On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”).
On May 31, 2018, the Federal Trade Commission published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act (“COPPA”).
On May 24, 2018, the Federal Trade Commission granted final approval to a settlement (the “Final Settlement”) with PayPal, Inc., to resolve charges that PayPal’s peer-to-peer payment service, Venmo, misled consumers regarding certain restrictions on the use of its service, as well as the privacy of transactions. The proposed settlement was announced on February 27, 2018. In its complaint, the FTC alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Gramm-Leach-Bliley Act’s (“GLBA’s”) Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed. The complaint also alleged that Venmo (1) misled consumers about their ability to transfer funds to external bank accounts, and (2) misrepresented the extent to which consumers could control the privacy of their transactions, in violation of the GLBA Privacy Rule.
On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances.
On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”
On April 30, 2018, the Federal Trade Commission announced that BLU Products, Inc. (“BLU”), a mobile phone manufacturer, agreed to settle charges that the company allowed ADUPS Technology Co. Ltd. (“ADUPS”), a third-party service provider based in China to collect consumers’ personal information without their knowledge or consent, notwithstanding the company’s promises that it would keep the relevant information secure and private. The relevant personal information allegedly included, among other information, text message content and real-time location information. On September 6, 2018, the FTC gave final approval to the settlement in a unanimous 5-0 vote.
On April 26, 2018, the U.S. Senate confirmed by unanimous consent all five pending nominees to the Federal Trade Commission. Once installed, the agency will have a full complement of Commissioners for the first time in nearly three years. The FTC will be comprised of three Republicans — Joseph Simons (Chairman), Noah Joshua Phillips and Christine Wilson — and two Democrats — Rebecca Kelly Slaughter and Rohit Chopra.
The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities.
On March 26, 2018, the U.S. Department of Commerce posted an update on the actions it has taken between January 2017 and March 2018 to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”). The update details measures taken in support of commercial and national security issues relating to the Privacy Shield.
On February 28, 2018, the Federal Trade Commission issued a report, titled Mobile Security Updates: Understanding the Issues (the “Report”), that analyzes the process by which mobile devices sold in the U.S. receive security updates and provides recommendations for improvement. The Report is based on information the FTC obtained from eight mobile device manufacturers, and from information the Federal Communications Commission collected from six wireless carriers.
On February 26, 2018, the United States Court of Appeals for the Ninth Circuit ruled in an en banc decision that the “common carrier” exception in the Federal Trade Commission Act is “activity-based,” and therefore applies only to the extent a common carrier is engaging in common carrier services. The decision has implications for FTC authority over Internet service providers, indicating that the FTC has authority to bring consumer protection actions against such providers to the extent they are engaging in non-common carrier activities. The Federal Communications Commission (“FCC”) has previously ruled that Internet access service is not a common carrier service subject to that agency’s jurisdiction.
On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months that addressed these issues, following the FTC’s action against TaxSlayer, Inc. and signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules.
On February 22, 2018, the Federal Trade Commission (“FTC”) published a blog post that provides tips on how consumers can use Virtual Private Network (“VPN”) apps to protect their information while in transit over public networks. The FTC notes that some consumers are finding VPN apps helpful in protecting their mobile device traffic over Wi-Fi networks at coffee shops, airports and other locations. Through a VPN app, a user can browse websites and use apps on their mobile devices, still shielding the traffic from prying eyes as it transmits via public networks.
On February 6, 2018, the Federal Trade Commission (“FTC”) released its agenda for PrivacyCon 2018, which will take place on February 28. Following recent FTC trends, PrivacyCon 2018 will focus on privacy and data security considerations associated with emerging technologies, including the Internet of Things, artificial intelligence and virtual reality. The event will feature four panel presentations by over 20 researchers, including (1) collection, exfiltration and leakage of private information; (2) consumer preferences, expectations and behaviors; (3) economics, markets and experiments and (4) tools and ratings for privacy management. The FTC’s press release emphasizes the event’s focus on the economics of privacy, including “how to quantify the harms that result when companies fail to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.”
