On January 18, 2024, the U.S. Federal Trade Commission announced a complaint and proposed consent order with InMarket Media, LLC, a digital marketing platform and data aggregator.  Less than two weeks later, on February 1, the FTC announced a complaint and proposed consent order with software licensor and data provider Blackbaud, Inc.  In both cases, the FTC’s complaint alleged that the companies retained personal data for longer than was necessary, and that conduct violated Section 5 of the Federal Trade Commission Act as an unfair act or practice.  Under the proposed consent orders, both companies do not confirm or deny the allegations.

InMarket

Digital marketing platform and data aggregator InMarket collected extensive personal data both through purchases of data as well as through the software development kit (SDK) that it licensed to software developers.  The company would use the collected personal data (including geolocation data) to group customers into “audiences” for purposes of targeted advertising, including ads displayed through the SDK.  The FTC’s complaint alleged that InMarket failed to:  (a) “notify consumers that their location data will be used for targeted advertising” and (b) “verify that mobile applications (“apps”) incorporating the InMarket SDK have notified consumers of such use.”  (Complaint ¶ 3) 

According to the FTC’s complaint, developers would incorporate the InMarket SDK into developers’ apps, which would request access to the location data the consumer’s mobile device generates.  If the consumer allowed access, the device would send both the device’s precise latitude and longitude as well as the timestamp and unique mobile device identifier.  The FTC’s complaint states:  “From 2016 to the present, about 100 million unique devices sent Respondent location data each year.”  (Complaint ¶ 5 (emphasis in original))  InMarket would share advertising revenue with developers that incorporated the InMarket SDK into their apps.

InMarket also incorporated its SDK into its own apps, which would, for example, offer consumers rewards for completing certain tasks, such as watching videos, walking into stores, etc.  With respect to disclosure to consumers, the FTC complaint states that InMarket’s request for location data was, for example:  “Allow CheckPoints to access your location?  This allows us to award you extra points for walking into stores.”  (Complaint at ¶¶ 13-14)  The FTC pointed out that InMarket did disclose that it used consumer data for targeted advertising in its privacy policy, but the location consent screen did not link to the privacy policy.  (Complaint at ¶ 19)  The FTC alleged that “the misleading prompts do not inform consumers of the apps’ data collection and use practices” and that representations regarding the use of location information were material to consumers.  (Complaint at ¶¶ 18-19).

With respect to developers, the FTC alleged that InMarket did not require the developers to obtain informed consumer consent, but instead simply required that developers “comply with all applicable laws.”  (Complaint at ¶ 21)  The InMarket agreement with developers also did not disclose that the information users provided “will be supplemented and cross-referenced with purchased data and analyzed to draw inferences about those users for marketing purposes. Nor does it disclose to these app developers that it retained their users’ location information for up to five years.”  (Complaint at ¶ 22)

With respect to the five-year retention period, the FTC’s complaint stated:

This unreasonably long retention period—far longer than is necessary to accomplish InMarket’s stated purpose for collection (to allow a consumer to earn shopping points or make shopping lists)—significantly increases the risk that this sensitive data could be disclosed, misused, and linked back to the consumer, thereby exposing sensitive information about that consumer’s life.

(Complaint at ¶ 26)

That statement formed the basis for Count III of the FTC’s complaint:

Respondent’s retention of detailed location data for such an extended period has caused or is likely to cause substantial injury in the form of a loss of privacy about the day-to-day movements of millions of consumers, and an increased risk of disclosure of such sensitive information.  This injury is not reasonably avoidable by consumers themselves, as they are not aware of the scope of these practices.  This injury is also not outweighed by countervailing benefits to consumer or competition.  Consequently, Respondent’s retention of consumers’ detailed location data for longer than is reasonably necessary to effectuate its business purpose is an unfair act or practice.

(Count III of Complaint)

Count I of the complaint related to InMarket’s collection without disclosing InMarket’s uses of the location data.  Count II focused on the collection and use of consumer data from third-party apps.  Count IV alleged that InMarket had deceived consumers with its partial disclosure of its uses of the location data—alleged to be a deceptive failure to disclose.  All four counts alleged a violation of Section 5 of the FTC Act.

