FTC declares war on ‘pervasive extraction’ and ‘mishandling’ of personal info by targeting companies selling browsing data
The Federal Trade Commission would really like you to know that it considers web-browsing and location data to be sensitive, even if it doesn’t contain personally identifiable information like names and Social Security numbers.
A couple weeks ago, the FTC proposed a $16.5 million settlement with cybersecurity firm Avast, which it charged with unfairly selling browser information that the company had collected through its antivirus product and browser extensions. (Side note: Avast is British/Czech, so take that, everyone who thinks it’s always European regulators cracking down on American companies over privacy stuff!) And in January, it also proposed settlements with X-Mode Social and InMarket, both of which are data aggregators that collected people’s precise location data and sold it to private government contractors.
Yesterday, to tie together the emerging theme, the FTC published a blog post detailing its “heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data.”
“Browsing and location data are sensitive. Full stop,” the agency wrote. “None of the underlying datasets at issue in the FTC’s proposed complaints against Avast, X-Mode, or InMarket are alleged to have contained people’s names, Social Security numbers, or other traditional standalone elements of personally identifiable information (or ‘PII’). Indeed, the FTC’s proposed complaint against Avast acknowledges Avast’s use of a proprietary algorithm to find and remove these elements from its users’ browsing data before selling it. What makes the underlying data sensitive springs from the insights they reveal and the ease with which those insights can be attributed to particular people.”
The FTC has been on a crusade to tackle the importance of location data since July 2022, when it said it viewed such data as sensitive. Adding browsing data to the pile is a significant move that brings U.S. data-protection enforcement a little closer to Europe's, where people enjoy broad protections covering any data that can be connected with them as identifiable individuals (a far more expansive classification than PII, which only covers data that can be used to identify someone.)
As the U.S. still lacks much federal privacy law outside the realms of health care and children’s data, the FTC is mostly limited to cracking down on “unfair or deceptive acts or practices in or affecting commerce,” as per Section 5 of the FTC Act. So far, it’s mostly focused on the deception angle—allegedly a feature in all these three cases. But there’s another case worth keeping an eye on, involving a data broker called Kochava that also sold sensitive location data. This case doesn’t involve deception, but rather just what the FTC sees as unfairness in how the company sold data that could cause people substantial injury, without their express consent. If that case goes the FTC’s way, that would be an even more significant shift for Americans’ privacy rights.
Or Congress could, you know, finally pass a comprehensive federal privacy law that really brings the U.S. in line with global norms. It’s always worth staying optimistic! More news below.
David Meyer
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
This story was originally featured on Fortune.com
