As I noted yesterday, there have been at least three potential class action lawsuits against rent-to-own companies that used DesignerWare LLC software that, unbeknownst to consumers, remotely activated webcam images of individuals in their homes and in what might be sensitive or embarrassing situations.
One of the allegations in one of the lawsuits, however, made me take another look at the FTC’s consent orders in their case. Nowhere, it seemed, did the consent orders require the companies to notify consumers that they, their families, or others, had had their images captured and transmitted without their knowledge or consent.
So I contacted the FTC today to ask them whether the FTC could require notification of consumers in such cases if a settlement did not require any admission of guilt.
The FTC responded that they could require notification:
The FTC can require companies to notify consumers, provide redress, etc., even though our orders generally include language that the party does not admit or deny the facts alleged in the complaint. See, e.g., Choicepoint; CVS.
Such decisions, the spokesperson said, are made on a case-by-case basis:
We consider a number of factors, most obviously whether the company has already provided notice of a breach. As another example, we might challenge, say, a deceptive failure to encrypt information as a violation of Section 5, even if there is no evidence of a known breach exploiting that failure.
In this case, FTC staff felt that they had protected consumers because the consent orders required the firms to delete or destroy all the data improperly gathered and transmitted. The agency was also concerned that giving notice could actually harm consumers by disclosing their identities and revealing their default on payments on a rent-to-own contract.
Do you agree with their decision, and should they even have the option to make that decision? If we apply the “Would you want to be told under the circumstances?” approach, there are those who might answer, “Absolutely I would want to be told if my privacy was violated in this way.” Some might also point out that failure to notify might leave many consumers wondering or worrying whether they had been caught on camera in sensitive or compromising activities and that others may have viewed them.
But there’s also an argument to made that consumers might be better off not knowing as what can they really do at that point, other than sue, perhaps? And even suing would be difficult if the order still required data destruction, so I think we’re back to the argument as to whether individuals have a right to be told when they’ve been the victims of a privacy breach and whether the FTC should be including notification provisions for all cases and consumers where there has been an actual breach and not just a potential breach.
What do you think?