$1.6M Ashley Madison settlement sees unprecedented cooperation between FTC, foreign data protection authorities

Concluding an investigation that involved unprecedented international cooperation, the U.S. Federal Trade Commission announced on Wednesday that infidelity-focused dating website AshleyMadison.com will settle charges in connection with a massive July 2015 user data breach.

As part of the settlement, the Toronto-based company will pay a fine of $1.6 million, commit to implementing a comprehensive data security program, and will be subject to third-party assessments.

In addition to being one of the largest data security cases the FTC has ever addressed, this settlement is notable for the level of cooperation between international data protection agencies. The Federal Trade Commission worked extensively with the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner in coordinating both the investigation and settlement.

The Ashley Madison case marks one of the first times the FTC has cooperated so broadly with international data protection agencies. In doing so, the FTC relied on provisions of the U.S. SAFE WEB Act, allowing the commission to share information with foreign counterparts to combat deceptive and unfair practices that cross national borders.

FTC Chairwoman Edith Ramirez noted that the cooperation allowed the agencies to gather more comprehensive information and made the investigation more efficient, adding that “we will continue to build on this cooperation.”

Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada echoed the sentiment, calling it “imperative” that regulators around the world work together to ensure the privacy rights of citizens, irrespective of their home country.

“Collective action sends a strong message to all companies that safeguarding information is important, and that deceptive actions are not tolerated,” Therrien said.

When asked if the pending change in FTC leadership would affect the climate for international cooperation, Ramirez noted that the issue of data security has bipartisan support in the commission, and that it is likely that international cooperation will happen increasingly going forward.

The $1.6 million settlement does not include restitution for those harmed — the FTC intended it solely as punishment to ensure that Ashley Madison does not profit from haphazard security measures regarding user privacy.

The FTC initially sought some $17.5 million, but Ashley Madison was unable to pay such a large sum, which led to the fine being reduced. However, the penalty does come with a so-called “avalanche clause,” allowing the FTC to seek the full amount if the commission were to discover that Ashley Madison officials were dishonest about the company’s financial position.