FTC's New Embrace of Right-to-Delete Policies in the Wake of Marriott’s Data Breach Settlement

The Federal Trade Commission’s (FTC) recent draft settlement with Marriott International Inc. marks a significant step in addressing consumer data privacy through “right-to-delete” policies. This shift from the traditional notice-and-choice model underscores the FTC’s commitment to empowering consumers in managing their data amidst a landscape of rising state-level privacy laws. The FTC’s settlement, which follows a series of Marriott data breaches affecting millions, represents a new paradigm in data privacy compliance, with far-reaching implications for businesses nationwide. 

Jon Leibowitz, Former Chairman of the FTC, told Truyo, “This settlement could mark a crucial shift for businesses and the FTC. For companies, it reinforces the need to take data privacy seriously by implementing clear and accessible data deletion options for consumers. For the FTC, it represents a step toward shaping national privacy standards in the absence of federal legislation that may or may not gain ground next Congress. Moving forward, businesses that proactively adopt right-to-delete practices are likely to be better positioned, both in compliance and in building consumer trust, in a world where data privacy is paramount.” 

The FTC’s Right to Delete Shift 

The right-to-delete framework marks a departure from the FTC’s historical approach to data privacy. Traditionally, the FTC relied on a notice-and-choice model, allowing consumers to decide whether to engage based on provided terms and policies. However, the Marriott case pivots toward a more active responsibility on businesses to manage and, when requested, delete consumer data. 

  • Consumer Empowerment: Consumers can request deletion of personal data, increasing control over their digital footprint. 
  • Compliance Obligation: Companies must ensure they can respond to data deletion requests, highlighting the need for comprehensive data tracking and management systems. 

This shift signifies that companies must reassess their data collection and retention practices, particularly as the right-to-delete trend spreads through various state laws. 

Rise of Right-to-Delete Policies in State Legislation 

The FTC’s adoption of right-to-delete policies reflects a broader trend in U.S. state laws. Currently, 20 states have enacted data privacy laws with provisions for data deletion, including California, Colorado, and Delaware. By 2025, multiple states will enforce these laws, requiring companies to adapt quickly to avoid regulatory pitfalls.

Compliance Challenges Across States 

Managing compliance with a patchwork of state laws poses significant challenges for companies operating across the U.S. Each state’s law can have nuanced differences in defining “personally identifiable information,” complicating compliance. For instance: 

  • Data Scope Variability: Information such as Social Security numbers is universally identifiable, but other identifiers like network addresses may be ambiguous. 
  • Patchwork Problem: Privacy advocates urge states to standardize laws to streamline compliance, reducing the burden on companies. 

Without a unified federal law, companies must keep abreast of state-specific requirements to ensure robust data protection measures across their operations. 

Marriott Settlement’s Implications for Businesses  

The Marriott settlement provides a blueprint for how the FTC may enforce right-to-delete policies going forward. Marriott’s draft consent order requires the company to offer a link through which U.S. customers can request deletion of the data linked to their email addresses or loyalty accounts. This requirement aligns with broader FTC enforcement trends targeting companies that experience data breaches.

Lessons for Businesses 

The Marriott settlement offers several critical insights for businesses aiming to comply with evolving data privacy standards: 

  • Data Collection Minimization: The FTC’s guidance urges companies to collect only necessary data. Minimizing data reduces exposure to cyber threats, as malicious actors cannot steal data that does not exist. 
  • Data Mapping: Understanding data pathways—how data enters, flows through, and is stored within the organization—is essential for effective data deletion. 
  • Collaborative Efforts: Legal and technical teams must work closely to create a deletion process that prevents data reintroduction and maintains consistency across databases. 

Technical and Operational Hurdles in Data Deletion

Implementing a right-to-delete policy involves significant operational challenges. Companies, especially larger ones with global operations, may find data deletion complex due to data silos and varying data formats. 

Key Technical Challenges

  • Data Mapping and Process Understanding: Companies need a clear understanding of data sources and storage points, especially when data flows through multiple systems and departments. 
  • Reintroduction Prevention: Ensuring deleted data does not reappear due to system redundancies is vital. Inconsistent deletion practices can lead to data re-emergence, undermining compliance efforts. 
  • Marketing Implications: For some companies, data deletion may limit their ability to reach dormant customers or effectively target marketing efforts, impacting customer retention strategies.

To meet these challenges, companies may need to invest in data management tools that automate deletion and ensure compliance with both state and federal requirements.  

Future of Data Privacy in the U.S. 

The FTC’s draft settlement with Marriott marks a pivotal step in the evolution of data privacy regulation in the U.S. This case signals a growing emphasis on consumer rights and a shift from passive data management models toward active compliance measures, such as right-to-delete policies. As state laws continue to expand on data privacy rights, companies must adapt by minimizing unnecessary data collection, enhancing data mapping, and ensuring rigorous deletion processes. With federal standards potentially on the horizon, the Marriott case offers a clear warning: companies need to proactively address data privacy to safeguard consumer trust and mitigate the risk of regulatory repercussions.

To learn how Truyo can help you manage right-to-delete requests, reach out to hello@truyo.com or visit our website to learn about our automated approach to DSAR requests.


Author

Dan Clarke
President, Truyo
November 14, 2024
