambridge Analytica,[288] the FTC issued a new complaint alleging violation of the 2012 order. The new complaint made additional allegations of deceptive conduct through the use of consumer phone numbers gathered in connection with two-factor authentication practices. In the settlement announced in July 2019, the FTC contended that “[t]he magnitude of this penalty resets the baseline for privacy cases—including for any future violation by Facebook—and sends a strong message to every company in America that collects consumers’ data: where the FTC has the authority to seek penalties, it will use that authority aggressively.”[289] In addition to the fine and penalty, Facebook agreed to the acceptance of substantial remedial measures. Those measures included:

[277] Id. at 1-2. Material means it would likely affect the consumer’s conduct or decisions about a product or service.
[278] Id. at 629.
[279] For a detailed discussion of inadequate notice cases, see, Daniel Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583, 634-636 (2014).
[280] Id. at 634 n. 243; In re Sears Holdings Management Corp., Compl., No. C-4264, at 1 (F.T.C. Aug. 31, 2009) (“Sears Complaint”), http://www.ftc.gov/sites/default/files/documents/cases/2009/09/090604searscmpt.pdf.
[281] Solove & Hartzog, supra n. 279, at p. 634 n.250, FTC v. Frostwire, LLC, Compl., No. 1:11-cv-23643, at 19 (S.D. Fla. Oct. 12, 2011) (“Frostwire Complaint”), http://www.ftc.gov/sites/default/files/documents/cases/2011/10/111011frostwirecmpt.pdf.
[282] See Statement of Acting Chairman Maureen K. Ohlhausen, In the matter of Lenovo (United States) Inc., F.T.C. (Sept. 5, 2017), https://www.ftc.gov/system/files/documents/public_statements/1250833/1523134lenovomkostatement.pdf.
[283] 821 F.3d 164 (1st Cir. 2016).
[284] 360 U.S. 374 (1965).
[285] 871 F.3d. at 170.
[286] Id. at 170 (citing Kraft, Inc. v. FTC, 970 F.2d 311, 322 (7th. Cir. 1992).
[287] No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
[288] A related complaint against Cambridge Analytica was resolved in 2019. In the Matter of Cambridge Analytica, LLC, Compl., No. 9383 (Dec. 5, 2018), https://www.ftc.gov/system/files/documents/cases/d09389_comm_final_opinionpublic.pdf.
[289] Statement of Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson In re Facebook, Inc., F.T.C., (July 24, 2019), at 2, https://www.ftc.gov/system/files/documents/public_statements/1536946/092_3184_facebook_majority_statement_7-24-19.pdf.

ACRP LRD 42   37

• Ceasing misrepresentation on several privacy matters;
• Greater privacy and data security controls over third-party applications;
• Enforcement of platform terms against application developers;
• Deletion or deidentification of user data after account closure;
• Extension of privacy protections to other Facebook owned products and services (e.g., WhatsApp and Instagram);
• Limits on collection and use of biometric information;
• Development of a comprehensive data security program with obligations for authentication, access control, and encryption; and
• Several measures for enhancing privacy governance within Facebook:
  o Appointment of an independent board of director-level committee to address privacy issues;
  o Appointment of a corporate officer responsible for privacy who can only be removed by majority vote of the new privacy committee;
  o Regular independent assessments of privacy practices submitted to the FTC;
  o Reporting of violations and certain data breaches to the FTC; and
  o Reporting and recordkeeping obligations to the FTC certified by the Privacy Officer and CEO.[290]

In its public statement announcing settlement with Facebook, the FTC confidently noted:

“This penalty raises the bar for civil penalties in future matters involving privacy violations. Moreover, the Commission designed the Order’s sweeping injunctive relief not only to punish future violations, but more importantly to implement dramatic privacy transparency and oversight changes at Facebook, thereby decreasing the likelihood that those violations will occur in the first place.”[291]

The U.S. District Court for the District of Columbia entered the order settling the case on April 23, 2020.[292]

c. In the Matter of Uber Technologies[293]

