FTC Commissioner Rebecca Slaughter wrote about ordered destruction of algorithms in a Yale Journal of Law & Technology article. “The premise is simple,” she wrote. “When companies collect data illegally, they should not be able to profit from either the data or any algorithm developed using it.” The Weight Watchers settlement is the third of its kind in as many years. The first came in 2019, with Cambridge Analytica’s high-profile ordered destruction, and the second occurred in 2021 when Everalbum, Inc. allegedly misused facial recognition technology to identify users in photos outside of its app.

World Privacy Forum Executive Director Pam Dixon has said ordered destruction of algorithms is “definitely now to be expected whenever it is applicable or the right decision.” To avoid losing valuable assets, company stakeholders should have a working understanding of privacy principles and know when to seek guidance.

The Fair Information Practice Principles

An important set of privacy principles to be aware of are the Fair Information Practice Principles (“FIPPs”), which originated from a series of reports created by agencies in the U.S., Canada, and Europe. The resulting principles provide widely accepted guidance that speaks to the use and exchange data, and the principles should be considered from the outset by companies receiving, using, or sharing personal information.

• The Collection Limitation Principle. Appropriate limits should be placed on the collection of personal information. All data should be obtained through lawful means, and collection should not exceed the scope of the consent provided by the data subject.

• The Data Quality Principle. To the extent possible, data should be complete and accurate. In addition, data should be useful in that it matches the purpose for which it was collected.

• The Purpose Specification Principle. At the time of collection, a data subject should be made aware of the purpose for which personal information is being collected. The company should then proceed to use the collected data to fulfill only the specified purpose.

• The Use Limitation Principle. As a more granular version of the purpose specification principle, the use limitation principle provides that personal information should not be used for any particular application which exceeds the consent provided by the subject or which is unlawful.

• The Security Safeguards Principle. “Reasonable security measures” should be implemented to protect personal information from loss or unauthorized access, disclosure, destruction, or modification.

• The Openness Principle. This principle relates to transparency. After being advised by privacy or investigations counsel, companies should adopt an approach of openness about privacy practices and changes. Data subjects should have ready access to policies outlining how data is used and shared.

• The Individual Participation Principle. Data subjects are generally permitted to confirm whether a company has data related to the data subject and to obtain a copy of such data. In addition, a data subject is generally authorized to challenge inaccurate data.

• The Accountability Principle. Finally, companies are often held accountable for accurately documenting compliance with FIPPs and applicable laws.