On February 5, 2018, the Federal Trade Commission (“FTC”) announced its most recent Children’s Online Privacy Protection Act (“COPPA”) case against Explore Talent, an online service marketed to aspiring actors and models. According to the FTC’s complaint, Explore Talent provided a free platform for consumers to find information about upcoming auditions, casting calls and other opportunities. The company also offered a monthly fee-based “pro” service that promised to provide consumers with access to specific opportunities. Users who registered online were asked to input a host of personal information including full name, email, telephone number, mailing address and photo; they also were asked to provide their eye color, hair color, body type, measurements, gender, ethnicity, age range and birth date.
On January 18, 2018, the Federal Trade Commission (“FTC”) released its 2017 Privacy & Data Security Update (the “Report”). The annual Report, which summarizes the privacy and data security-related activities conducted by the FTC over the past year, is broken down into five key areas: (1) enforcement; (2) advocacy; (3) workshops; (4) reports and surveys; (5) consumer education and business guidance; and (6) international engagement.
On January 9, 2018, the FTC issued a paper recapping the key takeaways from the FTC’s and National Highway Traffic Safety Administration’s June 2017 workshop on privacy and security issues involving connected cars. The workshop featured representatives from consumer groups, industry, government and academia.
On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to ...
On December 12, 2017, the Federal Trade Commission hosted a workshop on informational injury in Washington, D.C., where industry experts, policymakers, researchers and legal professionals considered how to best characterize and measure potential injuries and resulting harms to consumers when information about them is misused or inappropriately protected.
Recently, the FTC and FCC announced their intent to enter into a Memorandum of Understanding (“MOU”) under which the agencies would coordinate their efforts following the adoption of the Restoring Internet Freedom Order (the “Order”). As we previously reported, if adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services.
Recently, FCC Chairman Ajit Pai released a draft of the Restoring Internet Freedom Order (the “Order”). If adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services.
Recently, the Federal Trade Commission released the final agenda for a workshop being held on December 12, 2017, that will address the various consumer injuries that result from the unauthorized access to or misuse of consumers’ personal information.
On November 8, 2017, Sears Holding Management Corporation (“Sears”) requested that the FTC reopen and modify a 2009 Commission Order (the “Order”) settling charges that Sears inadequately disclosed the scope of consumer data collected through the company’s software application. The initial FTC complaint alleged that Sears represented to consumers that its downloadable software application would track users’ “online browsing,” but in fact tracked nearly all of the users’ Internet behavior. Sears petitioned the FTC to modify the Order’s definition of ...
On November 8, 2017, the FTC announced a settlement with Georgia-based online tax preparation service, TaxSlayer, LLC (“TaxSlayer”), regarding allegations that the company violated federal rules on financial privacy and data security. According to the FTC’s complaint, malicious hackers were able to gain full access to nearly 9,000 TaxSlayer user accounts between October 2015 and December 2015. The hackers allegedly used the personal information contained in the users’ accounts, including contact information, Social Security numbers and financial information, to engage in tax identify theft and obtain tax refunds through filing fraudulent tax returns. The FTC charged TaxSlayer with violating the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule.
On October 23, 2017, the Federal Trade Commission issued a policy enforcement statement providing additional guidance on the applicability of the Children’s Online Privacy Protection Rule (“COPPA Rule”) to the collection of children’s audio voice recordings. The FTC previously updated the COPPA Rule in 2013, adding voice recordings to the definition of personal information, which led to questions about how the COPPA Rule would be enforced against organizations who collect a child’s voice recording for the sole purpose of issuing a command or request.
On October 19, 2017, the White House announced that President Donald J. Trump plans to nominate two individuals to serve as commissioners of the Federal Trade Commission. President Trump selected Joseph Simons to lead the FTC as its chairman for a seven-year term, beginning September 26, 2017. Simons’ background primarily has focused on antitrust matters. From June 2001 to August 2003, he led the FTC’s antitrust initiative as Director of the FTC’s Bureau of Competition.
On October 18, 2017, the EU Commission (“Commission”) released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework (collectively, the “Report”). The Report states that the Privacy Shield framework continues to ensure an adequate level of protection for personal data that is transferred from the EU to the U.S. It also indicates that U.S. authorities have put in place the necessary structures and procedures to ensure the proper functioning of the Privacy Shield, including by providing new redress possibilities for EU individuals and instituting appropriate safeguards regarding government access to personal data. The Report also states that Privacy Shield-related complaint-handling and enforcement procedures have been properly established.
