
The FTC Reminds Us Of The Right To Be Forgotten

‘The Internet never forgets’ is a warning that what you do online could come back to haunt you later. It’s also a common myth, as content frequently disappears, either by accident or on purpose. Just try accessing those online discussion forums you used to read back in 1998. Or decades of MTV News.

In some cases, though, people might like their digital information to disappear—especially when it’s hosted by companies they no longer trust. The FTC made that a little easier in October when it settled a case with Marriott International. That settlement enables consumers to demand that Marriott International delete their records. Could this set a precedent in the U.S. that European consumers have enjoyed for years?

When Criminals Checked In – And Checked Out Millions Of Records

In 2018, Marriott revealed that intruders had compromised the reservation system of its Starwood Hotels & Resorts subsidiary. In two breaches, they stole 339m customer records from Starwood, including credit card details and passport numbers.

The attacks began in 2014, before Marriott acquired Starwood. When Marriott discovered the breach two years after the 2016 acquisition, it still hadn’t migrated Starwood onto its own reservation system. Then, between 2018 and 2020, a third breach occurred, this time affecting Marriott’s own systems. That intrusion saw the theft of another 5.2 million customer records, primarily so the attackers could steal those customers’ loyalty points.

The FTC’s complaint against Marriott focuses on two things. The first is the alleged failure to provide appropriate security measures, including password controls, software patches, and network logging. The second is what the FTC considers consumer deception through misleading security statements.

What the FTC doesn’t explicitly detail in its complaint is Marriott’s U-turn on its encryption claims. The hotelier said at the time that the credit card numbers and some passport data in the Starwood breach had been encrypted with AES-128, a strong symmetric cipher. However, in a legal hearing on April 10 this year, it revealed that the data had in fact been hashed with SHA-1. A hash is not encryption: there is no key to protect, and an unkeyed hash of a 16-digit card number can be reversed by brute force because the set of valid card numbers is small, whichever hash function is used. SHA-1 is also a poor choice in its own right: researchers exposed weaknesses in it as far back as 2005, and NIST has since announced its retirement.
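As an added illustration of that point (this is example code written for this article, not Marriott’s code or anything from the FTC record): when a card dump contains bare SHA-1 digests next to the BIN and the “last four” that are routinely stored in the clear, the only unknown is six middle digits, and the Luhn check digit removes one of those. The card number used is the well-known Visa test number, and the HMAC key is a constructed placeholder.

```python
# Added example, not from the original article: why an unkeyed SHA-1 of a
# payment card number is not "encryption". Standard library only.
import hashlib
import hmac
import itertools
from typing import Iterator, Optional


def luhn_sum(pan: str) -> int:
    """Luhn weighted sum: every second digit from the right is doubled."""
    total = 0
    for r, ch in enumerate(reversed(pan)):
        d = int(ch)
        if r % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def sha1_hex(pan: str) -> str:
    """What the article describes: a bare, unkeyed SHA-1 over the PAN."""
    return hashlib.sha1(pan.encode()).hexdigest()


def candidate_pans(bin6: str, last4: str) -> Iterator[str]:
    """Every Luhn-valid 16-digit PAN with the given BIN and last four digits.

    Positions 6..10 are enumerated (10**5 values); position 11 is solved from
    the Luhn sum (it is an undoubled position, r = 4 from the right), so no
    Luhn-invalid candidate is ever hashed.
    """
    assert len(bin6) == 6 and len(last4) == 4
    for mid in itertools.product("0123456789", repeat=5):
        stem = bin6 + "".join(mid)
        s = luhn_sum(stem + "0" + last4)
        yield stem + str((-s) % 10) + last4


def recover_pan(target_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Brute-force an unkeyed SHA-1 given the BIN and last four digits."""
    for pan in candidate_pans(bin6, last4):
        if sha1_hex(pan) == target_hex:
            return pan
    return None


def keyed_token(pan: str, key: bytes) -> str:
    """Contrast: HMAC-SHA256 under a secret key. Same search, no key, no hit.

    The key is a constructed placeholder; a real deployment keeps it in an
    HSM/KMS, or genuinely encrypts the PAN. The point is the secret, not
    the choice of hash function: unkeyed SHA-256 would fall just as fast.
    """
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


if __name__ == "__main__":
    PAN = "4111111111111111"          # constructed: the standard Visa test number
    stored = sha1_hex(PAN)            # what an attacker finds in the dump
    print(recover_pan(stored, PAN[:6], PAN[-4:]))                   # the PAN
    tok = keyed_token(PAN, b"placeholder-key-held-in-kms")
    print(recover_pan(tok, PAN[:6], PAN[-4:]))                      # None
```

The whole search is 100,000 hashes, which finishes in well under a second on one core; without the BIN and last four it is still only a few billion, which is an afternoon on a GPU. Salting does not help either, because the salt sits in the same database; only a secret key, or real encryption, takes the attacker’s computation out of reach.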

Consumers Will Soon Be Able To Delete Their Marriott Data

Marriott agreed to a hefty $52m payment in a separate settlement with 50 attorneys general. This accounts for 0.8% of its revenue or just over three days’ takings—or, put another way, about 15 cents per affected consumer.

Perhaps a more substantial outcome for the real victims of the Marriott breach was the hotel chain’s agreement with both the states and the FTC that it would allow customers to delete their personal information from its systems. Marriott must include a button on its website allowing customers to request this data deletion. It must then confirm receipt and explain the data deletion process within 60 days of each request.

This isn’t the first time the FTC has written data deletion obligations into its settlements. In October 2022, the Commission settled with educational technology provider Chegg over its alleged cybersecurity shortcomings, and the agreement included an order for the company to let consumers delete their data. A settlement with marketing company InMarket in May this year also required the company to delete any customer location data upon customer request.

However, in an analysis of the Marriott case, Jim Dempsey, managing director for the IAPP Cybersecurity Law Center, says that the Marriott settlement contains something new. “It was the first time the FTC required a company that suffered a security breach to provide all customers with a link to request the deletion of personal information associated with an email address and/or a loyalty rewards program account number,” he said.

Spreading Consumer Data Deletion Requirements

These data deletion provisions might become more widespread. The U.S. doesn’t have a federal privacy law. However, plenty of state-level data deletion laws are already in effect or due to come into force. Those doing business in California, Colorado, Connecticut, Utah, and Virginia must now delete consumer data upon request, while similar laws in Iowa and Nebraska will come into force in January next year. There are more in the works.

In Europe, companies have been dealing with this for a long time. The General Data Protection Regulation (GDPR), which came into effect in 2018, gives individuals a right to erasure (Article 17) that organisations must honour unless a listed exemption applies.

All this means the FTC’s latest and most aggressive right-to-delete settlement is unlikely to be its last. With a new, largely anti-regulation government on its way in, it’s unclear if Congress will pass an overarching federal right-to-delete law any time soon. However, as state-level support for right-to-delete measures grows, it gives the FTC more of a grounding to use this concept in settlements with companies.

How To Prepare

It’s important for organisations that think they might be affected by data deletion requests to prepare for them. There are both legal and technical aspects to this. Understanding your responsibility for an incoming deletion request means assessing the specific characteristics of that data against the scope of the rule, whether that’s a regulatory settlement, a state law, or a regional regulation. This includes understanding whether your purpose in retaining the data is exempt under the rule and whether you need the data to fulfil a contract with the individual.

If you must delete the data, that involves identifying and gathering the information in question, often from multiple systems. A data governance strategy that supports this might tag personal data at ingestion with the identifiers a request will be keyed on (an email address or loyalty number, say), locate every copy on demand, including replicas, backups and copies held by third-party processors, and write a deletion record for each request so that the confirmation and reporting steps can be automated.
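A minimal version of that workflow, as an added example written for this article rather than anything Marriott or the FTC describe: a request keyed on email address and loyalty number is matched across several hypothetical stores, exemptions are applied per record, and a deletion record is produced that references the data subject only through a keyed hash, so the audit trail does not itself retain the personal data. The store names, field names, exemption rules and key are all constructed for illustration.

```python
# Added example, not from the original article: a deletion-request workflow
# across several hypothetical data stores, producing an audit record.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

LOG_KEY = b"placeholder-key-held-in-kms"   # constructed; never hard-code a real one
ACK_WINDOW = timedelta(days=60)            # the confirmation window the settlement sets


@dataclass
class DeletionRequest:
    request_id: str
    email: str
    loyalty_number: str = ""
    received: date = date(2024, 11, 1)     # constructed


@dataclass
class DeletionRecord:
    request_id: str
    subject_ref: str            # keyed hash of the identifiers, not the identifiers
    acknowledge_by: date
    deleted: Dict[str, int]     # store -> records removed
    retained: Dict[str, str]    # store -> exemption reason


def subject_ref(email: str, loyalty_number: str) -> str:
    """Reference the data subject in audit records without storing the PII."""
    msg = (email.lower() + "|" + loyalty_number).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def matches(rec: dict, req: DeletionRequest) -> bool:
    """Tag-and-locate: a record belongs to the requester if either identifier matches."""
    if rec.get("email", "").lower() == req.email.lower():
        return True
    return bool(req.loyalty_number) and rec.get("loyalty_number") == req.loyalty_number


def exemption(store: str, rec: dict) -> str:
    """Hypothetical exemption rules; a real policy maps each store to its legal basis."""
    if rec.get("legal_hold"):
        return "legal hold"
    if store == "reservations" and rec.get("status") == "upcoming":
        return "needed to fulfil contract"
    return ""


def process(req: DeletionRequest, stores: Dict[str, List[dict]]) -> DeletionRecord:
    """Delete matching records in place, keep exempt ones, and return the audit record."""
    deleted: Dict[str, int] = {}
    retained: Dict[str, str] = {}
    for name, records in stores.items():
        keep = []
        for rec in records:
            if not matches(rec, req):
                keep.append(rec)
            elif (reason := exemption(name, rec)):
                retained[name] = reason
                keep.append(rec)
            else:
                deleted[name] = deleted.get(name, 0) + 1
        records[:] = keep
    return DeletionRecord(req.request_id,
                          subject_ref(req.email, req.loyalty_number),
                          req.received + ACK_WINDOW, deleted, retained)


def sample_stores() -> Dict[str, List[dict]]:
    """Constructed data spread across three systems, as in a post-acquisition estate."""
    return {
        "profiles": [{"email": "Guest@example.com", "loyalty_number": "L100"},
                     {"email": "other@example.com", "loyalty_number": "L200"}],
        "reservations": [{"loyalty_number": "L100", "status": "completed"},
                         {"loyalty_number": "L100", "status": "upcoming"}],
        "marketing": [{"email": "guest@example.com", "legal_hold": True}],
    }


if __name__ == "__main__":
    stores = sample_stores()
    record = process(DeletionRequest("R-1", "guest@example.com", "L100"), stores)
    print(record)
    print(stores)
```

Two design choices matter more than the plumbing. The exemption check runs per record, not per store, so a completed stay can be deleted while an upcoming one is kept under the contract exemption; and the audit record carries an HMAC of the identifiers rather than the email address, so the very log that proves deletion happened does not quietly become another copy of the data.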

The more rights consumers get to delete their data, the more it might restore trust in an online ecosystem that has badly failed them. Companies that prepare for this eventuality now will do more than ensure they can comply with that specific rule; they’ll be levelling up data governance in a world that sorely needs it.
