
FTC Flags a New Form of Unsportsmanlike Conduct via Notice of Penalty Offense

The FTC recently sent five tax preparers a notice of its intention to pursue civil penalties (“Notice”) if they continue to use consumers’ data for purposes other than tax preparation (such as advertising) without first obtaining consumers’ consent. These facts are not particularly surprising. But the legal basis relied upon by the FTC for its threat is intriguing because it suggests a twist on the FTC’s usual approach to privacy enforcement actions under Section 5.

Also noteworthy: The FTC made its move under its “penalty offense authority” under Section 5, which authorizes civil penalties up to $50,120 per violation when a written Commission decision has established that certain conduct is deceptive or unfair, the target is on notice of that fact, and it nonetheless engages in the conduct.

We recommend watching this space for similar scrimmages by the agency that could signal an expansion of its Section 5 playbook, presenting privacy professionals with a new reason to call an audible.

Old news or new law? 

In the Notice, the FTC asserts that the tax preparers violated Section 5 of the FTC Act by using consumers’ “confidential data” for purposes other than providing the service the consumers requested. In particular, the FTC identified several courses of conduct that violate Section 5:

  • “us[ing] information collected in a context where an individual reasonably expects that such information will remain confidential (“Confidential Context”) for any purpose not explicitly requested by the individual unless the individual first provides affirmative express consent for such use[;]”
  • “us[ing] information collected in a Confidential Context to obtain a financial benefit that is separate from the benefit generated from providing the product or service requested by the individual unless the individual first provides affirmative express consent for such use[;]” and
  • “us[ing] information collected in a Confidential Context to advertise, sell, or promote products or services unless the individual first provides affirmative express consent for such use.”

In a blog post highlighting the action, the FTC asserts that the Notice simply “restates long-standing legal principles” and points to In re: Beneficial Corp., 86 F.T.C. 119, 173 (1975), aff’d in relevant part, 542 F.2d 611 (3rd Cir. 1976) (also cited in the Notice). You will forgive us for being unfamiliar with the FTC’s Beneficial action since the decision was issued before anyone on the Wyrick privacy team was born.

Even the boomers among us, however, may not remember Beneficial, which has not been featured in prominent, modern FTC Section 5 cases. Is that because Beneficial only serves as notice of prohibited conduct for other tax preparers, such as the five targets of the Notice? Or might it have now resurfaced because an FTC that is increasingly active in the privacy space is relying on Beneficial to target players in other industries who collect data in “confidential contexts” and establish that they also have notice such conduct is impermissible? We think it’s the latter.

New routes to assert FTC Act violations

The Notice reveals the FTC making at least three tweaks to its standard privacy enforcement playbook under Section 5.

First: the source of the alleged unfairness or deception. The FTC has for decades highlighted through white papers, blogs, and enforcement actions (anyone remember Myspace?) that a material misrepresentation or omission about data use can constitute an unfair or deceptive trade practice. This position was on display in the agency’s $150M action involving Twitter, which had requested users’ mobile phone numbers for the stated purpose of implementing multifactor authentication, but later used the information for advertising without any mention to consumers of that secondary use.

The targets in these FTC actions typically make affirmative statements that are judged by the FTC to be false or incomplete, and therefore materially misleading. The position taken in the Notice, however, asserts a different basis for that charge: a consumer’s expectation of confidentiality, coupled with unexpected uses of personal information by the business, may be an unfair or deceptive trade practice, irrespective of the business’s statements about data use.

This rationale is a variation on the FTC’s well-established approach of leveraging a business’s prior statements to consumers to show a material omission. Both Beneficial and the Notice, in contrast, focus on parties whose relationships with consumers give rise to a reasonable expectation of confidentiality on the consumer’s part. A privacy policy or other statement about data use was not dispositive to the analysis.

Second: the FTC’s assertion that internal use of consumer data for financial benefit can be an unfair or deceptive trade practice if the consumer has not provided affirmative express consent for the use. Specifically, in Beneficial the defendant sought to cross-sell loans to tax preparation clients by repurposing the information they handled for the clients during tax prep. In its prior actions, the FTC has been clear that a disclosure of personal information for financial benefit can be unfair or deceptive, but flagging internal uses that are undertaken for financial benefit is at least arguably an expansion of the FTC’s Section 5 focus.

Finally, the Notice establishes that using consumer data received in a confidential context for advertising or promotional purposes without consumers’ affirmative express consent is unfair or deceptive. We should all know by now that using personal information for marketing is among the most likely scenarios to cause the FTC to throw a flag, but this outcome suggests that opt-in consent is always required for such uses when personal information is received by organizations in a context where the consumer expects confidentiality.

