On May 3, 2023, the Federal Trade Commission (FTC) announced that it issued an order to show cause (the “show cause order”) to Meta Platforms, Inc. (formerly Facebook, Inc., “Meta”). The show cause order proposes major changes to the April 2020 order (the “2020 order”) pursuant to which Meta agreed to make substantial changes to its privacy program and pay a … Continue Reading
On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed consent order against Drizly and its CEO, James Cory Rellas, over the online alcohol marketplace company’s data breach incident in 2020, which exposed personal information of about 2.5 million customers. The order is noteworthy in that it 1) personally names and requires Drizly’s … Continue Reading
Last week, the Federal Trade Commission (FTC) and the District Attorneys of Los Angeles County and Riverside County agreed to an order to settle claims against Frontier Communications Intermediate, LLC and its parent company, Frontier Communications Parent, Inc. (collectively, Frontier). The plaintiffs alleged that Frontier promised internet speeds that Frontier did not deliver. The order, approved by … Continue Reading
On April 12, 2022, the U.S. Consumer Financial Protection Bureau (CFPB) filed a lawsuit against TransUnion, two of its subsidiaries, and former TransUnion executive John Danaher in his individual capacity for violating an enforcement order. That order, from January 2017, was part of a settlement in which TransUnion agreed to pay $16.9 million in restitution … Continue Reading
The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in … Continue Reading
Justices Considered Whether Certain Court-Imposed Monetary Remedies Are Legal On Wednesday, January 13, 2021, the U.S. Supreme Court heard arguments in the much-anticipated case of AMG v. FTC, which challenges the Federal Trade Commission’s (FTC’s) authority to obtain monetary relief in court under Section 13(b) of the FTC Act. The Court’s decision is likely to have a significant … Continue Reading
On December 24, 2020, the European Commission (EC) and UK government announced the long-awaited EU-UK Trade and Cooperation Agreement (the Brexit Agreement), which sets out the future relations between the EU and the UK. If approved, the Brexit Agreement will become effective on January 1, 2021, and will have the following repercussions:… Continue Reading
On November 12, 2020, the European Commission (EC) issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The long-awaited New SCCs include several modules that companies can use depending on the transfer scenarios, such as controller-to-controller, controller-to-processor, and processor-to-processor data exports. The New SCCs have also been updated to reflect the high … Continue Reading
On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.… Continue Reading
On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands. In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining … Continue Reading
On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish … Continue Reading
Over the last few days, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and various Supervisory Authorities (SAs) across Europe issued statements addressing the decision of the European Court of Justice (ECJ) to invalidate the EU-U.S. Privacy Shield framework (Schrems 2.0). Below we summarize some of the main reactions. The EDPB … Continue Reading
In Liu v. Securities & Exchange Commission,1 the Supreme Court upheld, but circumscribed, the Securities and Exchange Commission’s (SEC’s) disgorgement authority by holding 8-1 that the SEC may seek disgorgement through its equitable relief power only if the award does not exceed a wrongdoer’s net profits and is awarded to victims. Although this decision is important in … Continue Reading
On June 30, 2020 the Federal Trade Commission (FTC) announced that it reached a settlement in its litigation against NTT Global Data Centers (formerly RagingWire Data Centers) over allegations that the company misled customers about its adherence to the EU-U.S. Privacy Shield framework.1 As part of the settlement, the cloud service provider is required to hire … Continue Reading
On June 19, 2020, the Federal Trade Commission (FTC) submitted to Congress two reports that Congress requested in connection with the spending bill that funds the FTC. One of these reports (the “Resources Report”) describes the resources used and needed by the FTC to protect consumer privacy and security, and the second (the “Authorities Report”) describes … Continue Reading
On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the … Continue Reading
On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space. Background … Continue Reading
On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case[1] on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive. In particular, the AG opines that: 1) … Continue Reading
On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.1 According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company … Continue Reading
The expanding use of mobile technologies, cloud computing, and the Internet of Things has greatly increased the amount of available consumer data. The ability to efficiently process this information has the potential to provide countless consumer benefits. Nevertheless, companies must navigate an ever-expanding patchwork of domestic and foreign laws and uncertainty regarding the application of … Continue Reading
Complying with UK and EU data privacy regulations often presents a significant challenge for start-ups based in those regions. UK and EU start-ups expanding to the U.S. similarly need to be aware of U.S. data privacy regulations and whether their existing efforts will be sufficient. While the precise guidance will vary depending on the start-up, … Continue Reading
On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union. The Irish High Court referred this question to … Continue Reading
On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy. As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states, and per an … Continue Reading
On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had … Continue Reading
