Regulatory

Subscribe to Regulatory via RSS

On April 30,2018, the Federal Trade Commission (FTC) announced a settlement with mobile phone manufacturer BLU Products and its owner over allegations that the company failed to implement appropriate procedures to oversee their service providers’ security practices, which allowed the service provider to install software containing commonly known security vulnerabilities on consumers’ mobile devices and to collect detailed personal information about consumers, such as text messages and location information, without consumers’ notice and consent.

According to the FTC’s complaint, BLU and its owner contracted with China-based ADUPS Technology to preinstall certain security software on BLU devices. The complaint alleged that, unbeknownst to consumers, the ADUPS software on BLU devices transmitted their personal information to ADUPS servers, including contents of text messages, real-time location data, call and text message logs, contact lists, and a list of applications installed on the device. The FTC did not allege that ADUPS used or disclosed consumers’ personal information.Continue Reading Feeling BLU: What You Need to Know About Overseeing Your Service Providers

The U.S. District Court for the Northern District of California recently ruled that a certified class action on behalf of Illinois Facebook users alleging that the social network unlawfully collects biometric data from photo tagging will go forward, denying both parties’ summary judgment motions. This case is one of the first major tests of the scope of Illinois’s Biometric Information Privacy Act (BIPA).1 The litigation was originally filed in 2015, in response to Facebook’s launch of its “Tag Suggestions” feature, which used facial recognition algorithms to deliver suggested names for individuals in photos. Specifically, Facebook’s Tag Suggestions feature matched photos of an individual against other photos the individual was tagged in to suggest the name of the individual in the photo.

Illinois’s BIPA is one of only three state biometric privacy statutes on the books in the U.S., and the only one that allows for a private right of action.2 BIPA, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s biometric information unless it satisfies certain notice, consent, and data retention requirements. For example, entities must notify the person that their biometric information is being collected and stored; state the purpose for collecting, storing, and using the biometric information; and state the length of time the biometric information will be retained. The entity must also obtain written consent from the individual before it obtains the biometric information. Biometric information is defined as a retina or iris scan, fingerprint, voiceprint, or scan of face geometry. BIPA authorizes damages of $1,000 per violation for negligent violations of the law, and $5,000 per violation for intentional or reckless violations. Damages in the Facebook case could amount to billions.Continue Reading Facebook Biometric Suit Moves Forward

In a surprising twist, the California legislature rushed last week to pass one of the most comprehensive privacy laws in the country. The bill was introduced only a week prior, and within hours of passage,
Continue Reading California Enacts Sweeping Privacy Law to Avert Potential Ballot Measure

The U.S. Court of Appeals for the Eleventh Circuit recently released its highly anticipated decision in the long-running case pitting the now-defunct medical laboratory LabMD against the Federal Trade Commission (FTC), vacating the FTC’s data
Continue Reading Eleventh Circuit LabMD Decision Significantly Restrains FTC’s Remedial Powers in Data Security and Privacy Actions

On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.1 According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company in connection with a data breach it suffered in 2016. The revised complaint includes new factual allegations regarding that breach,2 and the revised consent order includes significant new reporting obligations for the company regarding future breaches, new obligations for the order’s mandated privacy program, and additional reporting and recordkeeping obligations that will last for longer periods of time.3

Those that closely follow the FTC know that any modifications to consumer protection settlements after they have been proposed by the FTC are extremely rare, so it’s worth taking a closer look at what triggered this unusual action and the important new insight it provides into the FTC’s current thinking on what it considers unreasonable security practices. Additionally, the FTC’s revised complaint provides, for the first time, concrete guidance on what it considers “legitimate” uses of a bug bounty program.
Continue Reading What’s Old Is New Again: FTC Takes Rare Step of Withdrawing and Reissuing Expanded Data Security Settlement with Uber in Light of 2016 Data Breach

In a novel interpretation of the Federal Trade Commission (FTC) Act, the U.S. District Court for the District of Delaware recently held in FTC v. Shire ViroPharma that the FTC had failed to plead the facts necessary to invoke its authority to sue for permanent injunction in federal court because it did not allege an ongoing or imminent violation of the FTC Act. This ruling could broadly impact the FTC’s authority to litigate cases in federal court for past violations of the FTC Act and prevent the FTC from seeking permanent injunctive relief in federal court unless the defendant is currently violating, or is about to violate, the act.

Factual Background

The FTC had brought suit against Shire for anti-competitive use of the U.S. Food and Drug Administration’s (FDA’s) citizen petition process to delay generic competition. The FTC alleged that the company exploited the FDA’s petition process to an extraordinary degree, submitting more than 46 regulatory and court filings. The company’s attempts to delay competition were ultimately unsuccessful, as Shire lost its legal challenges to the FDA, and the company was no longer engaged in the practice at the time the FTC’s complaint was filed. Nevertheless, the FTC’s complaint alleged that Shire had succeeded in delaying generic entry at great cost to consumers and demanded relief.
Continue Reading Federal Court Challenges FTC’s Litigation Authority in FTC v Shire ViroPharma