In October 2022, a series of regulatory and legal decisions came to light which seemed to signal a substantial change in how privacy and cybersecurity risks were going to be dealt with in the United States. The Federal Trade Commission (FTC), the primary US agency protecting consumers and fair trade, has recently embraced an aggressive stance towards the protection of consumer privacy. This strong stance has been long anticipated by many in the corporate governance arena, and has also been long overdue. But, while trying to turn the RMS Titanic with a soup spoon may take a while, once the turn begins, it continues to grow and is very difficult to reverse.
On 24 October 2022, the FTC announced that it was taking action against online alcohol marketplace Drizly for failure to properly protect the personal data of 2.5 million of its customers. For Europeans familiar with the European Union's General Data Protection Regulation (GDPR), such regulatory action has become somewhat normalised, if not pedestrian. What is substantially different in the FTC's latest action is that now they are getting personal. In an unprecedented move, this