FTC Grants Sears’ Petition to Reopen and Modify 2009 Order Concerning Online Browsing Tracking

The Federal Trade Commission (FTC) recently granted a petition by Sears Holding Management requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.

Sears’ 2009 Order

On August 31, 2009, the FTC entered a final order in In the Matter of Sears Holdings Management Corporation after determining that from approximately April 2007 to January 2008, Sears disseminated a desktop software application through its websites that collected sensitive information, such as online bank statements, drug prescription records, and video rental records, yet Sears failed to disclose the scope of the application’s data collection. Among other things, the order required Sears to disseminate all future “tracking applications” in a specified manner, including by making certain disclosures and obtaining express opt-in consent using processes stipulated by the order, for a 20-year term. Continue Reading

Alabama Becomes Final State to Enact Data Breach Notification Law

On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. In addition to being the last state to enact a breach notification law, Alabama’s new law distinguishes itself in a variety of unique ways.

Consistent with other state breach notification laws, the new law defines “sensitive personally identifying information” maintained in electronic form (covered information) broadly. In addition to government issued forms of identification and financial account numbers, covered information includes an individual’s medical history, mental or physical condition, or medical treatment or diagnostic information when combined with the resident’s name. In addition, usernames or email addresses, in combination with a password or security question and answer, are also classified as covered information, but only if the account is affiliated with the entity that experienced the breach, and only if such credentials would permit access to an online account that is “reasonably likely to contain or is used to obtain” sensitive personally identifying information (i.e., if the username or email address and password grant access to covered information that triggers the notification requirement). These important caveats limit the circumstances in which entities that maintain covered information (covered entities) must notify Alabama residents of breaches involving usernames or email addresses and passwords. Continue Reading

Regulating Big Tech: Top of Mind Interview with Christopher Kuner

In a new interview appearing in “Regulating Big Tech,” published by Goldman Sachs Global Macro Research, Dr. Christopher Kuner, Senior Privacy Counsel at Wilson Sonsini Goodrich & Rosati, discusses the European Union’s upcoming General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. In the article, Dr. Kuner explores the global implications of the GDPR, the interconnections between data privacy and antitrust regulation, and the ongoing tensions between people’s desire to use technology and their concerns about privacy.

Click here to read the interview.

 

“Two Cops on the Beat is Nothing Unusual”: Ninth Circuit Reverses Panel Decision, Rules FTC Act’s “Common Carrier” Exemption is Activity-Based

On February 26, 2018, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision in FTC v. AT&T holding that the Federal Trade Commission (FTC) Act’s “common carrier” exemption is activity-based, reversing the panel’s decision that the exemption is status-based, which would have opened a large enforcement gap for telecommunications companies like AT&T. This is an important decision in terms of FTC jurisdiction: it means that the FTC can and will continue to regulate common carriers to the extent that they provide non-common-carrier services, such as mobile internet services.

Section 5 of the FTC Act gives the commission enforcement authority over unfair and deceptive acts or practices, but exempts “common carriers subject to the Acts to regulate commerce.” Unsurprisingly, the question of whether a company qualifies as a “common carrier” under the exemption is a loaded and complicated one. If an entity falls within the exemption, the FTC cannot bring an enforcement action against it for conduct it considers harmful to consumers. Conversely, companies that fall outside the exemption are subject to FTC regulation, leaving them open to liability for unfair or deceptive conduct, and requiring that they comply with a long list of FTC rules. Continue Reading

FTC Announces Settlement with PayPal for Alleged FTC Act and GLBA Violations by Venmo

On February 27, 2018, the Federal Trade Commission (FTC) announced1 that it had reached an agreement with PayPal to settle allegations that its peer-to-peer payment service, Venmo, engaged in deceptive acts and practices and violated the Gramm-Leach-Bliley Act (GLBA)’s Safeguards Rule2 and Privacy Rule.3 Since 2011, Venmo has offered peer-to-peer payment services through an app that consumers can download, link to their external bank accounts, and use to transfer and receive money to and from other users. In its complaint, the FTC alleged that PayPal, through Venmo, failed to adequately disclose that: (1) it could freeze or remove funds credited to a customer’s account; (2) the Default Audience Setting did not ensure that future transactions were visible only to chosen audiences; and (3) the Individual Audience Setting did not ensure that any single transaction was visible only to the chosen audience. The FTC also alleged that PayPal, through Venmo: (1) misrepresented that it protected consumers’ information with “bank-grade security systems;” (2) failed to protect the security, confidentiality, and integrity of customer information in violation of the GLBA’s Safeguards Rule; and (3) failed to send an adequate initial privacy notice to customers detailing its privacy policies and practices in violation of the GLBA’s Privacy Rule.4 Continue Reading

To Text or Not to Text? That Is the Question

Let’s face it: The residential phone line is on the verge of suffering the same fate as the 8-track tape. Anyone who doesn’t know what an 8-track tape is most assuredly uses a cell phone—and only a cell phone—to communicate. Email takes too long. And younger generations don’t even use the actual phone part of their cell phones.

The reality is that if you want to communicate with a very large segment of the U.S. population, you have to text. This explains why everyone is doing it. Doctors, dentists, veterinary practices, hair salons, airlines, car dealerships—businesses that make appointments—all send text reminders. Schools notify parents of school cancellations by texts. Hotels offer “virtual concierge” services entirely by texts. Retailers offer special discounts via texts. Should your business jump on the text message bandwagon? Maybe. The reward is high, but so is the risk.

Continue Reading

LexBlog