Big data breaches bring big settlements. Sometimes they also bring novel regulatory settlement terms.
Last week, my new counterpart, IAPP Cybersecurity Law Center Managing Director James Dempsey, drew attention to some unique terms in Marriott's draft settlement with the U.S. Federal Trade Commission.
The FTC's draft consent order indeed continues the steady march toward a refinement of data minimization requirements in both privacy and cybersecurity matters, which has been a trend at the agency for years. Dempsey is also right to observe what may be a first-of-its-kind requirement for Marriott to respect certain deletion requests from consumers across the U.S.
In addition to the terms within the order itself, the settlement is notable for its simultaneous release alongside a coordinated multistate settlement between Marriott and 50 U.S. attorneys general.
Minimization at its maximum
When reviewed together, the FTC and multistate settlements reiterate the growing regulatory focus on data minimization throughout the personal data life cycle as a core principle of privacy and cybersecurity. The FTC and state attorneys general have a fondness for minimization, as most directly explored in the joint comment submitted by 33 state attorneys general to the FTC's advance notice of proposed rulemaking on commercial surveillance and data security.
In this light, the novel deletion requirement in the settlements is simply one more step on the path toward explicit, granular and prescriptive data minimization rules for companies that run afoul of U.S. privacy enforcers.
As an operational concept, data minimization can be somewhat broad and confusing. It encompasses data protection practices at each step of processing personal data, including collection limitation, purpose specification, retention policies and robust deletion mechanisms.
The Marriott settlements include requirements that apply at each of these stages.
Legitimate business need
Once the draft orders are finalized, Marriott will find itself under a decades-long obligation to build and maintain a robust information security program. As one part of this, the multistate settlement requires Marriott to "incorporate written policies and procedures that are modified as appropriate to require reasonable efforts to collect, use, share, and retain personal information to the minimum extent necessary to satisfy legitimate business need or legal requirements."
In a couple of ways, this language seems more restrictive than the usual state law requirements for data minimization, or even prior similar settlements.
For one, while the principle of purpose limitation generally requires processing to be consistent with a "business purpose," here the company is required to document that its stated business need is "legitimate." The addition of a single modifier may seem small, but if a legislature incorporated such a change, it would certainly signal a stronger standard for documenting reasonable purposes of data collection and use.
The FTC retention term is different, requiring instead a "specific business need." As in other similar FTC settlements, Marriott will be required to disclose in its terms of use or privacy policy the purpose for which the personal information is collected along with the specific business need for retaining it.
But the FTC, too, mentions a "legitimate business need" as an exception to the requirement to destroy data once it no longer meets the above requirements. Alongside other exceptions, such as legal obligations, the company need not destroy personal information for which it has "documented legitimate business needs, except for marketing."
Marketing alone cannot override the company's retention obligations.
Minimum extent necessary
The requirement to limit collection, use, sharing and retention of personal data to the minimum extent necessary appears in the state attorney general settlements but not in the FTC analogue. As far as I can tell, this is novel language.
A similar concept exists in the health privacy context. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies a "minimum necessary" standard to covered entities and their business associates when they use or disclose protected health information.
This term is also reminiscent of, though perhaps more restrictive than, state law requirements. For example, under Colorado's implementing regulations for its comprehensive consumer privacy law, companies must "carefully consider each Processing purpose and determine the minimum Personal Data that is necessary, adequate, or relevant for the express purpose or purposes."
Arguably, a requirement for processing to be necessary, adequate or relevant provides three times as many options as a single "necessary" term. And that's not to mention the difference between "necessary" and the "minimum extent necessary." Documentation of processing decisions will likely need to be detailed and explicit in concluding that the chosen approach is the minimum alternative for processing personal data.
A taste of a nationwide right to deletion
Depending on which state privacy laws are in effect at a given moment in the near future, a company may need to honor requests to delete personal data from consumers located in anywhere from seven to 20 U.S. states.
Though similar rights are included in every major federal privacy proposal, and many companies voluntarily extend these rights to U.S. consumers regardless of jurisdiction, there is still no federal deletion requirement that applies to general personal information.
Under the multistate and FTC consent orders, Marriott will soon be under an obligation to honor deletion requests associated with an email address or rewards number within 60 days.
Outside of the general data minimization requirement, the Marriott settlement falls short of requiring the company to proactively delete personal information of consumers, as some other FTC settlements have required. But the ongoing obligation to respect deletion requests from all U.S. consumers is a novel and notable rule.
Fittingly, the FTC consent order places this requirement in the same "data handling" section as the rest of its data minimization terms. You can think of consumer-requested deletion as the icing on the cake of a robust data minimization policy — superseding any otherwise applicable retention policies.
Policies and procedures for deletion will always need to be backed by robust technical mechanisms that effect the actual removal of personal data from every system where it is stored. But the difficulties of actual data deletion will have to be a subject for another day.
Please send feedback, updates and deletion requests to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.