On February 16, 2022, the Federal Trade Commission (FTC) filed a proposed settlement order in federal court in its case against WW International, Inc. (formerly known as Weight Watchers International, Inc.) and its subsidiary Kurbo, Inc. (Kurbo) to resolve allegations that the defendants violated the Children’s Online Privacy Protection Act and its implementing rules (COPPA). The FTC alleged that the defendants violated COPPA by failing to provide required notices and obtain verifiable parental consent prior to collecting, using, and disclosing personal information from children using their weight loss app. As part of the proposed settlement, the defendants are required to, among other things: 1) update their procedures to ensure that they obtain verifiable parental consent before collecting personal information from children, 2) destroy all of the personal information they obtained in violation of COPPA as well as any models or algorithms based on that information, and 3) pay a civil penalty of $1.5 million.
Continue Reading FTC Settles with Weight Watchers in First Children’s Privacy Case Requiring Deletion of Algorithms

On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March 21, 2024 to update existing contracts, but should use the new model clauses for any new contracts they sign as of September 21, 2022.

Background
Continue Reading New Model Clauses for Personal Data Transfers Outside the UK

On February 2, 2022, the Belgian Data Protection Authority (DPA) found that the Interactive Advertising Bureau Europe (IAB) Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences, violates the General Data Protection Regulation (GDPR). The DPA fined IAB Europe €250,000 (approx. USD 280,000), and required IAB Europe to present an action plan to bring the TCF into compliance within two months. To reach this conclusion, the DPA concluded that:
Continue Reading Belgian DPA Finds That IAB Europe’s Cookie Consent Framework Violates the GDPR

The Colorado Attorney General’s office is poised to begin the rulemaking process for the Colorado Privacy Act (ColoPA). On January 28, 2022, Colorado Attorney General Phil Weiser issued prepared remarks outlining key rulemaking topics and announcing plans to seek input from Colorado consumers, businesses, and other stakeholders over the coming months. Although the ColoPA does not come into force until July 1, 2023, the Attorney General noted that his office “expect[s] to be in a position to adopt final rules around a year from now.”
Continue Reading Colorado Attorney General Announces Privacy Rulemaking

Imagine you receive an inquiry from a state Attorney General (AG) about your privacy or security practices, and you aren’t sure what to do next. Maybe it’s because you have been concentrating on compliance efforts related to the California Privacy Rights Act (CPRA) and other new state privacy laws coming into effect, and you haven’t focused as extensively on the existing suite of state privacy or security laws, or on state AG enforcement of federal privacy laws, that may in fact apply to you. In this advisory, we provide a snapshot of recent privacy and security enforcement efforts by state AGs. Next, we offer some general tips on how to avoid getting into trouble with state regulators. Finally, we suggest what to do if, despite your best efforts, you become the subject of an inquiry.

Recent significant state AG enforcement efforts include:
Continue Reading Privacy and Security Enforcement: State AGs Flex Their Muscles