Comments of EPIC in re the Federal Trade Commission’s Proposed Order & Settlement With Chegg, Inc.

Dear Chair Khan and Commissioners Slaughter, Wilson, and Bedoya,

By notice published November 14, 2022, the Federal Trade Commission (FTC) announced its proposed consent order and settlement with Chegg, Inc., for Chegg’s alleged violations of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), prohibiting unfair or deceptive acts or practices.[1] The proposed consent order with Chegg is the result of the FTC’s two-count complaint alleging that Chegg failed to reasonably safeguard consumers’ personal information and misrepresented to consumers that it was taking reasonable steps to protect their personal information.[2]

The Electronic Privacy Information Center (EPIC) submits this letter in support of the proposed consent order. EPIC is a public interest research center in Washington, D.C. established in 1994 to focus on public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC routinely files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights.[3]

EPIC commends the Commission for using its authority to investigate and take enforcement actions against companies like Chegg engaged in unfair and deceptive practices, especially where insufficient protections for personal information are involved. Chegg collects and stores a tremendous breadth of personal information. From employee data to consumer information necessary to search for scholarship opportunities, millions of users have provided Chegg “with their religious denominations, heritages, dates of birth, parents’ income ranges, sexual orientations, and disabilities. In addition, [Chegg] collects Social Security numbers, financial account information, and other personal information from its employees.”[4] Although Chegg represented to consumers that it was keeping their information safe, Chegg’s information security practices were inadequate, resulting in multiple infiltrations by hackers.[5]

Use of Unfairness Authority

EPIC applauds the Commission’s use of its Section 5 unfairness authority against Chegg and encourages the Commission to continue expanding its use of that authority as a check on harmful privacy and data security practices. The Commission’s unfairness authority allows the FTC to stop and penalize commercial practices that (1) cause substantial injury, (2) are not outweighed by any countervailing benefits to consumers or competition, and (3) consumers cannot reasonably avoid.[6] Generally, the goal of the unfairness authority is to maintain the “free exercise of consumer decision-making.”[7] The Commission’s unfairness authority can be a potent tool in the privacy and data security context.[8] Privacy violations that result in substantial injury can impact both consumers individually and society broadly.

Chegg’s failure to implement “relatively low-cost security measures”[9] caused substantial injury through the resulting security breaches. Chegg’s “profound lack of diligence”[10] and basic security measures left consumers’ personal data vulnerable for hackers to access. Moreover, Chegg’s inadequate information security practices were not outweighed by benefits to consumers or to competition. Consumers also could not reasonably avoid the harm because, as noted in the second count of the complaint, Chegg “misrepresented to consumers that it took reasonable steps to protect their personal information.”[11] Where consumers have no reason to anticipate harm, “there [i]s no occasion for the consumers even to consider taking steps to avoid it.”[12]

EPIC encourages the Commission to continue building on its use of unfairness authority as a basis for privacy and data security enforcement actions.

Inclusion of Access and Deletion Rights and Data Minimization

EPIC commends the Commission’s incorporation of access and deletion rights into the proposed consent order. The proposed consent order would require Chegg to “[p]rovide a Clear and Conspicuous link on the homepage and initial login page of [its] websites directing consumers to an online form through which they can request access to or the deletion of their Covered Information.”[13] Including access and deletion rights in consent decrees is an encouraging step toward securing meaningful transparency and consumer control in the processing of personal data. EPIC’s recent comments responding to the FTC Commercial Surveillance Advanced Notice of Proposed Rulemaking highlight the important role of access and deletion rights.[14] Access and deletion rights work in tandem with data minimization safeguards to enhance consumer privacy and data security.

It is encouraging that the proposed order also requires Chegg to integrate data minimization into its information security program. The proposed order states that Chegg’s information security program must incorporate “[p]olicies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies or procedures.”[15] The Commission should continue to center data minimization in future consent orders involving privacy and data security.

Finally, as EPIC has stated previously, we urge the Commission to incorporate these same access and deletion rights and data minimization safeguards into its trade rule(s) on commercial surveillance. Establishing these baseline standards would provide meaningful protection for consumers’ personal information and clear guidance to firms as to how they must secure consumer privacy.[16]

Conclusion

EPIC urges the Commission to finalize the proposed Chegg consent order. Additionally, EPIC encourages the Commission to (1) build on its use of unfairness authority in privacy and data security matters and (2) continue centering data rights and data minimization in future enforcement actions and regulations. Please feel free to reach out to EPIC Law Fellow Suzanne Bernstein at [email protected] if you have any questions.

