FTC Boldly Moves into a New Era of Data Minimization and Retention

October 19, 2023

Privacy Plus+

Privacy, Technology and Perspective

This week, let's highlight what could be an inflection point in data privacy regulation in the United States, as 2023 marks the year that the Federal Trade Commission (FTC) has placed its focus on data minimization and retention.

Background:

We live at a time when data is often referred to as the 'new oil.' Now, the practices of collecting, storing, and utilizing this valuable resource are under increasing scrutiny as several recent FTC settlements have brought the critical issues of data minimization and retention to the forefront in the United States.

Since at least 2018, data minimization has been recognized as a key principle under the EU's General Data Protection Regulation (GDPR). Article 5(1)(c) of the GDPR expressly states that personal data must be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed." In the European Economic Area (EEA) (and in the UK under the UK GDPR), data controllers must scrutinize the data they collect and ensure that only the minimal amount of data is gathered and processed. Compliance with this principle effectively requires a paradigm shift in data management.

Hence, the recent orders by the FTC illustrate a significant move by a U.S. regulator to actively curb the over-collection and indefinite storage of user data.

The FTC’s Orders Implicating Data Minimization and Retention:

Chegg (January 2023)

In our post, entitled "It's Turtles All the Way Down" - FTC Focuses on AWS Security, we referenced the FTC's case against Chegg Inc., an education technology (Ed Tech) provider that came under fire for its lax data security practices, which led to the exposure of sensitive information belonging to millions of its users and employees. You can read more by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/its-turtles-and-aws-all-the-way-down

In its finalized consent order against Chegg, the corrective measures imposed by the FTC mandated that Chegg limit the personal information it collects and retains, ensuring it only holds information essential for its provided services. The FTC also required Chegg to adhere to a retention schedule regarding that data. A link to the FTC’s finalized order follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/Chegg-DecisionandOrder.pdf

Drizly (January 2023)

Similarly, we have covered the Drizly case before, and you can read our post, entitled “FTC takes Action Against Drizly and its CEO: Will Protecting Data Become a Priority for CEOs?”, by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/drizly-and-its-ceo-protecting-data-as-a-priority

Drizly's case follows a pattern similar to Chegg's: the company retained a vast amount of consumers' personal information, which was eventually compromised.

The FTC's finalized order against Drizly again requires the company to destroy any personal information that is not necessary for its operations, and it prohibits Drizly from further collection or storage absent a detailed retention schedule, which it must make publicly available. A link to that order is available here:

https://www.ftc.gov/system/files/ftc_gov/pdf/2023185-drizly-combined-consent.pdf

You can also review Drizly’s new retention schedule at the link that follows:

https://drizly.com/data-retention-and-deletion

GoodRx (February 2023)

The FTC's order against GoodRx places a spotlight on the retention of Sensitive Health Information (SHI). For a refresher on the GoodRx case, you can review our post, entitled "Bad Privacy Practices at GoodRx?" by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/bad-privacy-practices-at-goodrx

While the GoodRx case also involved various privacy infractions, including deceptive claims about sharing users' SHI and the failure to establish a written privacy program, the remedy of data retention limits was striking. Digital health platforms and others now must reassess their data retention policies to define and justify the timelines for storing SHI, emphasizing the principle of data minimization.

Betterhelp (July 2023)

Similar to GoodRx, the FTC's recent order against the online counseling service Betterhelp requires the company to limit how long it can retain personal and health information according to a data retention schedule. We previously covered Betterhelp in our post, entitled "Mental Health Data is For Sale," which is available at the following link:

https://www.hoschmorris.com/privacy-plus-news/mental-health-data-is-for-sale

Our thoughts:

For businesses operating today, especially those that collect and process sensitive information, these FTC actions send a clear message:

Data minimization and transparent retention policies are becoming standards.

The FTC's enforcement goes beyond merely financial penalties. Rather, it sets forth explicit operational mandates. Companies must now assess the adequacy of their data retention policies and operationalize them.

We do wonder how AI systems – especially machine learning models – will fare in this new landscape.

By design, AI systems 'learn' and evolve by ingesting vast amounts of data, including precisely the sensitive personal information that companies are now required to minimize or delete. So the question arises: Even if the original data is purged, what about the 'residual knowledge' that has been assimilated into the AI? Do the AI system and the company that runs it benefit at the expense of the individuals whose personal information they have processed?

It's a nuanced aspect of data retention that regulators and companies need to address. The models may not 'remember' data in the human sense, but their algorithms are shaped by it, potentially impacting both their outputs and future performance. This underscores a pivotal, yet sometimes overlooked, aspect of data privacy:

AI systems hold a lasting imprint of deleted data, so what should happen to them?

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
