The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations
Following its 2021 Dark Patterns enforcement policy, the FTC recently issued a staff report on the practice. The report summarized many of the cases the agency has brought against companies it alleges have engaged in “dark patterns” designed to “get consumers to part with their money or data.” These include using design elements that induce false beliefs, that delay important and material information, that lead to unauthorized charges, or that subvert or confuse privacy choices.
The FTC recently announced an ambitious Advance Notice of Proposed Rulemaking (ANPR) broadly aimed at a host of privacy and data security issues. This is the first step by the agency to explore using its Section 18 rulemaking authority under the FTC Act to issue a broad consumer privacy-focused trade regulation rule. The ANPR poses 95 questions and various topics, ranging from collection of information from children, to consent, data security, biometrics, artificial intelligence, and automated decision-making. The ANPR is focused on the impact to consumers and as workers or employees in a business capacity.
Continue Reading FTC Announces Proposed Rulemaking On Privacy and Data Security
The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice
Continue Reading FTC Weighs In On Data Breach Notification
The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously voted to adopt a new policy statement on education technology and COPPA. These actions follow its March COPPA settlement with TickTalk Tech.
Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The
Continue Reading What’s the Big Deal About Dark Patterns?
The FTC recently published two new resources for complying with the Health Breach Notification Rule. The Rule requires vendors of personal health records (PHR), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. The guidance reaffirms and adds further clarity to the Agency’s broad interpretation of the Rule released in its policy statement last fall.
Continue Reading FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources
A California-based lead generation company recently settled with the FTC for $1.5 million over alleged privacy violations. The FTC argued that the company deceptively acquired consumer personal information and improperly
Continue Reading FTC Fines Lead Generation Company $1.5M Citing Misuse of Consumer Financial Data
The FTC recently settled with a surveillance app operator over allegations that the company facilitated the secret harvesting of personal information. According to the FTC, the main users of Support King, LLC’s “SpyFone” app were bad actors who used the tool to remotely monitor users’ physical and digital activities. The FTC dismissed the company’s argument that the users were employers and parents as a “pretext.” It felt neither group would want to use the product, which to install required minimizing the device’s security settings and potentially voiding the device warranty.
Continue Reading FTC Surveillance App Settlement Signals Concern Over Deceptive Tracking
The use of apps, wearables, and other devices used to track health and wellness data have continued to rise. The FTC again signaled its focus on this growing industry in a statement on the scope of the Health Breach Notification Rule. In the statement, the FTC called out specific types of apps and trackers that it views as having notification obligations under this rule.
Continue Reading FTC Warns Digital Health Industry to Comply with its Breach Notification Rule
The FTC recently announced the removal of Aristotle International, Inc. from the list of seven approved safe harbor programs under the Children’s Online Privacy Protection Act. Programs that are approved by the FTC must place requirements on participating organizations that are the same -or greater- than the requirements of COPPA. (As we have reported in the past, COPPA requires, inter alia, getting verified parental consent before collecting personal information from children online.) Companies that participate in those approved COPPA safe harbor programs are deemed in compliance with COPPA. Such protection can be valuable with a law, like COPPA, that has been found to be confusing to operationalize.
Continue Reading A COPPA First: Safe Harbor Program Removed From Approved List