On October 13, 2017, the Federal Trade Commission published the twelfth and final blog post in its “Stick with Security” series (the “Series”). The Series focused on the 10 principles outlined in the FTC’s Start with Security Guide for Businesses and sought to provide insights and lessons learned on data security from recent FTC cases, closed investigations and questions and comments received from businesses. The final post, entitled Stick with Security: FTC resources for your business, outlines the resources available to businesses to put the principles detailed in the Series into practice. These can be found on the FTC’s Data Security page.
On October 4, 2017, the Federal Trade Commission and the Department of Education (“DOE”) announced that they will co-host a workshop to explore privacy issues related to education technology. The Ed Tech Workshop, which will take place on December 1, 2017 in Washington, D.C., will examine how the FTC’s Rule implementing the Children’s Online Privacy Protection Act (“COPPA”) applies to schools and intersects with the Family Educational Rights and Privacy Act (“FERPA”), which is administered by the DOE.
On September 29, 2017, the Federal Trade Commission published the eleventh blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Secure paper, physical media, and devices, highlights the importance of adopting a 360 degree approach to protecting confidential data. This strategy includes securing not only networks and information systems, but also paper, physical media and devices.
On September 22, 2017, the Federal Trade Commission published the tenth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Put procedures in place to keep your security current and address vulnerabilities that may arise, outlines how and why companies should keep their security up to date and respond quickly to credible threats.
The Federal Trade Commission will host a workshop on informational injury on December 12, 2017. The FTC’s three main goals for hosting the workshop are to:
- “Better identify the qualitatively different types of injury to consumers and businesses from privacy and data security incidents;”
- “Explore frameworks for how the FTC might approach quantitatively measuring such injuries and estimate the risk of their occurrence;” and
- “Better understand how consumers and businesses weigh these injuries and risks when evaluating the tradeoffs to sharing, collecting, storing and using information.”
On September 15, 2017, the Federal Trade Commission published the ninth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Make sure your service providers implement reasonable security measures, highlights the importance for companies to ensure that the service providers they engage with implement reasonable security measures.
On September 8, 2017, the Federal Trade Commission published the eighth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Apply sound security practices when developing new products, outlines the importance of building security into product development from the start.
On September 8, 2017, the Federal Trade Commission announced that it had settled charges against three companies for misleading consumers about their participation in the Privacy Shield framework. The FTC alleged that Decusoft, LLC, Tru Communication, Inc. and Md7, LLC violated the FTC Act by falsely claiming that they were certified to the EU-U.S. Privacy Shield, when in fact the three companies never completed the Privacy Shield certification process. In addition, Decusoft falsely claimed to be certified to the Swiss-U.S. Privacy Shield. This marks the first enforcement action brought by the FTC pursuant to the Privacy Shield.
On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General.
On September 1, 2017, the FTC published the seventh blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Secure remote access to your network, outlines important security measures businesses should take to ensure that outside entryways to their systems are sensibly defended.
On August 25, 2017, the FTC published the sixth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Segment your network and monitor who’s trying to get in and out, illustrates the benefits of segmenting networks and monitoring the size and frequency of data transfers.
On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years.
On August 18, 2017, the FTC published the fifth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Store sensitive personal information securely and protect it during transmission, outlines steps businesses can take to secure sensitive data, including when it is in transit.
On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks.
On August 4, 2017, the FTC published the third blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Stick with security: Control access to data sensibly,” details key security measures businesses can take to limit unauthorized access to data in their possession.
On July 31, 2017, the Federal Trade Commission announced that it has approved modifications to TRUSTe’s safe harbor program under the Children’s Online Privacy Protection Rule (the “COPPA Rule”).
On July 28, 2017, the FTC published the second blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Start with security – and stick with it,” looks at key security principles that apply to all businesses regardless of their size or the types of data they handle.
On July 21, 2017, the FTC announced its publication of “Stick with Security,” a series of blog posts on reasonable steps that companies should take to protect and secure consumer data. The posts will build on the FTC’s Start with Security Guide for Businesses, and will be based on the FTC’s 60+ law enforcement actions, closed investigations and questions from businesses. Every Friday for the next few months, the FTC will publish on its Business Blog a new post focusing on each of the 10 “Start with Security” principles.
