Following, by a day, a privacy-related claim challenge brought against another advertiser, the National Advertising Division found that advertiser DuckDuckGo had sufficiently substantiated its privacy claims. These cases are significant reminders in two ways. First, that claims made about privacy and security can be viewed through an advertising lens and examined to see if they are properly substantiated. Second, that the NAD, the self-regulatory body that actively examines truth and accuracy of advertising, is looking at privacy claims. As those familiar with the NAD are aware, it refers those who do not cooperate to the FTC for priority action to examine if there have been violations of Section 5 of the FTC Act.

Continue Reading NAD Examines Privacy Statements Made By DuckDuckGo in Online Ads

The National Advertising Division, a self-regulatory body that examines the truth and accuracy of advertising claims, recently examined privacy claims made by Brave, Inc. Using the same analysis given to other advertising claims, the NAD analyzed Brave’s statements about consumer privacy. It assessed both the implied as well as the express claims made by the company as well as the extent to which the substantiation Brave had for the claims supported those claims.

Continue Reading NAD Brings False Advertising Claims Over Privacy Representations

With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be impacted by regulations that have either not been drafted, or if drafted, remain unfinalized. What, then, can companies do now? Familiarizing themselves with the types of requirements and beginning to address and develop mechanics for those requirements is a good start. Fortunately for most, these will not be new, as they are conceptually covered by CCPA, GDPR, or both.

Continue Reading Preparing for US State Privacy Law Compliance: The Six Month Mark

On June 7, Sen. Sherrod Brown (D-OH), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to Treasury Secretary Janet Yellen to request a review by the Financial Stability Oversight Council of financial institutions’ consumer data activities and their potential threat to U.S. financial stability and security. The letter raised concerns that this information may be sold to third-party purchasers or data brokers who compile it with personal data collected from other sources often associated with advertising and exploited for other uses. The Committee also raised concerns that such data could be used for nefarious purposes including “glean[ing] consumers’ tolerance for price hikes, or using certain people’s spending patterns to target them for blackmail or ransomware.” 

Continue Reading Senate Banking Committee Sends Letter to Yellen on Collection, Use of Consumer Data

Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.
Continue Reading Connecticut Fifth State to Pass a Comprehensive Privacy Law

The Colorado AG’s office recently released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The office is seeking informal public feedback on a series of topics. While the AG listed eight specific topics for feedback, the public can offer input on any aspect of the upcoming rulemaking. The AG’s office is interested in comments about the universal opt-out, the requirements around consent, and “dark patterns.” The AG is also interested in circumstances triggering data protection assessments and the requirements around profiling. Questions were also posed about “offline” collection of data. Lastly, the office seeks feedback to the rules around opinion letters and about how CPA compares or contrasts to privacy laws in other jurisdictions.

Continue Reading Colorado AG Seeks Input on Key Aspects of Upcoming Privacy Act

The California AG recently issued an opinion interpreting the scope of information that should be provided to consumers in an access request. In responding to access requests, companies must provide a list of all personal information that it has about that consumer. The AG opinion clarifies that inferences a company draws from personal information should be included in such a response.
Continue Reading In First CCPA “Opinion”, California AG Clarifies Scope of Access Requests

The Digital Advertising Accountability Program, which enforces privacy principles for digital advertising, issued a compliance warning to advertisers regarding device fingerprinting. This warning is worth keeping in mind, since the “fingerprinting” practice is rising in more and more industries.
Continue Reading DAA Issues Warning On Device Fingerprinting

The Office of the Australian Information Commissioner issued a determination earlier this fall about 7-Eleven’s use of “faceprints.” The OAIC found the convenience store improperly collected faceprint information without getting individuals’ consent in violation of the Privacy Act.

Continue Reading Australia Objects to 7-Eleven’s In-Store Use of Facial Recognition Technology

The Federal Trade Commission recently issued a new enforcement policy statement about “dark patterns:” programs that attempt to “trap” consumers into service contracts. These programs usually take the form of negative option marketing programs, according to the FTC, and are regulated under most states’ laws as well as the Restore Online Shoppers Confidence Act (ROSCA).

Continue Reading FTC To Focus Enforcement Efforts on Dark Patterns

Apple has issued new guidelines for apps that let people create accounts. The guidelines will require these apps to give people a way to delete their accounts. This requirement is broader than CCPA and GDPR deletion rights, as it applies to all users (not just those from specific territories). The requirements go into effect for submissions starting January 31, 2022.

Continue Reading Apple To Require Ability to Delete Accounts In-App