The FTC recently announced a settlement with Global Tel*Link, a telecommunications company that contracts with prisons and jails to provide communication services to incarcerated individuals and their families. Those who use their services create accounts with the company and are required to provide not only usernames and passwords but also Social Security numbers and government ID numbers. The company also collects financial account information as well as names and addresses. The company included in its marketing materials promises about security, including that it was the “cornerstone of what we do.” The company also made promises about its security in RFPs to prisons and jails.Continue Reading FTC Decision with Global Tel*Link Signals Expectations for Use of Testing Environments

Biden’s sweeping AI Executive Order sought to have artificial intelligence used in accordance with eight underlying principles. The order, while directed to government agencies, will impact businesses as well. In particular, the order has privacy and cybersecurity impacts on companies’ use of artificial intelligence. Among other things, companies should keep in mind the following:Continue Reading What Is the Privacy Impact of the White House AI Order for Businesses?

The FTC’s second attempt to pursue the data broker, Kochava, continues to move forward. The amended complaint, which was just unsealed and thus available for the public to review, gives insight into the agency’s perspective on the harm that results when companies create profiles with sensitive information, and use that information to target ads to individuals. The amended complaint provides more detail about Kochava’s alleged practices; allegations the company strongly disagreed with. (Thus, why it sought -unsuccessfully- to have it sealed.)Continue Reading Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles

The FTC recently amended the Safeguards Rule to make non-banking institutions such as mortgage brokers, motor vehicle dealers, and payday lenders notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. The FTC plans to provide an online form that will be used to report certain information, including the type of information involved in the security event and the number of consumers affected or potentially affected. The FTC’s Safeguards Rule also requires non-banks to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.Continue Reading Impact of FTC Safeguard Rules Amendment on Breach Notification Timing

The FTC continues its focus and concern on use of technologies that integrate artificial intelligence, this time turning to potential consumer harm with voice cloning technology. Today the commission announced a challenge looking for solutions to help monitor and prevent malicious voice cloning. In the announcement, the FTC pointed to current scams where threat actors use cloned voices -created using AI tools- to conduct scams. For example, money requests from a person’s “relative.” The winner will receive a $25,000 prize, and entries will be accepted in the first weeks of January.Continue Reading FTC Vocalizes AI Voice Cloning Challenge

The Massachusetts Gaming Commission approved data privacy regulations under the 2022 Massachusetts Sports Wagering Act earlier this fall. While directed to a narrow group of companies, the restrictions around use of artificial intelligence, profiling and breach notification suggest the types of concerns that we may see other regulators focus on in other industries.Continue Reading Massachusetts Wagers Big on Privacy in Sports Betting

The Children’s Advertising Review Unit (CARU) released new guidelines for interacting with children in the metaverse: Building Guardrails for Child-Directed Advertising & Privacy in the Metaverse. The guardrails are intended to be “realistic and actionable” ways for companies to comply with privacy laws and engage responsibly with children online.Continue Reading CARU Releases Metaverse Guidelines

Beginning today, the UK adequacy decision for US data protection measures goes into effect. As a result, UK companies can transfer personal information to entities in the US that are participants in the EU-US Data Privacy Framework (DPF). As part of the decision, the UK Secretary of State will review the ongoing sufficiency of the DPF every four years. The ICO, in supporting the decision, suggested that the UK Secretary of State look at specific factors when reassessing the program. These include the risk to UK data subjects for automated decision making and right to be forgotten.Continue Reading No Need to Mind the Gap – UK Extension is a Data Bridge for US-UK Data Transfers

Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states — California, Colorado and Florida — regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common though, is optimized pricing or providing a higher quality of services in exchange for getting personal information. For those who offer loyalty programs, depending on how they are operated, they may viewed as be financial incentives under these laws. Colorado’s comprehensive privacy law, on the other hand, imposes obligations on companies that operate “bona fide loyalty programs.” These are defined as programs where information is processed solely to provide the program’s benefits. Benefits must be -like in California- better pricing or quality of services.Continue Reading The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs

The SEC has now finalized its much anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance, and unlike in the past, are now codified under the Securities Exchange Act of 1934 and the Securities Act of 1933.Continue Reading SEC Gives Finality on Cybersecurity Disclosures for Public Companies

The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?