Data Dive

On September 8, 2023, federal court approved a consent decree from the Equal Employment Opportunity Commission (EEOC) with iTutorGroup Inc. and its affiliates (“iTutor”) over alleged age discrimination in hiring, stemming from automated systems in recruiting software. Arriving on the heels of the EEOC announcing its artificial intelligence (AI) guidance initiative, many are calling this case the agency’s first ever AI-based antidiscrimination settlement.¹ While it is not clear what, if any, AI tools iTutor used for recruiting, one thing is certain: We will soon see many more lawsuits involving employers’ use of algorithms and automated systems, including AI, in recruitment and hiring.²

In a policy statement released on May 18, 2023, the Federal Trade Commission (FTC) warned of several consumer data privacy risks related to the increasing commercial use of biometrics technologies.¹  The Commission unanimously voted 3-0 to adopt the policy statement, which builds on more than a decade of Commission guidance on biometrics, including its 2012 report on best practices for facial recognition technology.

On May 4, 2023, an Idaho federal judge ruled that the Federal Trade Commission (FTC) needs stronger assertions of consumer harm in order for its data privacy suit against data broker/mobile analytics provider Kochava Inc. (“Kochava”) to proceed. The court simultaneously found no basis for Kochava’s suit to block the FTC’s enforcement action. The judge sided with Kochava’s argument that the agency had not adequately supported its claim that the company sales of geolocation data constituted unfair conduct under Section 5 of the FTC Act, finding no allegations that the practices “created a ‘significant risk’ of concrete harm.”¹ The agency has 30 days to amend the complaint.

Growing regulatory action to combat so-called “dark patterns” used in web design to influence consumer choice has resulted in hundreds of millions of dollars in fines, and promises to continue to be an area of enforcement in 2023. Federal enforcement actions, state laws and agency guidance have cast dark patterns as a grave concern that regulators are looking to root out from company practice. But what exactly are dark patterns and which practices do they encompass? Here we will discuss practices that risk being classified as dark patterns and how regulators are enforcing this new data privacy trap.

On February 1, 2023, the Federal Trade Commission (FTC) announced that it had taken enforcement action against prescription drug discount company GoodRx, which agreed to injunctive relief and to pay a $1.5 million civil penalty to settle allegations that the company violated the FTC Health Breach Notification Rule and Section 5 of the FTC Act.

The Federal Trade Commission (FTC) issued a consent order with alcohol delivery service Drizly and its CEO over allegations that multiple security failures led to a data breach that exposed the personal information of about 2.5 million consumers. The complaint alleges Drizly and its CEO’s actions constitute unfair and/or deceptive acts or practices in violation of section 5(a) of the Federal Trade Commission Act. Finalized on January 10, 2023, the order requires Drizly to destroy unnecessary data, limit future data collection and implement an information security program. Notably, it also personally binds the CEO to implement an information security program at any future business for the next 10 years.

This year has seen some substantial new data breach settlements including a $500,000 Federal Trade Commission (FTC) fine against CafePress, a $1.25 million multi-state class action settlement and $5 million New York Department of Financial Services (NYDFS) fine against Carnival Corporation (“Carnival”)¹ and a $4.5 million NYDFS fine against EyeMed Vision Care LLC (“EyeMed”). In an era of increasing scrutiny around cybersecurity practice, this assortment of settlements across companies in varying industries offers insight into how regulators view the application of core cyber protections, as well as their growing willingness to prescribe them.

The U.S. Department of Justice (DOJ) Antitrust Division fined three major U.S. poultry processors and a data consulting company a total of $84.8 million for violating federal antitrust laws by allegedly conspiring to fix employee wages and benefits. This settlement speaks to the antitrust agencies’ public commitment to investigate and prosecute competitive harm in labor markets.

As part of the Consolidated Appropriations Act, Congress had tasked the Federal Trade Commission (FTC) to examine whether artificial intelligence (AI) is a useful tool to combat the proliferation of harmful content online. In a June 2022 report titled, “Combatting Online Harms Through Innovation,” the FTC concluded that governments, platforms and other stakeholders must exercise great caution in mandating AI use, or over-relying on AI as a solution.