Christopher Olsen

Subscribe to all posts by Christopher Olsen

Round Three: FTC Proposes Further Restrictions on Meta’s Privacy Practices and a Complete Prohibition on Meta Monetizing Youth Data

On May 3, 2023, the Federal Trade Commission (FTC) announced that it issued an order to show cause (the “show cause order”) to Meta Platforms, Inc. (formerly Facebook, Inc., “Meta”). The show cause order proposes major changes to the April 2020 order (the “2020 order”) pursuant to which Meta agreed to make substantial changes to its privacy program and pay a … Continue Reading

FTC Announces Settlement with Drizly; Complaint Names CEO in His Individual Capacity

On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed consent order against Drizly and its CEO, James Cory Rellas, over the online alcohol marketplace company’s data breach incident in 2020, which exposed personal information of about 2.5 million customers. The order is noteworthy in that it 1) personally names and requires Drizly’s … Continue Reading

FTC Takes Aggressive Action Against Internet Service Provider for Misrepresenting Internet Speeds

Last week, the Federal Trade Commission (FTC) and the District Attorneys of Los Angeles County and Riverside County agreed to an order to settle claims against Frontier Communications Intermediate, LLC and its parent company, Frontier Communications Parent, Inc. (collectively, Frontier). The plaintiffs alleged that Frontier promised internet speeds that Frontier did not deliver. The order, approved by … Continue Reading

Consumer Financial Protection Bureau Alleges Dark Patterns in Advertising of Financial Products; Files Suit Against TransUnion and Senior Executive for Violating Order

On April 12, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) filed a lawsuit against TransUnion, two of its subsidiaries, and former TransUnion executive John Danaher in his individual capacity for violating an enforcement order. That order, from January 2017, was part of a settlement in which TransUnion agreed to pay $16.9 million in restitution … Continue Reading

EU Reaches Political Agreement on Additional New Rules for Digital Platforms in the Digital Services Act

The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in … Continue Reading

U.S. Supreme Court May End Key FTC Consumer Protection Enforcement Practice

Justices Considered Whether Certain Court-Imposed Monetary Remedies Are Legal On Wednesday, January 13, 2021, the U.S. Supreme Court heard arguments in the much-anticipated case of AMG v. FTC, which challenges the Federal Trade Commission’s (FTC’s) authority to obtain monetary relief in court under Section 13(b) of the FTC Act. The Court’s decision is likely to have a significant … Continue Reading

The Privacy Impact of the New Brexit Deal

On December 24, 2020, the European Commission (EC) and UK government announced the long-awaited EU-UK Trade and Cooperation Agreement (the Brexit Agreement), which sets out the future relations between the EU and the UK. If approved, the Brexit Agreement will become effective on January 1, 2021, and will have the following repercussions:… Continue Reading

European Commission Issues New SCCs for Data Transfers to Third Countries

On November 12, 2020, the European Commission (EC) issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The long-awaited New SCCs include several modules that companies can use depending on the transfer scenarios, such as controller-to-controller, controller-to-processor, and processor-to-processor data exports. The New SCCs have also been updated to reflect the high … Continue Reading

EDPB Publishes Draft Recommendations on Supplementary Measures for Data Transfers

On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.… Continue Reading

France’s Administrative High Court Greenlights Microsoft’s Hosting of Health Data in Face of CNIL’s Schrems II Concerns

On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands. In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining … Continue Reading

EDPB Issues Guidelines on Social Media Targeting Under GDPR

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish … Continue Reading

Initial Reaction of European Data Protection Regulators to Schrems 2.0 Judgment

Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions. The EDPB … Continue Reading

Liu v. SEC: Foreshadowing a Challenge to the FTC’s Disgorgement Authority

In Liu v. Securities & Exchange Commission,1 the Supreme Court upheld, but circumscribed, the Securities and Exchange Commission’s (SEC’s) disgorgement authority by holding 8-1 that the SEC may seek disgorgement through its equitable relief power only if the award does not exceed a wrongdoer’s net profits and is awarded to victims. Although this decision is important in … Continue Reading

FTC Announces Unusually Stringent Consent Order in Privacy Shield Case Settlement

On June 30, 2020 the Federal Trade Commission (FTC) announced that it reached a settlement in its litigation against NTT Global Data Centers (formerly RagingWire Data Centers) over allegations that the company misled customers about its adherence to the EU-U.S. Privacy Shield framework.1 As part of the settlement, the cloud service provider is required to hire … Continue Reading

FTC Outlines Potential Changes to Enhance Privacy and Security Enforcement Efforts If Given More Resources

On June 19, 2020, the Federal Trade Commission (FTC) submitted to Congress two reports that Congress requested in connection with the spending bill that funds the FTC. One of these reports (the “Resources Report”) describes the resources used and needed by the FTC to protect consumer privacy and security, and the second (the “Authorities Report”) describes … Continue Reading

Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the … Continue Reading

The ICO Publishes Its Stance on Adtech and Real-Time Bidding

On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space. Background … Continue Reading

CJEU Advocate General Opinion Calls for Active and Separate Cookie Consents

On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case[1] on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive. In particular, the AG opines that: 1) … Continue Reading

What’s Old Is New Again: FTC Takes Rare Step of Withdrawing and Reissuing Expanded Data Security Settlement with Uber in Light of 2016 Data Breach

On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.1 According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company … Continue Reading

Starting Up the CFPB’s No-Action Letter Program

The expanding use of mobile technologies, cloud computing, and the Internet of Things has greatly increased the amount of available consumer data. The ability to efficiently process this information has the potential to provide countless consumer benefits. Nevertheless, companies must navigate an ever-expanding patchwork of domestic and foreign laws and uncertainty regarding the application of … Continue Reading

The European Start-Up’s Guide to U.S. Data Privacy

Complying with UK and EU data privacy regulations often presents a significant challenge for start-ups based in those regions. UK and EU start-ups expanding to the U.S. similarly need to be aware of U.S. data privacy regulations and whether their existing efforts will be sufficient. While the precise guidance will vary depending on the start-up, … Continue Reading

European Court of Justice to Rule on Validity of Standard Contractual Clauses

On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union. The Irish High Court referred this question to … Continue Reading

Lenovo Settles FTC Charges Regarding Pre-Installed Software That Compromised Consumers’ Cybersecurity and Privacy

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy. As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states, and per an … Continue Reading

Key New Takeaways from Uber’s Privacy and Data Security Settlement with the FTC

On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had … Continue Reading
LexBlog