The Federal Trade Commission (FTC) has settled its first-ever complaint against social media influencers for deceptive endorsements. According to the FTC’s complaint, Trevor “TmarTn” Martin and Thomas “Syndicate” Cassell, two influencers who have wide followings in the online gaming community, promoted an online gambling service called CSGO Lotto on YouTube and Twitter without disclosing that they jointly owned the company. The complaint also charges that they paid other gaming influencers thousands of dollars to promote the service on social media platforms, while prohibiting them from saying anything that might impair its reputation.
Complying with UK and EU data privacy regulations often presents a significant challenge for start-ups based in those regions. UK and EU start-ups expanding to the U.S. similarly need to be aware of U.S. data privacy regulations and whether their existing efforts will be sufficient.
While the precise guidance will vary depending on the start-up, in a new article from Notion Capital, WSGR’s privacy and data protection team, and Dan Glazer, a partner in the firm’s U.S. expansion practice, offer a brief guide to help point you in the right direction on a few fundamental U.S. privacy questions.
On October 18, 2017, the European Commission (EU Commission) published its report on the first annual review of the EU-U.S. Privacy Shield Framework (Privacy Shield). The EU Commission confirms that the Privacy Shield ensures an adequate level of protection for EU personal data that is transferred to the U.S., but calls on the U.S. government to implement a number of recommendations.
Certified companies can continue to rely on the Privacy Shield to receive EU personal data in compliance with EU data protection law. This is an important validation of a key mechanism used by EU and U.S. companies transferring data to the U.S., particularly in light of the current uncertainty around data transfers arising from court challenges to the Standard Contractual Clauses and the Privacy Shield.
For more information, please see our complete WSGR Alert on the new report.
On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union.
The Irish High Court referred this question to the Court of Justice of the European Union (CJEU). This is the second time that the CJEU has been asked to determine the validity of a data transfer mechanism. In 2015, the CJEU invalidated the EU-U.S. Safe Harbor Framework. If the CJEU invalidates the SCCs, thousands of companies that rely on this data transfer mechanism could be left without a legal basis for the data transfers on which their businesses rely.
On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy. As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states, and per an agreement with the FTC, Lenovo will be required to implement a comprehensive software security program for most consumer software preloaded on its laptops for the next 20 years. The settlement highlights the ongoing interest by the FTC and state attorneys general regarding cybersecurity vulnerabilities in software and makes clear the FTC’s position that hardware manufacturers have an obligation to evaluate the security of third-party software they preinstall on their devices.
On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises. Specifically, the FTC levied two deception counts against Uber: (1) that the company had failed to consistently monitor and audit internal access to consumers’ personal information, despite public promises to do so; and (2) that the company had failed to provide reasonable security for consumers’ personal information stored in its databases, despite its security promises. Under the resulting proposed consent order, Uber will be prohibited from misrepresenting how it monitors or audits internal access to consumers’ personal information and how it protects and secures that data. Uber will also be required to implement a comprehensive privacy program that will be subject to independent biennial audits for the next 20 years, and will need to comply with the standard set of consent order recordkeeping and compliance reporting and monitoring requirements.