On July 5, 2017, the FTC announced that Blue Global Media, LLC (“Blue Global”) agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure. According to the FTC’s complaint, Blue Global claimed it would connect loan applicants to lenders from its network of over 100 lenders in an effort to offer applicants the best terms. In reality, Blue Global “sold very few of the loan applications to lenders; did not match applications based on loan rates or terms; and sold the loan applications to the first buyer willing to pay for them.” The FTC alleged that, contrary to Blue Global’s representations, the company provided consumers’ sensitive information—including SSN and bank account number—to buyers without consumers’ knowledge or consent. The FTC further alleged that, upon receiving complaints from consumers that their personal information was being misused, Blue Global failed to investigate or take action to prevent harm to consumers.
On June 21, 2017, the Federal Trade Commission updated its guidance, Six-Step Compliance Plan for Your Business, for complying with the Children’s Online Privacy Protection Act (“COPPA”). The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online. The updated guidance adds new information on situations where COPPA applies and steps to take for compliance.
On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network LLC (“Dish”) to pay a record $280 million in civil penalties for violations of the FTC’s Telemarketing Sales Rule (“TSR”), the Telephone Consumer Protection Act (“TCPA”) and state law. In its complaint, the FTC alleged that Dish initiated, or caused a telemarketer to initiate, outbound telephone calls to phone numbers listed on the Do Not Call Registry, in violation of the TSR. The complaint further alleged that Dish violated the TSR’s prohibition on abandoned calls and assisted and facilitated telemarketers when it knew or consciously avoided knowing that telemarketers were breaking the law.
On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.
Privacy and data security issues have become the subject of critical focus in corporate mergers, acquisitions, divestitures and related transactions. In 2016 and 2017, several large transactions, especially those involving telecommunications, entertainment and technology companies, have been impacted by either concerns about the collection and use of personal information or significant information security breaches. The FTC has sharpened its focus on the use of personal information as a factor in evaluating the competitive effects of a given corporate transaction, and the SEC is now closely scrutinizing privacy and data security representations made to investors in public filings connected to transactions. More broadly, privacy and data security problems that are not timely discovered before entering into an M&A transaction can become significant liabilities post-closing and also lead to litigation.
On April 19, 2017, the FTC announced that it is seeking public comment on proposed changes to TRUSTe, Inc.’s safe harbor program under the Children’s Online Privacy Protection Rule (the “Proposed Changes”). As we previously reported, New York Attorney General Eric T. Schneiderman announced that TRUSTe agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. The Proposed Changes are a result of the settlement agreement between TRUSTe and the New York Attorney General.
On April 3, 2017, President Trump signed a bill which nullifies the Broadband Consumer Privacy Rules (the "Rules") promulgated by the FCC in October 2016. The Rules largely had not yet taken effect. In a statement, FCC Chairman Ajit Pai praised the elimination of the Rules, noting that, “in order to deliver that consistent and comprehensive protection, the Federal Communications Commission will be working with the Federal Trade Commission to restore the FTC’s authority to police Internet service providers’ privacy practices.” ...
On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.
On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business).
Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a series of recommendations to enhance the effectiveness of data privacy regulators. The report, Seeking Solutions: Attributes of Effective Data Protection Authorities, identifies seven key attributes of data protection authorities (“DPAs”) that contribute to effective data protection governance. The report also explores how the level of effectiveness varies based on differences in the structure, roles and resources of a DPA.
On March 1, 2017, the Federal Communications Commission (“FCC”), under the new leadership of Chairman Ajit Pai, voted 2-1 to issue a temporary stay of the data security obligations of the FCC’s Broadband Consumer Privacy Rules (the “Rules”), which were to go into effect March 2, 2017. The temporary stay will remain in place until the FCC is able to act on pending petitions for reconsideration.
On February 22, 2017, the Federal Trade Commission announced that it had reached settlement agreements (“the Proposed Agreements”) with three U.S. companies charged with deceiving consumers about their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”) system. The three companies are Sentinel Labs, Inc. (which provides endpoint protection software), SpyChatter, Inc. (which markets a private messaging app) and Vir2us, Inc. (which distributes cybersecurity software). In separate complaints, the FTC alleged that each company falsely represented in its online privacy policy that it participated in the APEC CBPR program (“the Program”), when in fact none of the companies have ever been certified as required by the Program. The Program requires participants to undergo a review by an APEC-recognized accountability agent, whose review certifies that participants meet the Program’s standards. The Program is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.
