FTC suddenly gets very stern about not-really-anonymized anonymized data

America's Federal Trade Commission (FTC) has these words for organizations that stretch the truth about anonymizing and securing people's data: expect to hear from us.

In its latest guidance to businesses, Acting FTC Associate Director for Privacy and Identity Protection Kristen Cohen said many companies claiming to anonymize data are deceiving their customers because this supposedly anonymous information can often easily be linked back to a person. 

Browsers, phones, fitness trackers, cars, and so on, collect bits of info about people's location and activities all the time, which is concerning enough, said Cohen. "Consider the unprecedented intrusion when connected devices and technology companies collect that data, combine it, and sell or monetize it," she continued. In many instances, folks aren't even aware their data is being sold, she said. 

Cohen didn't indicate that the FTC was preparing to enforce fresh rules or regulations. Instead, she said that the US watchdog's past enforcement actions on data privacy "provide a roadmap for firms seeking to comply with the law." 

In other words, the FTC already has plenty of laws on the books to take action, and will against those who fail to safeguard privacy and truly anonymize records.

Why now?

Those curious about the timing of the FTC's statement need only look back to last week for an explanation, as that's when President Joe Biden signed an executive order protecting access to reproductive health services. 

Along with ensuring women receive critical healthcare, the executive order instructed the FTC "to consider taking steps to protect consumers' privacy when seeking information about and provision of reproductive health care services," as well as considering additional options to address deceptive and fraudulent practices regarding the handling of said data. 

This isn't a new concern, though it has taken center stage since the US Supreme Court overturned its 1973 decision in Roe v. Wade, which federally protected access to abortion. Last year, a study found that 30 popular fertility tracking apps on Google Play were collecting, and potentially leaking, private information. 

• Google location tracking to forget you were ever at that medical clinic
• FTC urged to probe Apple, Google for enabling 'intense system of surveillance'
• Metaverse privacy maturity lags enthusiasm for new virtual worlds
• Once again, Facebook champions privacy ... of its algorithms: Independent probe into Instagram shut down

Research cited by Cohen found that 95 percent of anonymized data could be linked to a person using just four geolocated and timestamped data points.

The main basis of FTC enforcement of this type comes from Section 5 of the Federal Trade Commission Act. The section covers unfair acts and practices, which it defines as those that cause or are likely to cause substantial injury to people, can't be reasonably avoided, and aren't outweighed by benefits to customers or competition. 

Additionally, Cohen said the Safeguards Rule, Health Breach Notification Rule and the Children's Online Privacy Protection Rule are also enforced by the FTC.

The government agency never said in its guidance that it's acting in response to Biden's order, but it makes clear that reproductive healthcare, the data associated with it, and the threat that data poses to women in states with abortion restrictions is at the core.

"The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms … that are exacerbated by the exploitation of information gleaned through commercial surveillance," Cohen wrote. ®