On November 29, 2017, the U.S. Court of Appeals for the Ninth Circuit joined the Third Circuit in narrowly defining “personally identifiable information” under the Video Privacy Protection Act (VPPA), holding in Eichenberger v. ESPN that the disclosure of a unique device identifier does not violate the act.1 The VPPA was passed in 1988 in … Continue Reading
The Federal Trade Commission (FTC) has provided new guidance on how it will enforce the Children’s Online Privacy Protection Act (COPPA) against companies collecting voice recordings from children, loosening the rules on how companies can collect and use voice data. Under the guidance, online services covered by COPPA can now collect voice recordings from children … Continue Reading
On December 4, 2017, the Network Advertising Initiative (NAI), a self-regulatory body comprised of more than 100 digital advertising companies that collect and use consumer information for online behavioral advertising (OBA),1 issued an update to its Code of Conduct (the “Code”). The Code imposes notice, choice, accountability, data security, and use limitation requirements on NAI … Continue Reading
On December 12, 2017, the Federal Trade Commission (FTC) held a workshop to examine consumer injury in the context of privacy and data security. The motivation for the workshop, according to Acting FTC Chairman Maureen Ohlhausen, was to help the FTC better understand consumer informational injury, weigh effectively the benefits of intervention against its inevitable … Continue Reading
In November 2017, Judge Edward J. Davila dismissed a major multidistrict litigation accusing Facebook of unlawfully tracking users’ browsing activity across websites while they were signed out of their accounts.1 The plaintiffs originally asserted several common law, tort, and statutory claims. Judge Davila dismissed most of those claims pursuant to earlier motions, leaving only the … Continue Reading
Nearly a year ago, in February 2017, the IRS issued a warning regarding phishing attacks targeting a broad range of companies. The scam involves a hacker impersonating an employee of a company, usually the CEO, and sending an email asking for a list of employees and their W-2 forms. The hacker would then make fraudulent … Continue Reading
The Federal Trade Commission (FTC) is seeking public comment on a petition by Sears Holding Management requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app. For more information, click here to see our … Continue Reading
On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company’s practice of pre-loading advertising software on its laptops that compromised consumers’ cybersecurity and privacy.1 In many respects, the case was reasonably straightforward: the facts as alleged were clear, and … Continue Reading
The biggest question looming over every class-action case filed in response to a data breach is: Will the plaintiffs have standing? The answer has divided courts in recent cases across the country. Last year, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that Congress could not confer standing to plaintiffs based on a … Continue Reading
The expanding use of mobile technologies, cloud computing, and the Internet of Things has greatly increased the amount of available consumer data. The ability to efficiently process this information has the potential to provide countless consumer benefits. Nevertheless, companies must navigate an ever-expanding patchwork of domestic and foreign laws and uncertainty regarding the application of … Continue Reading
Last year, the U.S. Supreme Court issued a decision in Spokeo Inc. v. Robins, holding that a plaintiff bears the burden of establishing Article III standing by alleging an injury in fact that is concrete, particularized, and actual or imminent.1 The Court stated that “Article III standing requires a concrete injury even in the context … Continue Reading
Complying with UK and EU data privacy regulations often presents a significant challenge for start-ups based in those regions. UK and EU start-ups expanding to the U.S. similarly need to be aware of U.S. data privacy regulations and whether their existing efforts will be sufficient. While the precise guidance will vary depending on the start-up, … Continue Reading
On October 18, 2017, the European Commission (EU Commission) published its report on the first annual review of the EU-U.S. Privacy Shield Framework (Privacy Shield). The EU Commission confirms that the Privacy Shield ensures an adequate level of protection for EU personal data that is transferred to the U.S., but calls on the U.S. government … Continue Reading
On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union. The Irish High Court referred this question to … Continue Reading
On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy. As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states, and per an … Continue Reading
On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had … Continue Reading
On July 3, 2017, the Federal Trade Commission (FTC) announced that it had settled charges that defendants Blue Global, an operator of dozens of consumer loan lead generation websites, and its founder and CEO, Christopher Kay, violated the FTC Act. The FTC alleges that the defendants had, among other practices, misled consumers about Blue Global’s … Continue Reading
On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) relating to privacy rules for the electronic communications sector. The Proposal will impose new, more rigorous privacy regulatory obligations on nearly all companies doing business in the EU over the Internet. It will address a host of important issues including the … Continue Reading
As connected devices become ubiquitous, it comes as no surprise that interactive toys that connect to the internet are more popular than ever. At the same time, regulators have taken note of the privacy and security concerns raised by lawmakers and privacy advocates about the proliferation of smart toys that collect personal information from kids. … Continue Reading
On July 21, 2017, Judge John A. Ross of the U.S. District Court for the Eastern District of Missouri issued a preliminary approval of a settlement agreement between the owner of AshleyMadison.com and the class representing former users whose personal information was breached in July 2015. Under terms of the settlement, Ruby Corp, the operator … Continue Reading
The EU Parliament Committee in charge of reviewing the EU Commission’s Proposal for an e-Privacy Regulation (Proposal) recently released a Draft Report proposing amendments to the regulation. The e-Privacy Regulation will regulate new electronic communication services such as instant messaging, VOIP services, web-based email, and IoT devices, and will impose significant additional obligations on Internet … Continue Reading
On January 10, 2017, the European Commission published a Proposal for a Regulation that if adopted would have significant and far-reaching implications for Internet-based services and technologies. The proposal seeks to revise the current EU ePrivacy Directive. It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the proposal … Continue Reading
As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs’ collection, use, sharing, and protection of their customers’ information, including information ISPs … Continue Reading
On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal … Continue Reading