On February 6, 2017, the FTC announced that it has agreed to settle charges that VIZIO, Inc. (“VIZIO”), installed software on about 11 million consumer televisions to collect viewing data without consumers’ knowledge or consent. The stipulated federal court order requires VIZIO to pay $2.2 million to the FTC and New Jersey Division of Consumer Affairs.
On January 23, 2017, the FTC released a Staff Report (the “Report”) on cross-device tracking technology that can link multiple Internet-connected devices to the same person and track that person’s activity across those devices. The Report follows a November 2015 workshop on the same subject and is based on information and comments gathered during that workshop.
On December 20, 2016, the FTC announced that it has agreed to settle charges that Turn Inc. (“Turn”), a company that enables commercial brands and ad agencies to target digital advertising to consumers, tracked consumers online even after consumers took steps to opt out of tracking.
On December 14, 2016, the FTC announced that the operating companies of the AshleyMadison.com website (collectively, the “Operators”) have settled with the FTC and a coalition of state regulators over charges that the Operators deceived consumers and failed to protect users’ personal information. The FTC worked with a coalition of 13 states, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner to resolve this matter, which was initiated in the wake of the website’s July 2015 data breach.
On December 1, 2016, the nonpartisan Commission on Enhancing Cybersecurity (the “Commission”), established in February 2016 by President Obama as part of a $19 billion Cybersecurity National Action Plan, issued its Report on Securing and Growing the Digital Economy (the “Report”), which includes recommended actions that the government and private sector can take over the next 10 years to improve cybersecurity.
On November 30, 2016, the FTC released a staff summary (the “Summary”) of a public workshop called Putting Disclosures to the Test. The workshop, which was held on September 15, 2016, examined ways of testing and evaluating company disclosures regarding advertising claims and privacy practices. The Summary reviews the workshop and its key takeaways.
On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group (“CEG”) settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call (“DNC”) Registry, in violation of the Telemarketing Sales Rule (“TSR”).
This post has been updated.
On October 27, 2016, the Federal Communications Commission (“FCC”) announced the adoption of rules that require broadband Internet Service Providers (“ISPs”) to take steps to protect consumer privacy (the “Rules”). According to the FCC’s press release, the Rules are intended to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.”
On October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page Guide details steps businesses should take once they become aware of a potential breach. The Guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.
On October 27, 2016, the Federal Communications Commission (“FCC”) will vote on whether to finalize proposed rules (the "Proposed Rules”) concerning new privacy restrictions for Internet Service Providers (“ISPs”). The Proposed Rules, which revise previous versions introduced earlier this year, would require customers’ explicit (or “opt-in”) consent before an ISP can use or share a customer’s personal data, including web browsing and app usage history, geolocation data, children’s information, health information, financial information, email and other message contents and Social Security numbers.
On August 29, 2016, the Federal Trade Commission announced that it is seeking public comment on the Gramm-Leach-Bliley Act (“GLB”) Safeguards Rule. The GLB Safeguards Rule, which became effective in 2003, requires financial institutions to develop, implement and maintain a comprehensive information security program to safeguard customer information.
On July 29, 2016, the Federal Trade Commission (“FTC”) announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.
On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).
The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.
On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.
On June 29, 2016, the Federal Trade Commission announced that, to account for inflation, it is increasing the civil penalty maximums for certain violations of the FTC Act effective August 1, 2016. The FTC’s authority for issuing these adjustments comes from the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The Federal Register Notice indicates which sections of the FTC Act the adjustments will apply to, and the corresponding increases. For example, the FTC has increased the maximum fine from $16,000 to $40,000 for certain violations of Section 5 of ...
On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties.
On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.
In a recent video segment, “What Do You Do with a Hacked Law Firm?”, from Mimesis Law’s Cy-Pher Executive Roundtable held in May, Lisa Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, and other privacy professionals discussed the Federal Trade Commission’s jurisdiction in bringing enforcement actions against law firms in a breach event. “There’s no reason why law firms are exempt from [those actions],” says Sotto. However, if the information lost is financial information or trade secrets rather than personal information, “it’s not ...
The Federal Trade Commission announced that it will host a workshop on September 15, 2016, “Putting Disclosures to the Test,” on the efficacy and costs of consumer disclosures in advertising and privacy policies. Planned discussion topics include examining disclosures meant to avoid deception in advertising, disclosures designed to inform consumers of data tracking, and industry-specific disclosures for jewelry, environmental and fuel-saving claims. The workshop is open to the public and will take place at the FTC’s Constitution Center offices in Washington, D.C ...
