
Data Privacy Violations: What Will be Your Company’s Extensive Remediation Requirements?

by John DiGiacomo

Partner

Internet Law

When a company violates data privacy laws, the company will face civil lawsuits from consumers and enforcement actions from state and federal government regulators. Civil money judgments can be massive as can penalties imposed by regulators. But remitting payment is never the final stage in resolving a privacy violation. Even with civil cases, there may be injunctive relief issued by the court requiring extended compliance and remediation actions. Without question, if regulators settle a data privacy violation, there will be substantial remediation and compliance actions required. This is among the many reasons it is necessary to retain experienced data privacy and internet lawyers to help avoid data privacy violations and to avoid data breaches accomplished by cybercriminals.

As an example, let us look at the remediation and compliance requirements imposed recently by the Federal Trade Commission in its settlement with Flo Health, Inc. See FTC press release here and the Proposed Settlement and Consent Order here. Flo Health is the developer of a period and fertility-tracking app used by more than 100 million consumers worldwide.

The FTC investigated Flo Health after reports surfaced that it was violating a number of laws and regulations related to consumer data privacy. For example, as reported in the press release, Flo Health disclosed sensitive health information — like a user’s pregnancy status — to third parties in the form of “app events.” Through these events, Flo Health transferred app data to such third parties – like Google and Facebook – for various reasons including directed marketing. Flo Health did not limit how third parties could use this health data, did not obtain user consent before disclosure, and misled consumers to believe that data sharing was done only in compliance with various data privacy laws.

As noted, the FTC has reached a settlement with Flo Health. Strangely, it does not seem that Flo Health was assessed any sort of penalty for its violation of data privacy laws. However, the Settlement Order contains a very lengthy list of compliance and remediation actions that Flo Health must undertake. Flo Health will be subject to the Settlement and Consent Order for 20 years. In brief, the remediations and compliance actions include:

  • Flo Health must ask any third party to destroy data that should not have been disclosed
  • Notice must be provided to users and the public that data about periods, menstrual cycles and pregnancies was shared with the data analytics divisions of various third parties
  • Going forward, before disclosing any consumer’s health information to a third party, Flo Health must provide notice to consumers including what data will be disclosed, to whom the data will be disclosed and to what use the data will be put
  • Going forward, Flo Health must obtain “express affirmative consent” from users before disclosing/sharing data
  • Flo Health must obtain an outside “Compliance Review” conducted within 180 days to verify any attestations and assertions made with respect to compliance with privacy laws and frameworks
  • Flo Health — and its senior management and board — must cooperate with the Compliance Reviewer
  • A senior management officer must be appointed and must regularly certify that Flo Health is in compliance with the Settlement and Order
  • Going forward, Flo Health must notify the FTC of any incident involving any unauthorized disclosure of individually identifiable data from or about a consumer to third parties
  • Flo Health must comply with numerous recordkeeping requirements
  • Flo Health must periodically (and as might be requested) provide to the FTC information and/or documents necessary for the FTC to monitor compliance with the Proposed Order

As can be seen, violating data privacy laws and regulations will be costly in terms of money and in the personnel time and attention that must be expended on very extensive compliance and remediation requirements. Note again that Flo Health will be subject to the order for 20 years. Note further that if the data is lost or stolen through a hack or other cyber-breach, an additional lengthy set of cybersecurity remedial actions is typically included in a Settlement Order. If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data privacy lawyers at Revision Legal at 231-714-0100.