Under the proposed 20-year consent order, the FTC would place multiple requirements on InMarket, including a prohibition on the sale or licensing of location data and the establishment of an “SDK Supplier Assessment Program.”  (Consent Order at ¶¶ II, VI)  With respect to data retention, not only would the proposed consent order require that InMarket establish a “simple, easily-located means for consumers to request that Respondent delete Location Data that Respondent previously collected from a specific mobile device,” it would also require a publicly available timeframe for retention of covered information on InMarket’s website.  (Consent Order at ¶¶ 9-10)  That retention timeframe would need to be “the shortest time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information.”  (Consent Order at ¶ X)

Blackbaud

Blackbaud had a cyber security event in 2020 where personal information was exfiltrated.  (We have twice covered the consumer class action, here and here.)  Blackbaud provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics services to various charitable organizations, including healthcare, religious, and educational institutions as well as various foundations.  As a result, Blackbaud had personal information on millions of consumers, including names, dates of birth, Social Security numbers, financial information, medical information, religious belief data, and account credentials.  According to paragraph 9 of the FTC complaint, Blackbaud did not encrypt database backup files.  The complaint also alleges that:  “Blackbaud did not enforce its own data retention policies, resulting in the company keeping customer’s consumer data for years longer than was necessary.” (Complaint ¶10.)

Blackbaud notified its customers of the security incident on July 16, 2020, but the notice stated that “No information about your constituents was accessed.”  Unfortunately, the FTC complaint states that Blackbaud knew by July 31 that personal information had been accessed (Complaint ¶ 14), yet Blackbaud did not disclose the extent of the breach until October 2020.

The FTC pointed out that Blackbaud’s posted privacy policy stated “While no website can guarantee exhaustive security, we maintain appropriate physical electronic and procedural safeguards to protect your personal information collected via the website.”  (Complaint ¶ 18)  The FTC’s complaint then listed 8 ways the agency believed that Blackbaud did not maintain appropriate security, ranging from weak passwords, to failing to patch in a timely manner, to failure to “implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers’ personal information stored on its network.”  (Complaint ¶ 19)  The FTC’s five-count complaint alleged in Count II that Blackbaud’s alleged failure to “implement and enforce reasonable data retention practices for sensitive consumer data maintained by its customers on its network” was an unfair act or practice in violation of Section 5 of the FTC Act.

Under the proposed 20-year consent order, among other things, Blackbaud would be required to “Delete” or destroy backup data that is not retained in connection with providing products or services to customers, excluding information legally required to be maintained.  (Consent § II)  The draft consent order defines “Delete” to mean “to remove Covered Information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.”  Blackbaud would also be required to “refrain from maintaining any Covered Information not necessary for the purpose(s) for which such information is stored and/or maintained by Respondent.”  In addition, similar to the InMarket proposed consent above, Blackbaud would be required to post on its website a publicly available timeframe for retention of covered information, which cannot be an indefinite retention period.  The FTC added that the retention schedule requirements apply to databases of personal information of former customers and customers who migrate to a different Blackbaud product.  (Complaint § III)

Our Take

As we have previously written, regulators are focusing more and more on retention of data.  Note that in the InMarket case, the FTC alleged that five years was too long for InMarket to retain sensitive location data.  With respect to Blackbaud, the FTC was particularly concerned about retention of former customers’ personal financial and health data, not to mention the company’s alleged failure to follow its own record retention policies.  Moreover, in the Blackbaud draft Consent Order, it appears the FTC is taking an even more nuanced approach, finding that even if the company needed certain data for longer periods, it did not need to keep it accessible or unencrypted.  This regulatory scrutiny could lead to even more scrutiny of company retention and storage practices, especially where companies keep multiple copies of the same data and where convenience copies (which are generally more accessible) do not necessarily need to be kept as long as archival or system-of-record versions.

Retention has become a focus of the FTC as part of its overall focus on privacy and consumer protection.  As most companies cannot “flip-the-switch” on record retention as it impacts multiple areas of the business including operations and legal, companies would be wise to start developing a plan to update and revise their information governance strategy and program.