The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order. The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order, which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers. After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.” Hogan Lovells Partner Michelle Kisloff, Senior Associate Paul Otto, and Associate Joe Vladeck represented Sears in its petition.
On March 2, 2016, the Consumer Financial Protection Bureau announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc. The 5 year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.” Dwolla neither admitted nor denied that it engaged in data security misrepresentations. The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things. The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors.