A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New York Attorney General in January of 2022, which we described here. And the third is the U.S. Federal Trade Commission, which issued a proposed consent with the current and former owners of CafePress on March 15.
The matter is a bit complex because the FTC consent covers both the former and current operator of the CafePress platform, and involves personal information of customers who purchased personalized merchandise on the CafePress platform as well as personal information (including Social Security Numbers) of merchants that sold goods on the CafePress platform. On September 1, 2020, PlanetArt purchased substantially all the CafePress assets from Residual Pumpkin (the former owner).
According to the FTC complaint, CafePress “failed to provide reasonable security for the Personal Information stored on its network.” Among the practices the FTC listed, CafePress stored personal information, including Social Security Numbers of merchants, in clear, readable text; “failed to reasonably respond to security incidents”; and “created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need.” (emphasis supplied)
The FTC’s complaint also states that, in February of 2019, a hacker took advantage of the security weaknesses and found and exfiltrated personal information stored on the CafePress network, including more than 180,000 unencrypted Social Security numbers as well as millions of unencrypted names, addresses, and security questions and answers. The information was then offered for sale on the dark web. A month later, a third-party researcher contacted CafePress about the theft and demonstrated the security vulnerability. The company fixed the vulnerability but did not notify affected individuals until September of 2019. The company also experienced other security incidents, including malware infections and hacks of merchant accounts. The company was also notified by a foreign government that its data had been sold to “carders.”
In addition, with respect to Privacy Shield, the complaint alleged that the company deactivated user accounts when it received requests from European Union residents to delete information—rather than deleting the information. “Because of this failure to honor deletion requests, information from many consumers who had requested before the February 2019 breach that [former owner] delete their information was exposed in the breach.”
The complaint claimed that the listed practices were unfair or deceptive acts in violation of Section 5 of the Federal Trade Commission Act.
The Proposed Consent
Each of the two defendants entered into separate proposed consents with the FTC. Neither defendant admits or denies the allegations in the complaint. We note that each proposed consent defines “Personal Information” to include not only the information typically used in state security breach notification laws but also “a persistent identifier, such as a customer number held in a ‘cookie,’ a static Internet Protocol (‘IP’) address, a mobile device ID, or processor serial number.” The FTC also proposes to define “consumer” to include “any individual who is, or seeks to become, an employee, officer, or independent contractor of Respondent.” One difference between the two consents is that the former owner has agreed to pay $500,000 to the FTC.
With respect to data retention practices, the proposed consent prohibits each defendant from misrepresenting “information deletion and retention practices.” Each defendant would also be required, within 60 days, to establish a comprehensive information security program that includes policies and procedures “to minimize data collection, storage, and retention, including data deletion or retention policies and procedures.” The 20-year proposed consent also includes compliance monitoring, third party assessments, and reporting to the FTC.
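Two of the failures described above are mechanical rather than legal: records were kept indefinitely because no retention period had ever been assigned to them, and deletion requests were “honored” by flipping an account to deactivated while the data stayed on the network. The following is an added illustration (not CafePress’s code, and not anything the FTC order prescribes) of the minimal control a retention policy of the kind the consent requires would need: a documented retention period per data category, a sweep that hard-deletes records past that period or subject to a deletion request, and a report of any record that has no retention rule at all, since that is exactly the “no business need” data that accumulates forever. The record layout, the category names, and the `RETENTION_DAYS` schedule are hypothetical and the sample records are constructed.

```python
"""Toy retention-policy enforcer (added illustration, not CafePress code).

Assumptions (all hypothetical): a record carries a data category, the
timestamp of its last business use, and an optional deletion-request flag;
the policy maps each category to the maximum number of days a record may
be kept after its last use. A category missing from the policy has no
documented business need for retention, so its records are reported as a
policy gap rather than silently kept indefinitely.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: days after last business use.
RETENTION_DAYS = {
    "order": 365 * 7,            # e.g. accounting/tax retention
    "merchant_tax_id": 365 * 4,  # e.g. SSN/TIN kept only while reporting applies
    "security_qa": 365,          # security questions and answers
}


@dataclass
class Record:
    record_id: str
    category: str
    last_used: datetime
    deletion_requested: bool = False
    deleted: bool = False  # a real deletion, not a "deactivated" status


@dataclass
class Result:
    deleted: list = field(default_factory=list)
    kept: list = field(default_factory=list)
    unclassified: list = field(default_factory=list)  # no retention rule exists


def enforce_retention(records, now, policy=RETENTION_DAYS):
    """Delete records past their retention period or subject to a deletion
    request; report records that have no retention rule instead of keeping
    them forever. Returns a Result listing the record ids in each bucket."""
    result = Result()
    for rec in records:
        if rec.deleted:
            continue  # already gone; nothing to re-evaluate
        if rec.deletion_requested:
            # Honour the request with an actual deletion, not a status flag.
            rec.deleted = True
            result.deleted.append(rec.record_id)
            continue
        limit = policy.get(rec.category)
        if limit is None:
            # No documented business need: this is the over-retention case.
            result.unclassified.append(rec.record_id)
            continue
        if now - rec.last_used > timedelta(days=limit):
            rec.deleted = True
            result.deleted.append(rec.record_id)
        else:
            result.kept.append(rec.record_id)
    return result


def sample_records(now):
    """Constructed sample data for the demonstration."""
    day = timedelta(days=1)
    return [
        Record("o1", "order", now - 100 * day),
        Record("o2", "order", now - 3000 * day),
        Record("m1", "merchant_tax_id", now - 2000 * day),
        Record("q1", "security_qa", now - 10 * day, deletion_requested=True),
        Record("x1", "marketing_export", now - 5 * day),  # no rule defined
    ]


def run_demo():
    """Run one sweep over the constructed sample at a fixed 'now'."""
    now = datetime(2022, 3, 15, tzinfo=timezone.utc)
    return enforce_retention(sample_records(now), now)


if __name__ == "__main__":
    res = run_demo()
    print("deleted:", res.deleted)
    print("kept:", res.kept)
    print("no retention rule (policy gap):", res.unclassified)
```

The `unclassified` bucket is the part worth keeping in a real program: a sweep that only deletes what it has a rule for will quietly leave every unclassified table untouched, which is how data ends up stored “indefinitely without a business need.” Reporting those records gives the framework a measurable backlog and a path to completion, even where the actual disposition has to wait.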
Comments must be received by the FTC on or before April 21, 2022.
Clearly, the FTC alleged significant failings in CafePress’s data security program. As we noted at the top, the FTC joins a growing list of regulators who are purposefully emphasizing the over-retention of data as its own independent privacy failure and a reason for the $500,000 payment. Although one could argue that some of the other failures were more egregious from a privacy perspective than over-retention, it does appear that the FTC may be setting up future matters in which it can rely on over-retention by itself as a reason to fine an organization.
Critically, it was not merely that CafePress had over-retained personal information, but that it had no plan to remediate the issue and, in fact, was indefinitely retaining data for no business purpose. The FTC’s complaint alleges that this degree of over-retention runs counter to CafePress’s pledge to use “the best and most accepted methods and technologies” to secure its customers’ data. Even where substantial data disposition in the near term is difficult or impossible, companies can put themselves in a better position by having a working framework and a path to substantial completion.