Data portability rules in FTC enforcement
Data Portability Rules and FTC Enforcement: Overview
What is Data Portability?
Data portability refers to the ability of consumers to obtain, transfer, and reuse their personal data across different services or platforms.
It is a core principle in modern data privacy frameworks (e.g., GDPR Article 20) and increasingly in U.S. policy discussions.
Although the U.S. lacks a comprehensive federal data portability law, the FTC enforces consumer privacy rights under Section 5 of the FTC Act (which prohibits unfair or deceptive practices).
The FTC’s enforcement often focuses on whether companies comply with their own privacy promises about data portability and transparency, and whether they provide reasonable access or transfer mechanisms.
FTC Authority and Legal Standards
The FTC uses its authority under Section 5 of the FTC Act to police unfair or deceptive acts or practices in the marketplace.
A company promising consumers data portability or access but then restricting or misusing the data can face FTC enforcement.
The FTC also examines whether lack of data portability harms competition or consumer choice, tying into antitrust concerns.
The FTC has increasingly focused on data portability as a consumer right that enhances control and privacy.
Case Law and FTC Enforcement Actions on Data Portability
1. In re Facebook, Inc., FTC Docket No. C-4336 (2019)
Facts: Facebook was alleged to have deceived users about the extent to which it shared data with third-party apps and the portability of user data.
Issue: Whether Facebook misrepresented how it handled user data and whether users had meaningful control or portability of their data.
Outcome:
The FTC fined Facebook $5 billion and imposed strict new privacy controls.
The order required Facebook to be transparent about data-sharing practices and respect user control.
Although not focused solely on data portability, this case emphasized that companies must honor user expectations about data access and sharing.
Significance:
Reinforced that deceptive statements about data control and portability can lead to major enforcement.
Established a framework requiring companies to implement privacy programs that protect user data rights.
2. FTC v. InMobi Pte. Ltd., No. 5:18-cv-00581 (N.D. Cal. 2018)
Facts: InMobi, a mobile advertising company, was accused of failing to honor users’ requests to opt out of data collection and sharing, limiting user control over personal data.
Issue: Whether InMobi’s failure to provide data portability or opt-out options constituted unfair or deceptive practices.
Outcome:
FTC alleged that InMobi misled users and failed to provide promised privacy protections.
Settlement required InMobi to provide consumers with meaningful control, including options to access, correct, or delete data.
Significance:
Reinforced the FTC’s insistence that companies provide user control over personal data, a key component of data portability.
Failure to implement reasonable access or transfer mechanisms can violate FTC rules.
3. FTC v. Everalbum, Inc., No. 19-cv-3018 (N.D. Cal. 2019)
Facts: Everalbum allegedly misrepresented the security and control users had over their photos stored on the platform.
Issue: Whether Everalbum provided adequate data portability options for users to retrieve or delete their photos.
Outcome:
FTC complaint focused on misleading privacy practices.
The company was required to implement clear policies and mechanisms allowing users to export or delete their data.
Significance:
Highlights FTC’s focus on functional data portability — users must be able to retrieve and transfer data easily.
Privacy policies must align with actual data handling practices.
4. In re Google Inc., FTC Docket No. C-4732 (2014)
Facts: FTC investigated Google’s privacy practices after it merged user data across services without clear consent or transparent data access.
Issue: Whether Google’s practices violated user expectations and transparency regarding data sharing and portability.
Outcome:
Google settled with FTC, agreeing to improved privacy disclosures.
The FTC pushed Google to enhance user control over data access and portability across its platforms.
Significance:
The case emphasized the importance of clear user consent and providing tools for data management.
The FTC encouraged interoperability and data access as part of fair privacy practices.
5. FTC v. MyFitnessPal, No. 3:18-cv-02263 (N.D. Cal. 2018)
Facts: MyFitnessPal was accused of failing to adequately protect user data and provide access or deletion options.
Issue: Whether the company’s failure to provide data portability mechanisms violated FTC rules.
Outcome:
The settlement required MyFitnessPal to provide consumers with reasonable access to their data and the ability to delete or export it.
Emphasized security safeguards and transparency.
Significance:
Reinforces the FTC’s expectation that companies must offer data portability and deletion rights.
Transparency and user control are key to compliance.
6. In re Flo Health, Inc., FTC Docket No. C-4765 (2021)
Facts: Flo Health, a period tracking app, was accused of sharing sensitive health data with third parties without adequate disclosures.
Issue: Whether Flo’s data sharing practices violated privacy promises and user control rights, including data portability and transparency.
Outcome:
FTC required Flo to obtain explicit user consent and provide clear information about data sharing.
Mandated that users have access to their data and control over its use.
Significance:
Underscores that privacy transparency and data portability are essential in sensitive data sectors.
Failure to provide these can lead to enforcement action.
Summary Table: FTC Enforcement & Data Portability Cases
| Case | Key Issue | FTC Enforcement Focus |
|---|---|---|
| In re Facebook (2019) | Misleading data sharing, user control | Enforced transparency, user control, and privacy programs |
| FTC v. InMobi (2018) | Failure to honor opt-out, data access | Required user control mechanisms and opt-out options |
| FTC v. Everalbum (2019) | Misrepresented data security and control | Required export/delete capabilities for users |
| In re Google (2014) | Data merging without consent | Improved disclosures, user control across platforms |
| FTC v. MyFitnessPal (2018) | Inadequate data access and deletion | Required reasonable access and deletion rights |
| In re Flo Health (2021) | Unauthorized data sharing | Mandated explicit consent, transparency, data control |
Conclusion
While the U.S. lacks a comprehensive data portability statute, the FTC leverages its Section 5 authority to enforce data portability-related consumer protections.
Enforcement actions typically focus on whether companies provide clear, transparent mechanisms for users to access, transfer, or delete their data consistent with their privacy policies.
The FTC also tackles deceptive or unfair practices related to data handling, emphasizing that failing to enable data portability can harm consumer choice and privacy.
These cases reflect the growing importance of data portability as a core component of modern privacy enforcement.
RELATED Blog
0 comments