On May 9, 2016, the Federal Trade Commission announced it had issued Orders to File a Special Report (“Orders”) to eight mobile device manufacturers requiring them to, for purposes of the FTC’s ongoing study of the mobile ecosystem, provide the FTC with “information about how [the companies] issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.” The FTC’s authority to issue such Orders comes from Section 6(b) of the FTC Act.
On May 4, 2016, the Federal Trade Commission issued a press release announcing its recent settlement with the hand-held vaporizers manufacturer, Very Incognito Technologies, Inc. (“Vipvape”). The FTC had charged Vipvape with falsely claiming that it was a certified company under the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) framework. The settlement prohibits Vipvape from misleading consumers about its participation in any privacy and security certification program, including the APEC CBPR framework. This is the first CBPR-related case taken up by the FTC.
The Federal Trade Commission recently released an interactive tool for mobile health apps. The tool was developed in conjunction with several other federal agencies, including the Department of Health and Human Services’ Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration.
On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”
Personal information about consumers is the lifeblood of many organizations. Because of the potential value of the information, companies are increasingly focused on privacy and data security issues that arise in the context of mergers, acquisitions, divestitures and related transactions. In many corporate transactions, data is a critical asset that should be addressed as a key deal point. Unfortunately, too often personal data is transferred without consideration of the issues that otherwise might change the pricing of a deal – or kill it altogether. In a recent article ...
On February 29, 2016, the European Commission issued the legal texts that will implement the EU-U.S. Privacy Shield. These texts include a draft adequacy decision from the European Commission, Frequently Asked Questions and a Communication summarizing the steps that have been taken in the last few years to restore trust in transatlantic data flows.
The agreement in support of the new EU-U.S. transatlantic data transfer framework, known as the EU-U.S. Privacy Shield, was reached on February 2, 2016, between the U.S. Department of Commerce and the European Commission. Once adopted, the adequacy decision will establish that the safeguards provided when transferring personal data pursuant to the new EU-U.S. Privacy Shield are equivalent to the EU data protection standards. In addition, the European Commission has stated that the new framework reflects the requirements that were set forth by the Court of Justice of the European Union (the “CJEU”) in the recent Schrems decision.
On February 23, 2016, the Federal Trade Commission announced that it reached a settlement with Taiwanese-based network hardware manufacturer ASUSTeK Computer, Inc. (“ASUS”), to resolve claims that the company engaged in unfair and deceptive security practices in connection with developing network routers and cloud storage products sold to consumers in the U.S.
On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
On January 6, 2015, the Federal Trade Commission released its report on big data entitled Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues. The report is a compilation of a seminar on alternative scoring products, the discussions at a big data public workshop held on September 15, 2014, and other recent research and public commentary on the issue.
Late last year the Federal Trade Commission issued enforcement guidance on “native advertising” — ads that purposely are formatted to appear as noncommercial and are integrated into surrounding editorial content. The agency’s guidance took two parts: an Enforcement Policy Statement on deceptively formatted ads, and a Guide for Business on native advertising. These long-awaited guidance documents follow on the FTC’s December 2013 “Blurred Lines” workshop on native advertising. Importantly, the FTC notes that its policy statement does not apply just to advertisers but also to other parties that help create the content: ad agencies, ad networks and potentially, publishers.
On December 21, 2015, the Federal Trade Commission announced software company Oracle Corporation (“Oracle”) has agreed to settle FTC charges that accused the company of misrepresenting the security of its software updates. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company had deceived consumers about the security provided by updates to the Java Platform, Standard Edition software (“Java SE”).
On December 17, 2015, the Federal Trade Commission announced that LifeLock, Inc. (“LifeLock”) has agreed to pay $100 million to settle contempt charges for deceptive advertising. According to the FTC, “[t]his is the largest monetary award obtained by the Commission in an order enforcement action.” Under the terms of the settlement, $68 million of the settlement amount will be paid to class action consumers who were injured by the identity theft protection company’s violation of a 2010 settlement with the FTC that required LifeLock to protect consumer information. The rest of the money will be used for settlements with state attorneys general, and any remaining money will go to the FTC. The case is Federal Trade Commission v. LifeLock Inc., et al. (2:10-cv-00530), in the U.S. District Court for the District of Arizona.