In the context of a case related to transportation services, the FTC entered an opinion and order against Uber Technologies for misrepresentations regarding data security in connection with the company’s delivery of ride share services. The action was brought after a 2014 data breach involving access to Uber driver information. The action noted misrepresentations regarding data security. During the FTC investigation, a second breach occurred in 2016. That breach involved driver and passenger data and was not disclosed to the FTC. Uber allegedly paid the hackers $100,000 in connection with the data breach. A tentative settlement was reached in 2017, but when the 2016 data breach was revealed to the FTC, it insisted on a revised order.[294]

This revised order was entered in October, 2018. It required that Uber take the following measures:

• Stop misrepresentation with respect to data privacy and data security measures
• Establish a privacy program with the following features:
  o Designated employee(s) responsible for the privacy program
  o Identification of privacy risks
  o Design and implementation of control measures
  o Reasonable steps to select and retain service providers to implement the program
  o Establishment of measures to evaluate and adjust the privacy program.
• Initiate initial and biennial privacy assessments identifying privacy control measures and certifying their effectiveness
• Third-Party Privacy Assessment for a period of 20 years.
• Required reporting for subsequent breaches.[295]

2. Unfair Practice Cases

Enforcement of unfair practices requires a showing that the action causes or is likely to cause substantial injury that is not reasonably avoidable by consumers and said injury is not outweighed by benefits to consumers or competition.[296] The unfair practice theory was derived from industry standard practices.

Two Circuit Courts of Appeal have addressed the FTC’s exercise of jurisdiction under an unfair practice theory. Those decisions seem to generally affirm the FTC practice. Examining both cases offers an understanding of areas examined by the FTC in its data security investigations and limitations on FTC efforts.

a. FTC v. Wyndham Worldwide Corp[297]

In Wyndham, the Third Circuit directly addressed a challenge[298] to the FTC enforcement authority for cybersecurity failures on the part of Wyndham, a worldwide hotel chain. The

[290] U.S. v. Facebook, No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
[291] Statement of Chairman Joe Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson In re Facebook, Inc., F.T.C., (July 24, 2019), at 8, https://www.ftc.gov/system/files/documents/public_statements/1536946/092_3184_facebook_majority_statement_7-24-19.pdf.
[292] U.S. v. Facebook, No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
[293] In the Matter of Uber Techs, Inc., F.T.C., No. C-4662 (Oct. 25, 2018), https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_decision_and_order.pdf.
[294] In the Matter of Uber Techs, Inc., Compl., No. C-4662 (Oct. 25, 2018), https://www.ftc.gov/system/files/documents/cases/152_3054_c-4662_uber_technologies_revised_complaint.pdf.
[295] In the Matter of Uber Techs, Inc., F.T.C., No. C-4662 (Oct. 25, 2018), https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_decision_and_order.pdf.
[296] 15 U.S.C. § 45(n).
[297] 799 F.3d 236 (3d Cir. 2015).
[298] The FTC in Wyndham alleged that the company’s failure to provide for proper data security was actionable as both an unfair practice as well as a deceptive practice. However, only the issue of unfair practice was brought before the Third Circuit. Id. at 240.

38    ACRP LRD 42

Wyndham chain suffered data breaches in 2008 and 2009 when personal and financial information about customers was stolen resulting in over $10.6 million in fraudulent charges. The FTC Complaint alleged that “at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”[299]

The FTC specifically noted that the following deficiencies in Wyndham’s data security practices evidenced an unfair practice violation:

• Storing payment card information in clear readable text;
• Use of easily guessed passwords;
• Failure to use available security measures (like firewalls limiting access between properties);
• Allowing network connections without adequate security (with outdated operating systems and network connections using default passwords);
• Inadequate restriction of third-party vendor access to network systems;
• Failure to take reasonable measures to prevent or detect unauthorized access; and
• Failure to follow proper incident response procedures.[300]

Moving to dismiss the FTC Complaint, Wyndham claimed that it did not have sufficient notice that the alleged deficiencies formed the basis of an unfair practice claim under Section 5 of the FTCA.

The Third Circuit concluded that the FTC had stated sufficient basis to maintain an unfair practice claim with respect to Wyndham’s data handling practices. The Court concluded that sufficient notice of Section 5’s coverage of cybersecurity could have been gleaned from the FTC’s prior enforcement actions. Those actions constituted sufficient notice to Wyndham of the potential application of unfair practice jurisdiction for poor cybersecurity practices.

