On August 30, 2024, the Federal Trade Commission (FTC) announced a proposed order against security camera firm Verkada, requiring the company to implement a comprehensive information security program following a significant data breach. Notably, this case also marks a rare enforcement action under the CAN-SPAM Act, which regulates commercial emails.

The FTC’s proposed order must be approved by a federal judge before it goes into effect, but the action is a strong reminder for businesses to review their compliance with CAN-SPAM and data security laws.

Key Points

  • Record CAN-SPAM Penalty: Verkada is required to pay a $2.95 million fine for violating the CAN-SPAM Act, the largest penalty the FTC has ever imposed for such violations. Verkada was accused of sending commercial emails without proper unsubscribe options, violating key aspects of the law.
  • CAN-SPAM Compliance Requirements: Businesses should ensure their marketing emails:
    • Include accurate header information.
    • Do not use deceptive subject lines.
    • Clearly identify the message as an advertisement.
    • Provide a valid physical postal address.
    • Offer a clear and easy way to opt out of future emails, and honor opt-out requests promptly.
  • Information Security Failures: The FTC also alleged Verkada failed to implement basic security measures, including unique passwords, encryption, and secure network controls, which enabled a hacker to access sensitive video footage from psychiatric hospitals and women’s health clinics.
  • Misleading Claims About Privacy Practices: Verkada allegedly misled consumers about its adherence to data protection standards, including HIPAA and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. Additionally, the company failed to disclose that some of its positive product reviews were written by employees and a venture capital investor.
  • Ongoing Obligations: The proposed order will require Verkada to undergo regular third-party audits of its security practices and prohibit the company from making false claims about its privacy and data security practices.

Business Implications

This case highlights the FTC’s renewed focus on enforcing CAN-SPAM, a law that many businesses may not prioritize but that carries significant penalties for non-compliance. Fines can reach up to $51,000 per violation, underscoring the importance of meeting the law’s requirements.

In-house counsel should:

  • Set up time with sales and marketing teams to remind them that the FTC is actively enforcing CAN-SPAM.
  • Review CAN-SPAM’s compliance requirements with the business and ensure that all marketing emails include the necessary components.
  • Double-check that all email opt-out mechanisms are functioning and properly handled.

Taking these steps now can help your business avoid costly penalties and maintain compliance.

If your company has questions about CAN-SPAM compliance or would like assistance in reviewing your email marketing practices to ensure they meet federal requirements, we are here to help. Contact the attorney assigned to your account for guidance on how to avoid costly enforcement actions and protect your business. We can also provide sample emails to ensure your templates are compliant.
