On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop. Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered. The paper noted that several important points emerged from the workshop.
On September 27, the Federal Trade Commission (FTC) announced proposed settlement agreements with four companies it alleges violated Section 5 of the FTC Act by misrepresenting their certification status and compliance with the EU-U.S. Privacy Shield. This latest set of enforcement actions brings the FTC’s Privacy Shield related enforcement to settlements with eight defendants since the framework was adopted in July 2016 and it also introduced a couple of new FTC models of Privacy Shield enforcement.
The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order. The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order, which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers. After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.” Hogan Lovells Partner Michelle Kisloff, Senior Associate Paul Otto, and Associate Joe Vladeck represented Sears in its petition.
Hot on the heels of the European Commission’s official review of the functioning of the EU-U.S. Privacy Shield framework, the Article 29 Working Party of EU data protection regulators has issued its own report on the matter. The summary of findings by the Working Party, which draws from both written submissions and oral contributions, begins by commending U.S. authorities for their efforts in establishing a procedural framework to support the operation of Privacy Shield but quickly shifts to the Working Party’s concerns. Should the concerns not be addressed by the time of the second joint review, the Working Party notes that its members will “take appropriate action,” including bringing a Privacy Shield adequacy decision to national courts for reference to the Court of Justice of the European Union for a preliminary ruling.
Join us tomorrow, October 25 for the next installment of our 2017 Internet of Things webinar series and get practical guidance on privacy compliance challenges presented by the Internet of Things.
Last week, the U.S. District Court for the Northern District of California dismissed three of six claims the Federal Trade Commission asserted against D-Link Systems related to its sale of routers and IP cameras and related software and services. The decision has implications for the pleading standards courts use to evaluate such claims at the motion to dismiss stage and for the FTC’s assertion of unfairness claims based on alleged likelihood of substantial consumer harm.
Hogan Lovells announced today that Edith Ramirez, the former Chairwoman of the US Federal Trade Commission, has joined the firm as a partner and will play an active role in Hogan Lovells’ Privacy and Cybersecurity practice. She will also co-head the firm’s Antitrust, Competition and Economic Regulation practice.
The Federal Trade Commission released an updated guidance document for complying with the Children’s Online Privacy Protection Act. The revised guidance, released on June 21, 2017, explicitly identifies connected toys and other Internet of Things devices as being covered under COPPA and adds clarity to web operators’ responsibility for the activities of third parties, such as ad networks and plug-ins, that collect personal information protected under COPPA. It also includes recently approved methods for obtaining verifiable parental consent.
How do you ensure that an Internet-connected sensor or device—often inexpensive and designed for lifespans of up to 20 years or more—can be secured against not only the intrusions of today but also those of the future? This question has taken on new urgency as low-cost Internet-connected devices are increasingly being co-opted into massive networks, known as “botnets,” that are capable of causing widespread disruption.
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
The Federal Trade Commission and National Highway Traffic Safety Administration are co-hosting a workshop on June 28, 2017, to explore the privacy and security issues raised by automated and connected vehicle technologies. The agencies are looking to explore the types of data such technologies collect, store, transmit, and share; the potential benefits and challenges posed by the technologies; the privacy and security practices of vehicle manufacturers; the roles that federal agencies should play in regulating privacy and security issues; and how self-regulatory standards apply to connected vehicle privacy and security issues. In advance of the workshop, the FTC and NHTSA are seeking public comment on privacy and security issues. Comments may be submitted through April 20, 2017.
As previously reported, on Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9th FinTech Forum and focuses on the discussions surrounding blockchain technologies, in which panelists reflected on the nascent stage of the technology, industry representatives expressed confusion over the applicability of current regulation, and regulators expressed a lack of clarity over jurisdictional questions.
On Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. The FTC acknowledged the benefits of technological developments in AI and blockchain technologies, but stressed that advancements in these technologies must be coupled with an awareness of and active engagement in identifying and minimizing associated risks. This blog post focuses on the AI discussion, which addressed how the values of privacy, autonomy, and fairness are affected by the advent of AI systems as well as how to ensure safety and security in the development and deployment of individual and connected AI systems.
On January 23, 2017, fourteen months after hosting a workshop to review the multi-device, multi-platform digital landscape, the FTC issued a staff report on cross-device tracking summarizing the FTC’s 2015 workshop and providing a set of related recommendations. In this post, we look at the FTC’s previous advice on cross-device tracking, key takeaways from the FTC report, and how the guidance aligns with the Digital Advertising Alliance’s (DAA) self-regulatory principles for cross-device tracking, which become enforceable on February 1, 2017.
In June 2015, the Federal Trade Commission held a workshop on The “Sharing” Economy: Issues Facing Platforms, Participants, and Regulators. The Commission also solicited public comments on the topic, receiving more than 2,000 comments in response. On 17 November, the Commission issued a report summarizing the issues explored in the workshop and the public comments. The report emphasized that the workshop (and its ensuing summary) was not intended “as a precursor to law enforcement” but “an opportunity to learn more” about this rapidly evolving business model and to aid “the Commission, as well as regulators, consumer groups, platforms, participants using the platforms, incumbent firms, and others” to address the unique issues raised by sharing economy platforms.
The Federal Communication Commission’s long-awaited – and much debated – privacy rules for Internet Service Providers have now been adopted. The agency approved the rules by a 3-2 vote along political party lines last Thursday. Several of the FCC requirements are particularly notable for being more restrictive than the Federal Trade Commission’s standards for consumer online privacy. In this post we provide an overview of some of the new FCC rules and highlight key areas where the FCC’s requirements diverge from the FTC’s framework.
Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s data security enforcement practices. Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities. To the extent Congress questioned the FTC’s enforcement decisions in this pre- Wyndham and LabMD era, those inquires typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets. Wyndham and LabMD fundamentally shifted this debate.
On October 13, the Federal Trade Commission held a workshop on drone privacy and cybersecurity as part of its Fall Technology Series. Close watchers of the drone privacy debate would recognize the arguments presented at the FTC workshop as reminiscent of the comprehensive and productive debate over drone privacy played out before the National Telecommunications and Information Administration earlier this year. The NTIA process concluded with the release of Best Practices for drone privacy supported by a diverse group of industry members and civil society representatives. Although the FTC’s workshop was in many ways a reprise of the NTIA multi-stakeholder debate, the workshop was notable insofar as the public gained new insights into FTC staff views on drone privacy and cybersecurity.
The Federal Trade Commission recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity issued in 2014 by the National Institute of Standards and Technology and strongly endorsed by the White House. The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist. Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.
The FTC today announced a request for public comment on the Standards for Safeguarding Consumer Information Rule. The FTC promulgated the Safeguards Rule in 2002, implementing Title V of the Gramm-Leach-Bliley Act , which required federal agencies to establish standards for the administrative, technical, and physical safeguards employed by financial institutions for certain information. In addition to general requests for comment, the FTC requested that five specific issues be addressed, which we have outlined below. Comments are due by November 7, 2016.
On July 25, 2016, Hogan Lovells hosted a Silicon Valley dinner as part of its 2025 dinner series. The theme of the dinner was “I’m from Mars, You’re from Venus: The Tech Community and its Future Relationship with Government”. The discussion, moderated by Deirdre Mulligan of UC, Berkeley, focused on the tech community’s view of regulatory, law enforcement and national security issues, here in the U.S., as well as in Europe; and how the tech industry will be impacted by the upcoming U.S. elections as well as Brexit.
A new report from the Department of Health and Human Services Office of the National Coordinator for Health Information Technology highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.
In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of […]