The Wyndham decision demonstrates the potential liability for failing to properly manage data security. Airports looking to develop these types of programs should look at the growing body of FTC enforcement actions to understand what types of measures are reasonably expected to ensure that collections of personal data are properly protected. Failure to do so may result in liability for unfair practices under the FTC’s enforcement of Section 5 of the FTCA.

b. LabMD, Inc. v. FTC[301]

The LabMD case offers some interesting insights into the workings of the FTC with respect to unfair practice claims. In that case, the Eleventh Circuit concluded that provisions of the FTC’s cease and desist order with respect to an administrative finding of inadequate security were unenforceable because they lacked specificity. This case caused the FTC to revise how it develops and issues cease and desist orders. A review of the decision should provide an understanding of FTC expectations for proper data security.

With respect to its facts, the LabMD case involved an FTC action under Section 5 of the FTCA alleging a failure of a medical testing laboratory to implement sufficient measures to safeguard data. The FTC recognized that LabMD did maintain a data security program that included “a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus, and security-related inspections.”[302] Despite those measures, however, the billing manager at LabMD, apparently in violation of the policy, downloaded a peer-to-peer file sharing application. Use of that application resulted in a public exposure of the personal and health information of 9,300 patients.[303]

The information was discovered by a third-party security company that hoped to get business from LabMD to fix this problem. After LabMD rejected the security company’s repeated work proposals, the security company turned information over to a research partner at Dartmouth who published an article on data security in health care. The company also turned the exposed records over to the FTC.[304]

In 2013, after an extensive investigation, the FTC issued a complaint against LabMD alleging inadequate security. Some of the deficiencies noted by the FTC included:

• Absence of a comprehensive security plan;
• Absence of measures to identify commonly known or reasonably foreseeable threats;
• Inadequate measures to prevent unnecessary employee access;
• Failure to train staff on the importance of safeguarding information;
• Failure to require security measures for employee remote access to data;
• Failure to maintain and update operating systems; and
• Failure to employ available measures to prevent or detect unauthorized access (including the installation of unauthorized applications).[305]

While the Eleventh Circuit assumed for purposes of its decision in LabMD that the deficiencies in LabMD’s data security program constituted an unfair practice, it was not persuaded that the cease and desist order had sufficient specificity to guide the actions of LabMD to compliance. In response, the FTC has changed its practice with respect to consent agreements to settle such actions.

In a statement issued on January 6, 2020, the Director of the FTC’s Bureau of Consumer Protection announced new policies on settlements that provided more specific guidance for compa-

[299] Id. (quotations omitted).
[300] Id. at 240-41.
[301] 894 F. 3d 1221 (11th Cir. 2018).
[302] Id. at 1224 n.4. (quotations omitted).
[303] Id. at 1224.
[304] Id. at 1225.
[305] Id. at 1226 n.8.

ACRP LRD 42   39

nies.[306] The guidance was developed in response to the LabMD decision with information gathered in public hearings held in December 2018. Improved orders should provide greater specificity.

“They continue to require that the company implement a comprehensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint. Examples have included yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption. These requirements not only make the FTC’s expectations clearer to companies, but also improve order enforceability.”[307]

In addition to providing more specific guidance, the FTC is also seeking to strengthen governance by requiring third-party assessors in its orders to evaluate compliance. This external assessment is thought to enhance accountability. Additionally, the new orders will seek to raise the issue of data protection to the Board and C-Suite level of organizations.[308]

Review of the FTC guidance and consent orders informs airports and airport stakeholders of the measures the FTC views as critical to adequate data security programs. Consideration of and compliance with these measures is necessary to avoid costly liability.

c. Enforcement of International Privacy Frameworks: EU-U.S. Privacy Shield (formerly Safe Harbor), Swiss-U.S. Privacy Shield and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR).

Section 5 of the FTCA is also used as a basis for enforcement of certain international agreements with respect to privacy protections. The provisions of those agreements are more fully outlined in Section XII of this paper. Privacy Shield and APEC CBPR agreements involve self-certification by companies in the United States looking to avail themselves of data protected in foreign jurisdictions. The companies agree to follow privacy principles established in those agreements. Those provisions are frequently more stringent than those required by U.S. law. By virtue of the company’s self-certification and representation to follow privacy principles established by those frameworks, the FTC can enforce those provisions to address misrepresentations under Section 5 of the FTCA. As of 2019, the FTC reported initiating 75 actions for violations of these international agreements.[309] A number of those actions were for companies that falsely indicated that they had self-certified participation. Considering the discontinuation of EU participation in Privacy Shield in 2020, it is unclear what enforcement authority FTC will have concerning those previously certified agreements from registered organizations.

d. Joint State and Federal Deceptive and Unfair Practice Enforcement.

