Consistent with the FTC’s laser focus on mobile privacy, the Commission today announced its latest privacy law enforcement action – this time against a mobile device manufacturer. Today’s announcement, with HTC America, involves the FTC’s charges that the device manufacturer did not sufficiently secure the software that it developed for its smartphones and tablet computers, and did not accurately describe its data handling practices to device users. The FTC’s allegations underscore the Commission’s view that companies are required under Section 5 of the FTC Act to (1) implement a number of specific privacy-by-design steps to products capable of collecting, accessing, and transmitting personal information, and (2) carefully confirm that any representations they make about a product and how personal information is handled – including statements in a product’s user guide and representations made on the interface of a software application – remain consistent with the product’s capabilities.
The case is a good example of how quickly and aggressively privacy law and enforcement are evolving, and how important it is to be cognizant of such legal trends and how they affect a company’s privacy responsibilities in product design and development. The failure to incorporate such considerations from “the ground up” and as part of a company’s culture, training, and oversight – as evidenced by the FTC’s steady enforcement on such issues – can, as evidenced by this action and others, lead to 20-year regulatory consent orders and/or expensive litigation.
This Kelley Drye client advisory outlines the FTC’s most recent “privacy by design” law enforcement action, and identifies several practical tips to keep in mind for companies that design and market products capable of collecting, storing, or disclosing personal information.