Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: FTC

Posted in Consumer Privacy

Five Lessons from the FTC’s Latest Native Advertising Action

On March 15, 2016, the Federal Trade Commission reached an agreement with Lord & Taylor to settle charges that the luxury department store brand engaged in allegedly deceptive native advertising practices by failing to disclose and accurately represent its relationship to online magazines and fashion “influencers” who promoted the brand. This latest enforcement action follows the FTC’s release of a policy statement on native advertising practices and a companion set of guidelines for businesses. The action provides a cautionary tale with practical lessons about the importance of transparency in marketing strategies that mimic the look and feel of surrounding content.

Posted in International/EU Privacy

Inside the New EU-U.S. Data Framework: A Practical Breakdown of the Privacy Shield

The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.

Posted in International/EU Privacy

First Look: EU–U.S. Privacy Shield

On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

FTC Says Listen Up When Vulnerability Reports Come In

The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek. In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS misrepresented its security practices and failed to reasonably secure its router software, citing the company’s alleged failure to address vulnerability reports as one of the Commission’s primary concerns. The settlement reiterates the warnings contained in the FTC’s recent Start with Security Guide and prior settlements with HTC America and Fandango: the FTC expects companies to implement adequate processes for receiving and addressing security vulnerability reports within a reasonable time.

Posted in Cybersecurity & Data Breaches

Privacy, Security, and IoT Prominent Themes at Silicon Flatirons DBM Conference

On January 31, 2016, the Silicon Flatirons Center for Law, Technology, and Entrepreneurship at the University of Colorado hosted its annual Digital Broadband Migration Symposium. The theme of this year’s conference was “The Evolving Industry Structure of the Digital Broadband Landscape.” The two-day conference brought together an array of leaders from government, academia, and industry to examine the role of regulatory oversight, antitrust law, and intellectual property policy in regulating industry structure and to discuss what policy reforms may be appropriate for the constantly changing digital broadband environment. As outlined below, a recurring topic throughout this year’s conference was the relationship between privacy, security, and the evolving digital landscape.

Posted in Consumer Privacy

Three Signs Your Native Ad Needs a Disclosure: The FTC Issues Native Advertising Guidelines

If you’ve ever opened your washing machine to find white socks turned a pale shade of pink, you can relate to the sentiment of Buzzfeed UK’s piece “14 Laundry Fails We’ve All Experienced.” Humorous and empathetic, the piece mimicked Buzzfeed’s editorial tone and style, but also subtly promoted the message of a commercial advertiser—in this case, Dylon, a color dye manufacturer. And in what may be a sign of things to come in the US, the piece drew the attention of the U.K.’s advertising regulator, the Advertising Standards Authority, which cited Buzzfeed for failing to make the piece “obviously identifiable” as commercial content, a violation of the U.K.’s Committee on Advertising Practices Code.

Posted in Consumer Privacy

FTC Report: “Big Data Can Create Opportunities or Shut People Out”

On Wednesday, January 5, the FTC released a report titled “Big Data: A Tool for Inclusion or Exclusion?” The Report addresses the effects of the growing use of big data analytics on low-income and underserved populations, and the FTC’s role in monitoring and regulating the impacts of this commercial use of big data. There are two high-level takeaways from the Report: First, big data is a powerful tool that can be used to include or to exclude. Used responsibly, it can be a key to unlocking opportunities for underprivileged and underserved classes; but, when used with disregard for its effects, big data can serve to shut the underprivileged and underserved out of those same opportunities. Second, the FTC will be the cop on the beat. The Report’s emphasis on the tools at the FTC’s disposal for regulating the use of big data analytics, signals that the FTC intends to make use of its enforcement powers where it can.

Posted in Consumer Privacy

FTC ALJ: Embarrassment/Emotional Harm and Risk of Harm Does Not Satisfy “Substantial Consumer Injury” Prong of Unfairness

On November 13, 2015, the Federal Trade Commission’s Chief Administrative Law Judge dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that the complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act. The case is notable for being the first data security case tried before an ALJ and only one of two instances where a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that a company has engaged in unfair practices because of inadequate data security practices. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court based on lack of jurisdiction. Wyndham lost in the district court and on an interlocutory appeal the federal court of appeals upheld that ruling, but remanded the case to district court for a trial on the merits which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of an unfairness inquiry

Posted in Consumer Privacy, News & Events

Upcoming DC Program Explores Where We Are Headed with Section 5 of the FTC Act

Data privacy and security regulators don’t always agree. Take a look at the Federal Trade Commission for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk. On Thursday, November 5, 2015, the Future of Privacy Forum will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director David Vladeck) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues.

Posted in International/EU Privacy

Recording and Deck from Webinar: Safe Harbor Invalidated – What Next?

Thank you to everyone who participated in today’s webinar “Safe Harbor Invalidated – What Next?”, in which we analyzed the implications of yesterday’s decision by the Court of Justice of the European Union invalidating the EU-U.S. Safe Harbor Framework. A copy of the slide deck and a link to a recording of the webinar are attached to this post.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights. Comprehensive risk analysis and risk management practices remained a point of emphasis throughout the conference. This blog post addresses the following additional themes that emerged during the conference.