The FTC has acted in coordinated efforts with some state attorneys general. Two settlements in 2017 demonstrate those joint activities. A particularly good example is In the Matter of Lenovo (United States) Inc.[310] This case involved settlement of an action taken in conjunction with actions brought by 32 state Attorneys General. Similarly, in the settlement in FTC v. Vizio, Inc.,[311] the FTC, in conjunction with the Attorney General of New Jersey, alleged that software in Vizio televisions that monitored viewing habits was problematic. The matter was settled with a district court entry of a consent decree and a $2.2 million fine.[312]

e. Additional FTC Privacy Enforcement Activity and Rulemaking Authority

In addition to its enforcement authority under Section 5 of the FTCA, the FTC has authority for enforcement of several other acts[313] including the GLBA[314] and the Children’s Online Privacy Protection Act of 1998 (COPPA).[315] While GLBA generally would not apply to airports or their stakeholders, some of the FTC’s enforcement is in conjunction with these statutes. For airports, COPPA enforcement would be relevant only in circumstances where the airport or airport stakeholders seek to gather information without parental consent from children under the age of 13.

f. In re Equifax Inc. Customer Data Sec. Breach Litigation[316]

This case demonstrates the FTC’s authority under both Section 5 of the FTCA and the provisions of the GLBA.

[306] See Andrew Smith, New and Improved FTC Data Security Orders: Better Guidance for Companies, Better Protection for Consumers, FTC (2020), https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance (the statement includes links to seven orders issued in 2019 utilizing the new format).
[307] Id.
[308] Id.
[309] FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020) at 2, https://www.ftc.gov/system/files/documents/reports/reports-response-senate-appropriations-committee-report-116-111-ftcs-use-its-authorities-resources/p065404reportprivacydatasecurity.pdf.
[310] See FTC, Lenovo Settles FTC Charges It Harmed Consumers with Preinstalled Software on Its Laptops that Harmed Consumers, F.T.C. (Sept. 5, 2017), https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled.
[311] FTC v. Vizio, Inc., Compl., No. 2-17-cv-00758, 2017 U.D. LEXIS 219381, (D.N.J. Feb. 6, 2017), https://www.ftc.gov/system/files/documents/cases/170206_vizio_2017.02.06_complaint.pdf.
[312] VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent, F.T.C. (Feb. 6, 2017), https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it.
[313] As an example, the FTC has enforcement authority over the FCRA (section IV, Supra) bringing over 100 cases with $40 million in penalties. See, FTC Use of Its Authorities to Protect Consumer Privacy and Security F.T.C. (2020), at p. 7, https://www.ftc.gov/system/files/documents/reports/reports-response-senate-appropriations-committee-report-116-111-ftcs-use-its-authorities-resources/p065404reportprivacydatasecurity.pdf.
[314] 15 U.S.C. § 6801 et seq.
[315] 15 U.S.C. §§ 6501-6506.
[316] No. 1:17-md-2800-TWT, 2020 U.S. Dist. LEXIS 7841 (N.D. Ga. Jan. 13, 2020).

The FTC’s complaint against Equifax alleged that the company failed to secure the massive amount of personal information stored on its network. Among other things, the company allegedly failed to patch well-known software vulnerabilities, failed to segment its database servers, and stored Social Security numbers in unencrypted, plain text. According to the complaint, these failures led to a breach that affected more than 147 million people, and exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud. The settlement, which totals between $575 million and $700 million, was part of a global resolution where Equifax settled matters with a consumer class action, the Consumer Financial Protection Bureau, and 50 states and territories.317

In addition to maintaining the action against Equifax under the provisions of Section 5 of the FTCA, the FTC also alleged violations of GLBA provisions that required firms to assess and address foreseeable risks to the protection of personal data.318 While the GLBA protections only extend to financial institutions, the data protection failures also punishable under Section 5 of the FTCA offer examples of data protection failures that can impose liability.

