According to the FTC’s complaint, GoodRx shared sensitive personal health information for years with advertising companies, contrary to their promises made in their privacy policies. Among other violations, GoodRx failed to report these unauthorized disclosures which is required under the Health Breach Notification Rule.
The FTC has a history of taking enforcement action against companies who provide misleading information to consumers, including in online privacy policies. Expanded enforcement of online privacy compliance is occurring on a state level as well. For example, in late 2022, the Attorney General for California settled a California Consumer Privacy Act (CCPA) enforcement case against Sephora for $1.2 million in a landmark settlement.
This trend of enforcement actions against businesses for violating data privacy laws should cause all businesses who have an online presence to verify their compliance with applicable law. While historically compliance with online privacy laws was relatively easy, it is becoming more complex as more individual states enact new data privacy requirements. In addition to California, the following states now have consumer privacy laws that are going into effect this year – Colorado, Connecticut, Virginia, and Utah. A stronger push by government regulators to force compliance “or pay the price” certainly appears to be reality.
The five states that currently have consumer data privacy laws is just the tip of the iceberg. Numerous other states have pending legislation on identical topics. In addition to state and federal regulators, there is an increasing amount of class action litigation brought by plaintiffs’ attorneys, particularly under California’s law. The bottom line is that companies who overlook consumer privacy compliance may pay far more in the future through penalties and litigation than if they just became compliant with applicable law.
So, what should executives and business owners do in light of the current trend of enforcement actions regarding breaches of data privacy laws?
- Assuming you have a trusted lawyer, who is experienced in technology and data privacy law, ask them to review your current privacy policies to make sure they are compliant with applicable law, including the new laws taking effect in 2023.
- Assign an individual in the company to “own” the data privacy compliance process.
- Test your company’s actual response to some example requests that may come in from consumers.
This blog was drafted by Jack Amaral and Jon Farnsworth, attorneys in the Spencer Fane Minneapolis office. For more information, visit spencerfane.com.