On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.
On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corporation (“Wyndham”) settled charges brought by the FTC stemming from allegations that the company unfairly failed to maintain reasonable data security practices. The case is FTC v. Wyndham Worldwide Corporation, et al. (2:13-CV-01887-ES-JAD) in the U.S. District Court for the District of New Jersey.
As reported in the Hunton Employment & Labor Perspectives Blog:
On November 2, 2015, a putative class action was filed against retailer Big Lots Stores, Inc. in Philadelphia, stemming from allegations that the company “systematically” violated the Fair Credit Reporting Act’s (“FCRA’s”) “standalone disclosure requirement” by making prospective employees sign a document used as a background check consent form that contained extraneous information. Among other things, the plaintiff alleges that Big Lots’ form violates the FCRA because it includes the following three categories of extraneous information: (1) an “implied liability waiver” (specifically, a statement that the applicant “fully understand[s] that all employment decisions are based on legitimate nondiscriminatory reasons”); (2) state-specific notices; and (3) information on how background information will be gathered and from which sources, statements pertaining to disputing any information, and the name and contact information of the consumer reporting agency.
On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD Inc. (“LabMD”) for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury. The law judge did not address LabMD’s claim that the FTC does not have jurisdiction to enforce data security standards under the unfairness prong of Section 5 of the FTC Act, and LabMD has reserved its jurisdictional challenge for an anticipated appeal to the federal court. The action is In the Matter of LabMD Inc., Docket No. 9357.
On Monday, November 2, 2015, Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) Senior Policy Advisor, Fred H. Cate, moderated an academic panel on The Data Dilemma: A Transatlantic Discussion on Privacy, Security, Innovation, Trade, and the Protection of Personal Data in the 21st Century. The event was sponsored by Indiana University and took place at the CIEE Global Institute in Berlin, Germany.
On October 26, 2015, the Federal Trade Commission (“FTC”) issued a press release on the Global Privacy Enforcement Network (“GPEN”) Alert, a new multilateral information sharing system that would allow participating agencies to share information relating to an investigation in order to facilitate better cross-border coordination. The FTC, along with agencies from seven other nations, signed a Memorandum of Understanding at the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam. FTC Chairwoman Edith Ramirez stated that the “GPEN Alert is an important, practical cooperation tool that will help GPEN authorities protect consumer privacy across the globe.” Australia, Canada, Ireland, The Netherlands, New Zealand, Norway and the United Kingdom join the U.S. in their efforts to coordinate global consumer privacy protection.
Hunton & Williams welcomes Phyllis H. Marcus as counsel to the firm’s privacy and competition teams. Phyllis joins the firm from the Federal Trade Commission, where she held a number of leadership positions, most recently as Chief of Staff of the Division of Advertising Practices. Phyllis led the FTC’s children’s online privacy program, including bringing a number of enforcement actions and overhauling the Children’s Online Privacy Protection Act (“COPPA”) Rule. She offers the privacy team a keen understanding of the complexities of the revised regulations, as well as broader issues relating to student privacy, mobile applications and the Internet of Things.
On October 21, 2015, the EU-U.S. Privacy Bridge Initiative, a group of transatlantic privacy experts that was convened in April of 2014, released its report on Privacy Bridges – EU and US Privacy Experts in Search of Transatlantic Privacy Solutions.
On August 24, 2015, the United States Court of Appeals for the Third Circuit issued its opinion in Federal Trade Commission v. Wyndham Worldwide Corporation (“Wyndham”), affirming a district court holding that the Federal Trade Commission has the authority to regulate companies’ data security practices.
On August 17, 2015, the Federal Trade Commission announced proposed settlements with 13 companies over allegations that they misled consumers by falsely claiming to be Safe Harbor certified when their certifications had lapsed or they had never been certified at all.
On June 30, 2015, the Federal Trade Commission announced its new “Start With Security” business education initiative, which will provide businesses with information on data security and how to protect consumer information.
Earlier this month, the Payment Card Industry Security Standards Council (“PCI SSC”) published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard (“PCI DSS”) effectively and on a continuing basis. The payment card brands and acquirers will determine which organizations are required to undergo a compliance assessment with respect to these supplemental validation requirements, which are entitled the PCI DSS Designated Entities Supplemental Validation (“DESV”).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code