Posted in Consumer Privacy

FTC Settlement Reinforces Lessons for Data Broker Industry

The FTC has brought a number of actions over the years against companies that shared or failed to protect consumer information in violation of privacy policy promises or transferred data in violation of specific laws, such as the Fair Credit Reporting Act. In what may be viewed as charting new territory, the FTC recently brought a second action against a data broker for selling payday loan application information to entities that were not engaged in making any kind of loans to consumers. Both sets of defendants purchased payday loan application information from online payday loan websites where consumers provided personal information, including financial institution account information, on the applications. The defendants purchased the application information from the websites and sold the information to third parties who did not make payday loans to consumers, but rather made unauthorized charges to consumers’ accounts. The Commission alleged that the selling of such sensitive information was unfair.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

FTC Issues Data Security Guidance and Announces Data Security Conferences

The Federal Trade Commission has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences. In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.

Posted in Consumer Privacy

FTC’s Latest Location-Tracking Settlement Reminds Companies to Mind Any Gap Between What They Say and What They Do

On April 23, the FTC accepted an administrative consent order with Nomi Technologies, Inc., which uses mobile device tracking technology to provide analytics services to retailers through its “Listen” service. At first blush, the action appears to involve a straightforward alleged misrepresentation in a privacy policy, but the two dissenting statements from Commissioner Wright and Commissioner Ohlhausen reveal more complex legal and policy issues. The settlement provides useful insights into how the current Chairwoman and Commissioners view deception cases on data privacy issues. It also affirms that a company’s public statements must be accurate, but suggests that voluntary promises relating to privacy should be made cautiously.

Posted in Consumer Privacy, Privacy & Security Litigation

Court Allows FTC to Move Forward in “Common Carrier” Exemption Case

Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.

Posted in Consumer Privacy

NTIA Launches Multistakeholder Process to Develop Privacy Best Practices for Commercial and Private Unmanned Aircraft Systems

On March 4, the U.S. Commerce Department’s National Telecommunications and Information Administration announced it is seeking comments on how to structure a new multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. NTIA also announced that it will likely hold its first multistakeholder meeting within 90 days.

Posted in Consumer Privacy

FTC Complaint Offers Lessons for Data Broker Industry

Two weeks ago, the FTC filed a district court complaint in Arizona against an operation that included three corporations and one individual. While touted as a case against data brokers (“FTC Charges Data Broker with Facilitating the Theft of Millions of Dollars from Consumers’ Accounts”), the single count unfair trade practices action really involves fraudulent and egregious conduct that took advantage of a particularly vulnerable population, but it nevertheless provides a few lessons for the data broker industry generally.

Posted in Consumer Privacy

FTC Settles Claims Against Medical Billing Provider for Inadequate Data Collection Disclosures

On December 3, 2014, the Federal Trade Commission announced two administrative settlements with a medical Billing Provider, PaymentsMD, LLC, and its former CEO, Michael Hughes, for allegedly misleading thousands of consumers who signed up for an online billing portal by failing to adequately disclose that the company would seek detailed medical information from pharmacies, medical labs, and insurance companies. The FTC’s enforcement of Section 5 does not extend to businesses or organizations covered by the Health Insurance Portability and Accountability Act.

Posted in News & Events

Hogan Lovells Partner Discusses Privacy Regulation with FTC Commissioner Ohlhausen

As the keynote speaker for the Winnik Forum, U.S. Federal Trade Commission (FTC) Commissioner Maureen Ohlhausen sat down with Christopher Wolf, Director of Hogan Lovells’ Privacy and Information Management Practice to discuss the evolving role of the FTC as we enter an era of “Big Data” and the “Internet of Things.” Commissioner Ohlhausen offered her views on a flexible approach to protecting consumer data privacy as connected devices continue to evolve. As opportunities arise for additional potential uses of collected data, Commissioner Ohlhausen said organizations and policymakers should consider a “harms-based approach” in which new uses of data would be allowed as long as they do not cause consumer harm and as long as they remain consistent with earlier promises that organizations have made to consumers. The key for Commissioner Ohlhausen is that companies should disclose what data is being collected and keep the promises that they make to consumers about the collection and uses of that data.

Posted in Consumer Privacy

FTC Sends Dozens of Warning Letters to Companies Over Advertising Disclosures

It should be standard practice for companies to review the transparency of material disclaimers and disclosures in their advertising before every ad campaign. However, some companies tend to pack material disclosures into fine print or otherwise minimize their significance. The Federal Trade Commission recently signaled to companies that it is paying attention to print and television ad disclosures. This follows the FTC’s renewed attention to online advertising as addressed last year in its updated .com Disclosures guidance for digital advertising

Posted in Consumer Privacy

FCC Announces $10 Million Proposed Forfeiture Over Data Security Practices

The Federal Communications Commission recently issued a Notice of Apparent Liability for Forfeiture proposing a $10 million penalty against TerraCom, Inc. and YourTel America, Inc. (collectively, the “companies”) for allegedly violating laws protecting consumers’ personal information. Specifically, the FCC alleged that the companies placed the personal data of up to 300,000 consumers at risk by storing Social Security numbers, names, addresses, driver’s licenses, and other proprietary information on unprotected Internet servers that “anyone in the world could access.” The decision is the FCC’s first case involving data security. It is also informative as to the FCC’s current and evolving expectations with regard to carriers’ duties to protect sensitive consumer information, and it underscores the need for organizations in the communications sector to keep a close eye on both FCC and Federal Trade Commission data privacy and security enforcement activity.