While the Notice implies this position is well-established, we note that the FTC references a white paper from 1998 that simply notes consumer choice principles should apply to secondary data uses. That’s a bit different from finding that marketing use is material and warrants affirmative express consent. In any event, under the position espoused in the Notice, it would not suffice to present a consumer with a static privacy notice at the point of data collection disclosing marketing uses of the consumer’s data: a “clear and conspicuous disclosure” of those uses would be required.

Are other organizations likely to get caught up in the action?

The Notice and corresponding blog post clearly signal that the FTC considers tax preparers to be “on notice” of this standard since Beneficial involves a fellow tax preparer (even though the case arose around the same time the Minnesota Vikings last appeared in a Super Bowl). The interesting question is: Does this Notice mean that any organization whose relationship with consumers creates a reasonable expectation of confidentiality is on notice of the FTC’s position? If so, the FTC could leverage its penalty offense authority under Section 5 against those organizations too, and seek up to $50,120 per violation.

The FTC’s blog post discussing the Notice implies that is the case, speculating that health care providers, clergy, and (we assume this was a joke, but maybe not!) mothers are privy to “some of a person’s most sensitive information” before highlighting the Notice’s position on information shared in confidential contexts. The FTC then asserts that “every business should keep [it] in mind.”

We expect the FTC will continue to assert its view, and that the recipients of the Notice simply present a convenient, early score. The case has egregious facts, an inarguable consumer expectation of confidentiality, and is backed by a Circuit-Court-affirmed prior FTC decision that is directly on-point. Savvy privacy professionals will recognize this pattern in the FTC’s Section 5 enforcement expansion efforts: the FTC accumulates enforcement actions, starting with safe plays and moving the ball steadily down the field on its preferred policy positions. By the time the ball is on the 5-yard line, a dozen prior plays will have put the regulated community on notice of the goal. Eventually, any business that could be said to owe some measure of confidentiality to consumers will be subject to potential FTC Section 5 enforcement (with a monetary penalty!) if the information entrusted to it is used for other purposes, particularly for financial benefit or marketing.

In fact, the FTC has already made a new home for this variety of penalty offense on its webpage accumulating its actions. The other varieties, covering topics from “Substantiation” (product claims) to “Endorsements” and “Auto Rentals,” are each populated with multiple examples of prior enforcement actions. For now, the newest listing, “Penalty Offenses Concerning Misuse of Information Collected in Confidential Context,” features only the Notice and Beneficial Corp. We think it won’t be long before they have some company.

Healthcare and pixels in the red zone

In considering the broader implications of the Notice beyond tax preparers, health care providers will be top-of-mind. That industry has been under scrutiny by the FTC throughout 2023 for practices ranging from overuse of “euphemisms” to describe data handling practices, to posting misleading HIPAA privacy seals, to relying on “dense” privacy policies to make required disclosures to consumers.

The Notice also targets another practice recently scrutinized by the FTC: using tracking pixels on websites where consumers share sensitive information. The FTC has already taken enforcement actions under Section 5 against health care providers engaged in this practice, asserting in part that their “unfair” conduct included failing to obtain “affirmative express consent” before disclosing consumers’ health information to “third parties” engaged in ad tech. In those cases, the FTC’s claims relied in large part on allegedly deceptive statements that health care providers made in their privacy policies. But under the reasoning in the Notice and Beneficial, the FTC wouldn’t need to make any assertions about deceptive statements: simply showing that website visitors had a “reasonable expectation” that information communicated through the provider’s website would be kept confidential, and that the data was used or disclosed contrary to that expectation, would be sufficient.

How to stay onside

To recap, here are the situations you should consider ripe for affirmative express consent, based on the Notice:

  • Using consumer information collected in a “confidential context” (where an individual reasonably expects the information will remain confidential) for purposes not explicitly requested by the individual;
  • Using such information to obtain a financial benefit that is separate from the benefit generated from providing the product or service requested by the individual; and
  • Using such information to advertise, sell, or promote products or services (including yours).

And keep in mind: although the Notice provides yet another reason to treat online tracking technologies with caution, the FTC’s approach is not limited to online contexts. Beneficial was decided in 1973. The conduct at issue there included hard copy recordation and in-person sales attempts. The FTC confirms, in 2023, in its letters to the five tax preparers that were the target of the Notice that “[t]he concepts espoused in Beneficial concern the use of information collected in any Confidential Context, whether online or offline.”

If you would like help reviewing your current practices or future initiatives with respect to FTC enforcement trends, or any other privacy or data security consideration, please contact any member of the Wyrick Robbins Privacy and Data Security Team.