Account security and digital identity have been hot topics for regulators and at the National Institute of Standards and Technology (NIST). The government has been promoting multifactor authentication (MFA) and innovation in digital identity, including in updates to the FTC’s Safeguards Rule for financial institutions, and in multiple NIST publications. A recent FTC settlement demonstrates the government’s interest in these tools, including in the possibility that organizations may deploy them in ways that do not meet consumers’ expectations or that result in collection of more data than the government thinks is necessary. Companies that are exploring MFA and other authentication measures should stay on top of NIST’s substantive guidance but also heed the FTC’s warning about possible misuse.

What Happened?

On May 25, 2022, the Federal Trade Commission (FTC) settled with a major social media company for $150 million to resolve the agency’s allegations that the social network allowed advertisers to use customer account phone numbers and email addresses, obtained for security purposes, for targeted advertising. The resolution included several requirements, including that the company “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers.”

Background

In a prior FTC Order, the FTC prohibited a social media giant from misrepresenting “the extent to which [it] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. . . .” According to the recent Complaint, beginning in May 2013 the company began asking users to provide either a phone number or email address to improve account security, in order to allow users to reset passwords, unfreeze accounts, and enable two-factor authentication. In addition to using such contact information for security, the FTC alleged that the company used the email addresses and phone numbers to aid advertisers in conducting targeted advertising without adequate disclosure to its users.

Final Order

In addition to the fine, going forward the order imposes the following conditions:

1. Prohibits the company from using account email addresses and phone numbers for targeted advertising;
2. Allows users to enable other multi-factor authentication methods to access the social media site, such as mobile authentication apps or security keys;
3. Requires that the company notify users that it used their phone numbers and email addresses collected for account security to target ads to them and provide information about privacy and security controls;
4. Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
5. Requires that the company limit employee access to users’ personal data; and
6. Requires the company notify the FTC if it experiences a data breach.

Organizations can take some lessons from the FTC’s action here.

• Privacy policies or disclaimers alone may be insufficient to overcome a potential misrepresentation claim. Specifically, where a company’s privacy policy discloses that it may use a consumer’s data in various ways, if a company later represents or implies that it is collecting data for a specific purpose but uses that data for other purposes, such use can be alleged as a deceptive practice under this precedent. Accordingly, even if a company has a broad privacy policy, it should only use data for the purposes it stated or implied at the time of collection.
• If collecting additional data about a user, it will be prudent for the company to make clear to an end user the purpose for which the data may be used.
• Internal separation of data used for different purposes is paramount. The FTC’s actions illustrate the importance to the agency of companies having internal processes that can keep data sets separate.

More generally, we see in the FTC’s action here an encouragement to private companies to consider their authentication programs and how they promote end user security and privacy. In the end, the FTC required the company to offer more options for authentication, that do not rely on phone numbers. This approach is similar to the prohibition in California’s privacy law on companies requiring consumers to create accounts in order to exercise their privacy rights. Here the FTC likewise is signaling that it is interested in promoting consumer authentication options that are flexible and not restrictive.

[View source.]