However, though the FTC voted 4-0 to accept the consent agreement, Wilson said she did not support holding Rellas liable, because by naming Rellas the FTC has “signaled the agency will substitute its own judgment about corporate priorities” for companies rather than targeting ineffective data security practices.
“There is no doubt that robust data security is important… But CEOs have hundreds of issues and numerous regulatory obligations to navigate,” said Wilson in a statement. “Companies, not federal regulators, are better positioned to evaluate what risks require the regular attention of a CEO. And when companies err in making those assessments, the government will hold them accountable. Accordingly, I dissent from the inclusion of the individual defendant in the complaint and settlement in this matter.”
The lawsuit is the latest move by the FTC around data security and privacy policies under Lina Khan’s administration since she was sworn in as the FTC chair in June 2021. In March, the FTC cracked down on online retailer CafePress after the company allegedly covered up a major data breach and failed to secure customers’ sensitive data, while in August the commission announced its intent to scrutinize the surveillance and data collection tactics of big tech and ad tech firms. Recently, the FTC also filed a lawsuit against an Idaho-based data broker called Kochava, alleging that its customized data feeds allow purchasers to track end users at sensitive locations like places of worship and addiction recovery centers.
Cobun Zweifel-Keegan, managing director of the Washington D.C. office of the International Association of Privacy Professionals (IAPP), said that in particular the FTC has been focusing at a granular level on data minimization policies, with this most recent order providing tight specifics for companies around charting out how data is collected, retained and deleted.
“It’s getting more into the weeds and helping us understand what the FTC means when it wants companies to implement data minimization practices,” said Zweifel-Keegan. “This signals the future course of a lot of FTC actions. I think there will be a common set of requirements under consent orders to help to effectuate this goal of robust data minimization.”