The FTC recently settled with a surveillance app operator over allegations that the company facilitated the secret harvesting of personal information. According to the FTC, the main users of Support King, LLC’s “SpyFone” app were bad actors who used the tool to remotely monitor users’ physical and digital activities. The FTC dismissed the company’s argument that the users were employers and parents as a “pretext.” It felt neither group would want to use the product, which to install required minimizing the device’s security settings and potentially voiding the device warranty.

Continue Reading FTC Surveillance App Settlement Signals Concern Over Deceptive Tracking

Baltimore recently prohibited several uses of “face surveillance” technology.  Under the new law companies cannot use systems that identify or verify individuals based on their face.  The law also prohibits saving information gathered from these systems.  Getting an individual’s consent is not a way around the prohibition. Nor is promising not to connect information gathered with other personal information.

Continue Reading Baltimore Blows By Brother Burghs with Big Biometrics Ban

Companies are struggling to understand how to comply with rapidly changing and sometimes conflicting privacy obligations. For entities outside of the US seeking to do business in the States, approaching and understanding the patchwork of state and federal privacy laws can be daunting, especially since US privacy laws vary depending on the type of activities in which companies engage, the individuals from whom they gather or use information, and the industry in which the company operates. While there are some “general” privacy laws (notably in California and Virginia) those are the exception rather than the rule.

Continue Reading Tools for Understanding Global Privacy Obligations

As discussed in our sister blog, CARU’s revised Ad Guidelines go into effect on January 1, 2022. While the core principles of the guidelines have not changed, they now include new content to account for today’s advertising environment. Several modifications are important to keep in mind for those who collect information from children.

Continue Reading The Impact of the CARU Advertising Guidelines Change On Privacy

The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator credentials in its July 2019 semi-annual report.

Continue Reading SEC Fine Highlights Importance of Cybersecurity Disclosures

The California attorney general has created a tool for consumers to report situations where companies sell information but do not have an opt-out of sale link on their website. The release of the tool came at the same time as the AG’s update on its CCPA enforcement actions. In that update, the AG highlighted one of the most common problems it had found: not having appropriate disclosures around “sales.”

Continue Reading AG Implements Tool to Allow Consumer Reporting of Alleged DNS Violations

The FTC recently announced the removal of Aristotle International, Inc. from the list of seven approved safe harbor programs under the Children’s Online Privacy Protection Act. Programs that are approved by the FTC must place requirements on participating organizations that are the same -or greater- than the requirements of COPPA. (As we have reported in the past, COPPA requires, inter alia, getting verified parental consent before collecting personal information from children online.) Companies that participate in those approved COPPA safe harbor programs are deemed in compliance with COPPA. Such protection can be valuable with a law, like COPPA, that has been found to be confusing to operationalize.

Continue Reading A COPPA First: Safe Harbor Program Removed From Approved List

The FTC recently voted to authorize the use of compulsory processes—the FTC’s primary investigatory tools—on what it calls “key law enforcement priorities.” The resolutions allow investigators to take actions like issuing subpoenas and civil investigations demands (commonly referred to as “CIDs”) in a variety of areas. Of note is the inclusion of both healthcare markets and technology platforms, signaling a potential FTC interest in those sectors.

Continue Reading FTC Signals Focus on Healthcare and Technology Platforms, Among Others

Colorado recently joined Virginia and California in passing a more comprehensive privacy law. The Colorado Privacy Act (CPA) will go into effect July 1, 2023. This is six months after Virginia’s law (CDPA) and California’s Privacy Rights Act (CPRA), which amends the existing CCPA, go into effect. The law does not have a private right of action, and the AG is to adopt regulations on certain aspects by July 1, 2023.

Continue Reading And Then There Were Three: Colorado Passes Privacy Law, Effective July 2023

Texas’s data breach notification law was recently amended to require the state’s Attorney General to post notice of data breaches on a public website within 30 days of receiving notice of the data breach. It also requires companies to provide the AG with more information when notifying the AG of a breach.

Continue Reading Texas Breach Notification Law Amended, Changes Effective September 1, 2021

New York City recently enacted a biometric ordinance that is set to come into effect July 9, 2021. With this ordinance, NYC joins other cities (like Portland) in regulating the use of biometric information. The ordinance may impact retailers, restaurants, and entertainment venues in the city that use security cameras with facial-recognition technology or otherwise collect biometric identifiers from their customers.
Continue Reading New York City Biometric Ordinance Effective July 9, Are You Ready?