Who’s privy to some of a person’s most sensitive information? A healthcare provider? A member of the clergy? Their Mom? There’s someone else to add to that list: the company that prepares their taxes. The FTC is using its Penalty Offense Authority to put five tax preparation companies on notice that they could face civil penalties if they misuse consumers’ confidential data. Not in the tax prep business? Not so fast. The Notice of Penalty Offenses Concerning Misuse of Information Collected in Confidential Contexts restates long-standing legal principles every business should keep in mind.
Under the Penalty Offense Authority in Section 5(m)(1)(B) of the FTC Act, the FTC can seek civil penalties – currently up to $50,120 per violation – if there is a written Commission decision establishing that certain conduct is deceptive or unfair, a company is on notice of that fact, and the company nonetheless engages in that prohibited practice.
The Notice sent to the tax preparation companies cites the litigated FTC decision against Beneficial Corporation as legal authority. You’ll want to read the Notice for details, but here are some practices specifically cited as illegal:
- “It is an unfair or deceptive trade practice to use information collected in a context where an individual reasonably expects that such information will remain confidential (‘Confidential Context’) for any purpose not explicitly requested by the individual unless the individual first provides affirmative express consent for such use.”
- “It is an unfair or deceptive trade practice to make false, misleading, or deceptive representations or omissions concerning the use or confidentiality of information collected in a Confidential Context.”
Boiling it down to the basics, the Notice warns the tax prep companies that unless they first get the person’s affirmative express content, it may be deceptive or unfair under the FTC Act for them to put consumers’ information to use in other contexts – for example, for the company’s own separate financial benefit, for advertising purposes, or for the promotion or sale of other products. And although there may be situations where obtaining consent is not sufficient to protect consumers’ privacy, the Notice makes clear that, at a minimum, you must get consumers’ consent before using confidential information for unexpected purposes.
One significant detail businesses should heed: this warning applies to improper uses and disclosures of confidential information in offline and online environments. With respect to online marketing, the FTC’s accompanying letter specifically cautions businesses against employing tracking technologies such as pixels to use or disclose consumers’ confidential information for advertising and marketing purposes. Specifically, the letter to the tax prep companies mentions this post from the FTC’s Office of Technology and adds this important point:
[T]he Commission considers it an unfair or deceptive act or practice to use tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context for the purposes described in the prior paragraph without first obtaining affirmative express consent. It is also an unfair or deceptive practice to misrepresent or omit material facts regarding the use or confidentiality of information collected in a Confidential Context through tracking technologies such as pixels, cookies, or SDKs.
Pixels are nearly ubiquitous in the online world, so businesses should review their tracking technologies to ensure their use is above board.
The Notice of Penalty Offenses was sent to just those five tax prep companies, but the accompanying letter includes insights from recent settlements in BetterHelp, GoodRx, and Epic Games that every business should bear in mind when considering what constitutes “affirmative express consent.” Spoiler alert: burying something in your Privacy Policy or Terms of Service doesn’t meet the “clear and conspicuous” standard.
Fully agree!!! Higher penalties and License suspension for a period of time.
Wow the consequences of using consumer's confidential data seems serious!