FTC’s Marriott Data Breach Order Echoes States’ Right to Delete

Nov. 12, 2024, 10:02 AM UTC

The Federal Trade Commission’s draft settlement deal with Marriott International Inc. over a years-long series of data breaches signals the agency’s growing embrace of right-to-delete policies as the consumer-focused approach becomes increasingly common in US state laws.

The FTC’s proposed agreement containing consent order with Marriott, released Oct. 9, addresses hacks from 2014 to 2020 impacting more than 344 million customers worldwide. The deal would require the hotel chain and subsidiary Starwood Hotels & Resorts Worldwide LLC to provide US customers with a link for users to request the deletion of personal information associated with their email addresses or loyalty rewards account.

The FTC has traditionally used a notice-and-choice model, where consumers click to accept terms. The new agreement’s policy shifts the onus to Marriott to manage the data they collect. A right-to-delete enables consumers to ask businesses to remove data about them that’s been collected.

The FTC, as currently constituted, will likely continue deploying right-to-delete remedies in similar cases, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals’ Washington, D.C., office. Privacy laws in California, Colorado, and several other states also already have such policies. The various requirements can create compliance hurdles for companies and their in-house counsels, including tracking collected data and determining what to delete.

Now is the time for companies to examine their data collection and retention practices, said Jessica Copeland, chair of Bond, Schoeneck & King PLLC’s cybersecurity and data privacy practice.

“Take this as your lesson learned as well,” Copeland said.

Data-Deletion Policies

Nearly every privacy law passed on the state level includes a consumer right to delete their data, said Jordan Rodell, state policy manager for trade group the Computer & Communications Industry Association.

To date, 20 states have signed comprehensive data privacy bills into law. Nine states already have laws in effect, and eight more will enact laws next year, according to a Bloomberg Law analysis. The Delaware Personal Data Privacy Act, for instance, will give consumers the right to ask businesses to delete their personal data—and appeal if those requests are denied—beginning Jan. 1.

Companies are challenged to parse the differences in states’ legislation, said Mauricio Uribe, co-chair of the software, information technology, and electrical practice groups at Knobbe Martens. While data such as Social Security numbers are broadly deemed personally identifiable, other forms of identification, like network addresses, aren’t so clear, he said.

“We’re really urging states to consider staying away from a patchwork and finding a way to kind of sync all of these laws up together so that compliance is feasible and manageable,” Rodell said.

The lack of an overarching federal privacy law furthers confusion among companies. But the FTC has carved out a “new path” using its regulatory authority to crack down on cyberattacks and institute security remedies, said Jonathan Walsh, a partner at Curtis, Mallet-Prevost, Colt & Mosle LLP.

Marriott is offering a process for US customers to submit deletion requests, according to an Oct. 9 statement. The FTC similarly required education technology provider Chegg Inc. to allow users to request data deletion in an order finalized in January 2023.

“Given that Marriott was amenable to doing this, maybe this is a way for the FTC to somehow have the net effect of a federal mandate to incorporate this right to deletion that perhaps would’ve been otherwise impossible through the rulemaking process,” Uribe said.

The fact that a federal agency is utilizing a right-to-delete policy as a data-privacy measure may be an “indication” of where a federal law would go if enacted, Copeland said.

The FTC declined to comment on its Marriott order, which isn’t yet finalized. The consent order agreement will be subject to public comment for 30 days, after which commissioners will vote on whether to make it final, an Oct. 9 agency press release said.

Marriott has reached a separate $52 million agreement with 49 state attorneys general and the District of Columbia over the pre-2020 breaches.

Compliance Challenges

Data mapping—which involves outlining information’s entry points, pathways, and storage locations—remains a challenge for businesses as they navigate right-to-delete policies.

The process can be arduous for Fortune 500 companies with global locations, Copeland said.

“Without a real granular understanding of how data gets processed in your organization, it’s going to be hard to have a lot of comfort that it’s deleted,” said Glenn Brown, a principal at Squire Patton Boggs and senior member of the firm’s data privacy, cybersecurity, and digital assets practice group.

Brown said in-house counsel should ensure they’re collaborating with their technical teams to ensure a unified data deletion process.

“The right to delete not only means the right to have a company delete your data from their database, it’s a right to prevent that same data from being reintroduced,” Brown said.

Beyond the technical challenge of ensuring there’s no reintroduction, deleting personal information could hinder marketing and outreach efforts. Many companies rely on data they’ve retained in order to reach out to customers they haven’t had touch points with in years, Copeland said.

Marriott’s settlement should show all businesses that it’s important to only collect information that’s necessary for company operations, the FTC said in an Oct. 9 blog post.

“Malicious actors can’t steal what isn’t there, so give careful thought to what data you collect before you collect it, and don’t keep data longer than you need it,” the FTC said in that post.

Companies should continually take notice of the FTC’s actions, advised Walsh.

“You have to keep an eye on what the FTC is doing because you may be required to enter a settlement like this if there, God forbid, is a data breach,” Walsh said.

To contact the reporter on this story: Jorja Siemons in Washington at jsiemons@bloombergindustry.com

To contact the editors responsible for this story: Tonia Moore at tmoore@bloombergindustry.com; Kartikay Mehrotra at kmehrotra@bloombergindustry.com
