HyperBeard, the makers of several children’s mobile apps (including KleptoCats), recently settled with the FTC over failure to obtain verifiable parental consent before collecting children’s personal information online, in violation of COPPA. In its complaint, the FTC argued that the HyperBeard apps were clearly directed to children. The apps contained brightly-colored animated characters, kid-friendly language, games that were easy to play, and were promoted on kids’ websites and publications.
Continue Reading KleptoCats Maker Settles with FTC Over Failure to Get Parental Consent

At the end of March, Washington, D.C. signed the Security Breach Protection Amendment Act of 2019, which adds some significant changes to D.C.’s existing data breach law, first enacted in 2007. The law is projected to take effect by June 13, 2020. Some of the major changes are summarized below.
Continue Reading D.C. Amends Data Breach Notification Law, Adds Security Requirements

The FTC recently issued comments on how companies can use artificial intelligence tools without engaging in deceptive or unfair trade practices or running afoul of the Fair Credit Reporting Act. The FTC pointed to enforcement it has brought in this area, and recommended that companies keep in mind four key principles when using AI tools. While much of their advice draws on requirements for those that are subject to the Fair Credit Reporting Act (FCRA), there are lessons that may be useful for many.
Continue Reading FTC Provides Direction on AI Technology

The FTC recently released its annual privacy and security report, providing a snapshot of the issues focused on in the previous year. These reports are often looked at as a signal for insights into the agency’s upcoming priorities. Generally, the report contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions from 2019, a year where we saw several record-setting fines. The report also discusses privacy/security workshops, consumer education, and international engagement. Some of the highlights from 2019 discussed in the report include:
Continue Reading FTC Releases 2019 Privacy and Security Year in Review

The FTC recently settled with the mobile phone company BLU Products, Inc., over allegations that the company was letting one of its vendors pull extensive and detailed personal information off of users’ phones. According to the FTC, BLU phones were pre-loaded with firmware updating tools made by ADUPS Technology. ADUPS, through its software, was then able to gain full administrative control of phones, according to the FTC complaint. Indeed, the FTC alleged that the software transmitted to ADUPS, without users knowledge, full content of text messages, real-time cell tower location data, contact lists, call logs, and lists of applications installed on phones. This became public in November 2016, and BLU assured consumers on its website that this “unexpected” data collection practices had stopped. According to the FTC, though, older devices still had this software.
Continue Reading FTC Outlines Expected Privacy Program Elements in BLU Settlement

Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and suggesting that the DAA Cross-Device Principles, while commendable, could be stronger.
Continue Reading FTC / DAA Extend Data Privacy Focus to Cross-Device Tracking

Last Thursday, in a vote split along party lines, the Federal Communications Commission (“FCC”) approved a new regulatory regime staking its claim to privacy regulation of both fixed and mobile Internet service providers (“ISPs”) like Comcast, Verizon, and AT&T.  The FCC’s rules follow its decision in the Open Internet Order, released last year and analyzed here, to classify broadband Internet access service as a common-carrier telecommunications service.  The FCC’s new rules are intended to give consumers control over the ways in which ISPs use and share their customers’ private information.  While the FCC has yet to release its Report and Order, the FCC’s Fact Sheet and statements by the commissioners indicate that the new privacy rules in many respects track the proposed rules the FCC put forward earlier this year, which seek to make the FCC the “toughest” privacy regulator in the Internet ecosystem by imposing on ISPs significantly more onerous and restrictive requirements for use and collection of consumer data than the Federal Trade Commission (“FTC”) imposes on its non-ISP competitors.
Continue Reading FCC Issues New Privacy Rules for Internet Service Providers: Safeguarding Consumers or Lulling Them Into A False Sense of Privacy?

In Federal Trade Commission v. LeadClick Media, LLC, 2016 U.S. App. LEXIS 17383 (2nd Cir. 2016), the Second Circuit recently held that an affiliate marketing network provider could be subjected to liability under the Federal Trade Commission Act (“FTC Act”) for deceptive marketing materials published by the affiliates.  It also concluded that Section 230 of the Communications Decency Act (“CDA”) did not immunize the network provider from liability.  In doing so, the Second Circuit emphasized that the network provider had knowledge of and the authority to control the content of the affiliate websites.  This ruling could increase the exposure of internet businesses to liability for deceptive acts or practices engaged in by third-party vendors or independent contractors.
Continue Reading No Protection for Network Marketing Provider That Had Knowledge and Authority to Control Deceptive Conduct of Affiliates

Many businesses are still coasting along enjoying the marketing advantages of social media without making sure they have a good compliance program in place. For every company with a Facebook fan page or Twitter account roughly 65 percent would admit they do not have a social media policy. For companies with a social media policy, many of those policies have been lifted from online samples that may be over broad, and include provisions that have been challenged with some success in court.
Continue Reading Is Your Company’s Social Media Launch Ahead Of Its Compliance Program

The preliminary Staff Report issued by the FTC earlier this month is the most aggressive effort by the FTC to date on the issue of online and mobile privacy generally. The preliminary Staff Report proposes a “do not track” mechanism along with an overall online privacy framework that would rigidly regulate how information is collected both online and through mobile devices, how it can be used, and how it must be stored. Deviating from the distinction between “personally-identifiable information” and “non-personally-identifiable information” that has formed the foundation for other privacy regulations and legislation, the framework proposed in the preliminary Staff Report maintains that such dichotomy is no longer relevant. Because this is arguably a profound change in the existing state of regulation in this area, the preliminary Staff Report is being circulated for comment before it becomes final. This article provides a basic outline of the proposed framework for those who may not already be familiar with the preliminary Staff Report.
Continue Reading The Federal Trade Commission’s Proposed Framework For Consumer Privacy Protection – The Basics