The FTC-Drizly Saga Sends a Stark Reminder to Marketers to Limit Data Collection to What Is Necessary

In a new proposed settlement, the online liquor company Drizly plans to settle with the Federal Trade Commission (FTC) over a data breach that exposed the information of 2.5 million people in 2020. Under the settlement, Drizly is required to destroy unnecessary data and limit future data collection. Going a step further, it requires its CEO, James Cory Rellas, to implement an information security program, even if he moves to future companies where he is a majority owner, CEO or senior officer with information security responsibilities. The agency said Rellas and Drizly—acquired by Uber for 1.1 billion in 2021—were informed about its lax security practices two years prior to the breach. “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “CEOs who take shortcuts on security should take note.” A Marketer's Guide to the Key Differences Between the Statewide Privacy Laws In the absence of a federal privacy law, FTC chairperson Lina Khan has made it clear that her approach to consumer protection enforcement is to use every tool at the FTC’s disposal to ensure that companies are aligned with privacy and data security practices. Although state-wide privacy laws are on the horizon, states such as California and Colorado are yet to finalize their final drafts, making it unclear what the extent of data minimization practices would be for businesses. Still, this settlement is a reminder for marketers to work closely with privacy professionals while assessing foundational data security practices to avoid such breaches. A settlement of this nature—going after the CEO for a data breach—is not unheard of for the FTC. Most famously, the FTC was divided as to whether to specifically name Mark Zuckerberg in its penalization of Facebook in the Cambridge Analytica scandal, ultimately deciding not to. However, the fact that the conditions will follow Rellas to other companies, plus ordering Drizly to implement data minimization, the process of limiting the collection of personal information to what is directly relevant and for only as long as necessary, is less usual, according to Cobun Zweifel-Keegan, managing director, Washington, D.C. for The International Association of Privacy Professionals (IAPP). “What we’ve usually seen in the past was a requirement to implement the security program," he said. "What we're seeing here is also a focus on data minimization." The proposed order, subject to a 30-day public comment period before the agency finalizes its decision, requires Drizly to make a list of the data that it collects, such as names, email addresses, similar personal information and explicitly outline the business purposes of collecting such data. The company is required to “delete all data that it can't make a good business case for,” said Keegan. In Drizly's case, this could be collecting people's locations at all times beyond just delivery orders, or the app developer collecting information on all the apps on a person's phone in return for its service. This means destroying unnecessary data. The company is also required to document and report to the agency on what data it destroyed. A Marketer's Guide to the Key Differences Between the Statewide Privacy Laws To that, the company is required to refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in its retention schedule. It must detail the information it collects and why such data collection is necessary and make it publicly available on its website. Lastly, Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data. This comes as an important signal, especially for marketers who rely on the collection of personal information to deliver its products and services, Keegan told Adweek. Meanwhile, chair Khan and the Democratic commissioners at the FTC have indicated they are willing to enforce data minimization as a best practice for privacy and security. “This is indicative of the types of settlements we're likely to see in the future from this FTC,” said Keegan.