g. FTC and The People of the State of New York v. Google, LLC and YouTube, LLC319

In this case, the FTC in conjunction with the Attorney General of New York brought an action against YouTube and its parent corporation Google in connection with YouTube’s collection of personal information from children under the age of 13 without parental notification and consent in violation of the provisions of COPPA. The case resulted in the imposition of $170 million in fines and penalties against YouTube and Google ($136 Million to the FTC and $36 Million to the State of New York) and the entry of injunctive relief. That injunctive relief included measures to ensure that content providers self-certify the existence of content directed to children. It also requires that Google and YouTube provide notice of their data collection practices with respect to children and acquire requisite parental consents in accordance with the provisions of COPPA.320

This case should serve as a reminder to airports and airport stakeholders that where data collection programs are designed to target children under the age of 13, special rules apply. The collection of data regarding these children using internet tools is something that requires additional analysis. In fact, any use of data regarding children, such as the use of video images and the like, is likely worthy of special scrutiny.

B. Rulemaking Authority

The FTC has rulemaking authority under COPPA and GLBA to address privacy concerns. The Administrative Procedures Act governs this rulemaking authority.321 The FTC also has limited rulemaking authority to regulate deceptive and unfair trade practices under the provision of the Magnuson-Moss Warranty-FTC Improvement Act.322 Thus far, however, the FTC has declined to exercise that rulemaking authority to address privacy protections.323

C. Advocacy and Education

In addition to the statutory and regulatory enforcement activities outlined above, the FTC engages in several activities that are designed to strengthen consumer rights and privacy protections. These activities include

• Annual Privacy Updates: These updates provide summaries of FTC enforcement activities and other actions taken to meet FTC mission requirements.
• Business Blog: This blog includes discussions of current privacy topics.324
• Publication of Settlements: This listing of FTC settlements includes complaint and settlement documents as well as FTC statements and press releases.325
• Reports and Guides on a range of outreach subjects.326
• Open Hearings and Outreach: The FTC website includes information about both upcoming and past outreach events together with relevant information about the outcomes of those outreach events.

317 FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020), at 6, https://www.ftc.gov/system/files/documents/reports/reports-response-senate-appropriations-committee-report-116-111-ftcs-use-its-authorities-resources/p065404reportprivacydatasecurity.pdf.

318 Id. at 7.

319 No. 1:19-cv-02642, (D.D.C. Sept. 10, 2019), https://www.ftc.gov/system/files/documents/cases/172_3083_youtube_coppa_consent_order_signed.pdf.

320 Id.

321 See, e.g., 16 C.F.R. § 313 (Privacy of Consumer Financial Information Rule); 16 C.F.R. § 312 (Children’s Online Privacy Protection Rule).

322 15 U.S.C. § 57a.

323 FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020), at 5, https://www.ftc.gov/system/files/documents/reports/reports-response-senate-appropriations-committee-report-116-111-ftcs-use-its-authorities-resources/p065404reportprivacydatasecurity.pdf.

324 FTC Business Blog, https://www.ftc.gov/news-events/blogs/business-blog (last visited Aug. 4, 2020).

325 See, e.g., Cases Tagged with Privacy and Security= Consumer Privacy + Data Security + Identity Theft, F.T.C. (2020), https://www.ftc.gov/enforcement/cases-proceedings/terms/245%2B247%2B249%2B262.

326 See, e.g., Protecting Personal Information: A Guide for Business, F.T.C. (Oct. 2016), https://www.bulkorder.ftc.gov/publications/protecting-personal-information-guide-business; Data Breach Response: A Guide for Business, F.T.C. (May 2019), https://www.bulkorder.ftc.gov/publications/data-breach-response-guide-business; Start with Security: A Guide for Business, F.T.C. (June 2015), https://www.bulkorder.ftc.gov/publications/start-security-guide-business; Protecting Consumer Privacy in an Era of Rapid Change, F.T.C. (Mar. 2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf; Facing Facts: Best Practices for Common Use of Facial Recognition Technologies, F.T.C. (Oct. 2012), https://www.ftc.gov/sites/default/files/documents/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies/121022facialtechrpt.pdf.

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
