Business Blog
Companies warned about consequences of loose use of consumers’ confidential data
Who’s privy to some of a person’s most sensitive information? A healthcare provider? A member of the clergy? Their Mom? There’s someone else to add to that list: the company that prepares their taxes. The FTC is using its Penalty Offense Authority to put five tax preparation companies on notice that they could face civil penalties if they misuse consumers’ confidential data. Not in the tax prep business? Not so fast. The Notice of Penalty Offenses Concerning Misuse of Information Collected in Confidential Contexts restates long-standing legal principles every business should keep in mind.
Under the Penalty Offense Authority in Section 5(m)(1)(B) of the FTC Act, the FTC can seek civil penalties – currently up to $50,120 per violation – if there is a written Commission decision establishing that certain conduct is deceptive or unfair, a company is on notice of that fact, and the company nonetheless engages in that prohibited practice.
The Notice sent to the tax preparation companies cites the litigated FTC decision against Beneficial Corporation as legal authority. You’ll want to read the Notice for details, but here are some practices specifically cited as illegal:
- “It is an unfair or deceptive trade practice to use information collected in a context where an individual reasonably expects that such information will remain confidential (‘Confidential Context’) for any purpose not explicitly requested by the individual unless the individual first provides affirmative express consent for such use.”
- “It is an unfair or deceptive trade practice to make false, misleading, or deceptive representations or omissions concerning the use or confidentiality of information collected in a Confidential Context.”
Boiling it down to the basics, the Notice warns the tax prep companies that unless they first get the person’s affirmative express content, it may be deceptive or unfair under the FTC Act for them to put consumers’ information to use in other contexts – for example, for the company’s own separate financial benefit, for advertising purposes, or for the promotion or sale of other products. And although there may be situations where obtaining consent is not sufficient to protect consumers’ privacy, the Notice makes clear that, at a minimum, you must get consumers’ consent before using confidential information for unexpected purposes.
One significant detail businesses should heed: this warning applies to improper uses and disclosures of confidential information in offline and online environments. With respect to online marketing, the FTC’s accompanying letter specifically cautions businesses against employing tracking technologies such as pixels to use or disclose consumers’ confidential information for advertising and marketing purposes. Specifically, the letter to the tax prep companies mentions this post from the FTC’s Office of Technology and adds this important point:
[T]he Commission considers it an unfair or deceptive act or practice to use tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context for the purposes described in the prior paragraph without first obtaining affirmative express consent. It is also an unfair or deceptive practice to misrepresent or omit material facts regarding the use or confidentiality of information collected in a Confidential Context through tracking technologies such as pixels, cookies, or SDKs.
Pixels are nearly ubiquitous in the online world, so businesses should review their tracking technologies to ensure their use is above board.
The Notice of Penalty Offenses was sent to just those five tax prep companies, but the accompanying letter includes insights from recent settlements in BetterHelp, GoodRx, and Epic Games that every business should bear in mind when considering what constitutes “affirmative express consent.” Spoiler alert: burying something in your Privacy Policy or Terms of Service doesn’t meet the “clear and conspicuous” standard.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
Fully agree!!! Higher penalties and License suspension for a period of time.
Wow the consequences of using consumer's confidential data seems serious!