On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.
According to the FTC’s complaint, Ring allegedly made false or misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes. In addition, the FTC alleged that Ring gave thousands of employees and contractors unrestricted access to video recordings of customers’ intimate spaces (e.g., bathrooms, bedrooms and children’s nurseries) without customers’ knowledge or consent. Ring’s privacy disclosures allegedly included descriptions of Ring’s use of recordings for product improvement and development, but these were “buried” in terms that were “dense with legalese” and failed to adequately obtain consumers’ consent for the “invasive review of highly sensitive” video data. Only in January 2018 did Ring allegedly take steps to obtain consumers’ consent, “limiting research and development to videos publicly posted on the Internet or for which employees, contractors, and their friends and family had given their written consent for such use on a document that clearly informed the consumer of Ring’s review of their video data.”
Ring also allegedly failed to provide reasonable security to prevent unauthorized access to the live feeds and stored videos of its cameras, which Ring offered to consumers for the purpose of monitoring and securing private areas of their homes. In particular, Ring allegedly failed to appreciate and control for credential stuffing and brute force attacks by using measures such as requiring a unique, strong, complex password; notifying users of suspicious logins; monitoring and notifying users of concurrent sessions; rate limiting; checking that passwords device owners try to set do not reuse breached passwords; and multi-factor authentication.
The FTC’s proposed order would require Ring to (1) pay $5.8 million; (2) delete recordings that were reviewed and annotated by employees or contractors for research and development purposes, and any models or algorithms developed from such review and annotation; (3) establish and implement for 20 years a “comprehensive privacy and data security program” that includes, among other items, documented safeguards and controls, periodic monitoring and testing, and contractual requirements for service providers; (4) obtain initial and biennial third-party assessments of the mandated privacy and data security program; and (5) provide a certification of compliance with the order from Ring’s CEO or other principal executive officer.