Sincerely,

/s/ John Davisson 
EPIC Director of Litigation &
Senior Counsel

/s/ Suzanne Bernstein 
EPIC Law Fellow 

[1] Chegg, Inc.; Analysis of Proposed Consent Order to Aid Public, 87 Fed. Reg. 68,157 (Nov. 14, 2022), https://www.federalregister.gov/documents/2022/11/14/2022-24690/chegg-inc-analysis-of-proposed-consent-order-to-aid-public-comment [hereinafter Federal Register Notice].

[2] Id.; Chegg, Inc. Complaint, In the Matter of Chegg, Inc., FTC File No. 202-3151 (2022), https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf.

[3] See, e.g., Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf; Comments of EPIC, In re CafePress, File No. 192-3209 (2022), https://epic.org/wp-content/uploads/2022/04/EPIC-comments-in-re-cafepress.pdf; Comments of EPIC, In re Matter of Support King, LLC (SpyFone.com), FTC File No. 192-3003 (2021), https://archive.epic.org/apa/comments/In-re-SpyFone-Order-EPIC-comment-100821.pdf; Comments of EPIC et al., In re Zoom Video Communications, Inc., FTC File No. 192-3167 (2020), https://epic.org/apa/comments/EPIC-FTC-Zoom-Dec2020.pdf; Complaint of EPIC, In re Online Test Proctoring Companies (Dec. 9, 2020), https://epic.org/wp-content/uploads/privacy/dccppa/online-test-proctoring/EPIC-complaint-in-re-online-test-proctoring-companies-12-09-20.pdf; Complaint of EPIC, In re Airbnb (Feb. 26, 2020), https://epic.org/privacy/ftc/airbnb/EPIC_FTC_Airbnb_Complaint_Feb2020.pdf; Complaint of EPIC, In re HireVue (Nov. 6, 2019), https://epic.org/privacy/ftc/hirevue/EPIC_FTC_HireVue_Complaint.pdf; Comments of EPIC, In re Unrollme, Inc., FTC File No. 172-3139 (2019), https://epic.org/apa/comments/EPICFTC-Unrollme-Sept2019.pdf; Comments of EPIC, In re Aleksandr Kogan and Alexander Nix, FTC File Nos. 182-3106 & 182-3107 (2019), https://epic.org/apa/comments/EPIC-FTCCambridgeAnalytica-Sept2019.pdf; EPIC, Comments on Standards for Safeguarding Customer Information, Docket No. 2019-04981 (Aug. 1, 2019), https://epic.org/apa/comments/EPIC-FTC-Safeguards-Aug2019.pdf; Complaint of EPIC, In re Zoom Video Commc’ns, Inc. (July 11, 2019), https://epic.org/privacy/ftc/zoomEPIC-FTC-Complaint-In-re-Zoom-7-19.pdf.

[4] Federal Register Notice, supra note 1.

[5] Id.

[6] 15 U.S.C. § 45(n); see also FTC, Policy Statement on Unfairness (1980), https://www.ftc.gov/legal-library/browse/ftc-policystatement-unfairness.

[7] See Calli Schroeder & Cobun Keegan, Unpacking Unfairness: The FTC’s Evolving Measures of Privacy Harms, 15 J. L. Econ. & Pol’y 1, 27 (2018), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4204208.

[8] See Id. at 20 (“The relative dearth of unfairness cases in the FTC’s data privacy cases shows that there is room for an expanded role for unfairness enforcement at the FTC.”).

[9] Federal Register Notice, supra note 1.

[10] FTC v. Neovi, Inc., 604 F.3d 1150, 1153 (9^th Cir. 2010).

[11] Federal Register Notice, supra note 1.

[12] Orkin Exterminating Co., Inc. v. FTC, 849 F.2d 1354, 1365 (11th Cir. 1988).

[13] Chegg Inc. Decision and Proposed Order, In the Matter of Chegg, Inc., FTC File No. 2023151 at 7 (2022), https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Decision-and-Order.pdf[hereinafter Proposed Order]. See also FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 245-46 (3rd Cir. 2015) (holding that consumers could not have reasonably avoided harm from the hotel chain’s poor security practices where the privacy policy overstated the efficacy of those practices).

[14] Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security 3 (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf (“[T]he Commission should require businesses to promptly honor an individual’s request to access all data the business maintains on them; to have such data corrected if it is in error; or to secure the deletion of all such data.”).

[15] Proposed Order, supra note 13 at 9.

[16] See Consumer Reports & EPIC, How the FTC Can Mandate Data Minimization Through a Section 5 Unfairness Rulemaking (Jan. 26, 2022), https://epic.org/wp-content/uploads/2022/01/CR_Epic_ FTCDataMinimization_012522_VF_.pdf.