Federal Trade Commission (FTC)

FTC Updates Guidelines for Obtaining Parental Consent Applicable to Website Operators and Developers of Children’s Apps

On July 16, 2014, the Federal Trade Commission (“FTC”) issued revised guidance regarding compliance with the Children's Online Privacy Protection Act (“COPPA”). COPPA and the rules promulgated thereunder regulate the collection, use, and disclosure of personal information from children under age 13 by operators of commercial websites and online services, including mobile apps. The recent changes to the FTC’s Complying with COPPA: Frequently Asked Questions document clarify parental consent requirements with respect to such websites and services.

ComScore Reaches $14 Million Settlement in Electronic Privacy Class Action

June 17, 2014 | Posted by Dominique Shelton & Kim Chemerinsky | Topic(s): Federal Trade Commission (FTC), Privacy, Class Action, Big Data

On May 30, 2014, comScore Inc. announced that it has reached a $14 million settlement in the largest class ever certified in an Internet privacy lawsuit, composed of users who claim that comScore installed analytics software on their computers and sold their personal data to media outlets without their knowledge or consent. ComScore, a publicly-traded company, faced upwards of $1 billion in liability under various federal statutes aimed at protecting consumer privacy. This made it one of the largest (if not the largest) privacy class actions certified in the country.

Eleventh Circuit Paves the Way for the FTC’s Administrative Action to Proceed; FTC denies LabMD’s Motion for Summary Decision

Two decisions from last week have provided clarity – at least regarding which tribunal will first decide whether LabMD violated Section 5 – in the ongoing battle between the FTC and LabMD. In the first decision, the Eleventh Circuit refused to stay, pending appellate review, the FTC’s administrative action against LabMD. This decision came on the heels of the district court refusing to enjoin the FTC’s administrative action due to a lack of jurisdiction to do so. In the second decision, the FTC refused to grant LabMD’s Motion for Summary Decision. The net result of these decisions is twofold. First, the trial of the FTC’s administrative proceeding against LabMD is now in progress. Second, no federal court will likely address the merits of LabMD’s arguments until after the FTC’s administrative action concludes.

DOJ Issues White Paper on Cybersecurity Information Sharing Under the SCA

On Friday, May 9 the Department of Justice (DOJ) released a white paper stating that under its interpretation of the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., communications companies are permitted to disclose “non-content information to the government” as long as that information is in its “aggregate form.” The lynchpin of the DOJ’s analysis is whether the shared information identifies or provides information regarding particular subscribers or customers. Under that standard, data that “is aggregated but still provides information about a particular subscriber or customer” is prohibited from disclosure under the SCA. In releasing its white paper, the DOJ recognized that “information sharing is a critical component of bolstering public and private network owners’ and operators’ capacity to protect their networks against evolving and increasingly sophisticated cyber threats.” As such, “the private sector would benefit from a better understanding of whether the electronic communications statutes [DOJ enforces] prohibit them from voluntarily sharing useful cybersecurity information with the government.”

American Apparel Settles FTC Charge on Falsely Claiming Compliance with Safe Harbor Privacy Framework

On May 9, 2014, the Federal Trade Commission (the “FTC”) announced that American Apparel, Inc. (“American Apparel”) agreed to settle FTC charges that American Apparel falsely claimed it was compliant with the U.S.-European Union Safe Harbor (the “US-EU Safe Harbor Framework”).

The FTC’s complaint alleged that American Apparel, a clothing manufacturer and retailer with more than 200 stores worldwide, falsely represented that it was a “current” participant in the US-EU Safe Harbor Framework on its website when it was not a “current” participant from June 2013 until December 2013 as it had allowed its certification to lapse during that time.

Mobile Apps in the Spotlight during Upcoming GPEN International Privacy Sweep

On May 6, the Office of the Privacy Commissioner of Canada (the “Commissioner”) announced mobile apps as the Global Privacy Enforcement Network’s (“GPEN’s”) focus area during the upcoming International Privacy Sweep (the “Sweep”). The Sweep will be held from May 12 to 18, 2014, involving 27 privacy enforcement authorities from around the world. The news release states that this year’s Sweep will aim at “shedding light on the collection and use of personal information on mobile apps.”

LabMD Wins Discovery Disputes Against FTC; FTC Compelled to Disclose Data Security Standards

In the latest chapter of the ongoing battle between the FTC and LabMD, Inc. (“LabMD”) about the FTC’s claim that LabMD violated the FTC Act’s Section 5 bar on “unfair” acts or practices because of its allegedly inadequate data security practices, an administrative law judge overseeing the FTC’s administrative action against LabMD recently issued two discovery orders. These discovery orders may, at least to some extent, force the FTC to outline its sometimes opaque standards for data security.

FTC Invites Public Comments on Mobile Security

On April 17, 2014, the Federal Trade Commission (“FTC”) issued a press release, announcing that the FTC is seeking public comments to explore mobile security issues. The press release refers to the mobile security forum held last year to examine the state of mobile security (the “Forum”). In the press release, the FTC invites comments from the public to expand on a number of complex issues discussed at the Forum with an eye towards a report.

District Court Denies Wyndham Motion to Dismiss and Supports FTC's Authority in Data Breach Cases

In Federal Trade Commission v. Wyndham Worldwide Corp., et al., No. 13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), Judge Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham’s request to dismiss the lawsuit the FTC brought against the hotel resort chain as a result of its getting hacked. Wyndham had challenged the FTC’s power to assert an unfairness claim under Section 5 of the FTC Act. Although the Court’s ruling focused solely on the FTC’s authority to bring the lawsuit, and offered no opinion on the underlying merits of the allegations, the ruling could have broad ramifications on the FTC’s ability to pursue companies for unfair and deceptive trade practices when a data breach occurs.

LabMD’s Federal Court Actions Against the FTC Dismissed

LabMD is back in the news. This time, however, it’s not the FTC’s administrative action against LabMD that’s making headlines. (For information about the administrative action, please see our prior posts here and here.) Instead, LabMD’s federal court actions against the FTC – one in the United States Court of Appeals for the Eleventh Circuit and one in United States District Court for the District of Columbia – are now making news. Both have recently been dismissed. This means that, at least for now, the FTC’s administrative action will likely settle the parties’ disputes.

FTC Denies LabMD’s Motion to Dismiss

February 20, 2014 | Posted by Paula Stannard, Zach Neal, & Claire Readhead | Topic(s): Federal Trade Commission (FTC), Enforcement, Data Security

The FTC – in a decision that should surprise no one – refused to dismiss its administrative complaint (“Complaint”) against LabMD. This case – like the FTC’s case against Wyndham Worldwide – illustrates the continuing fight regarding the scope of the FTC’s power to regulate inadequate data security practices. In particular, this decision is important because it further explains the FTC’s rationale for regulating allegedly inadequate data security practices pursuant to its “unfair” acts or practices authority in Section 5 of the FTC Act. The decision also sets forth the FTC’s view as to why its Section 5 authority permits it to regulate and enforce data security when other statutes – such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) administrative simplification provisions addressing the privacy and security of health information – already regulate data security in a particular area. Because the FTC increasingly uses this Section 5 authority to regulate what it views as inadequate data security practices, businesses of any size that deal with data security – essentially all businesses to some degree – should closely review this decision. The bottom line: Unless the courts or Congress limit the FTC’s power in this context, the FTC is likely to expand the exercise of its Section 5 “unfair” acts or practices authority to regulate allegedly “unfair” data security practices by means of case-by-case enforcement actions – without issuing regulations or guidance to inform businesses and industries of the data security standards they must meet to comply with the FTC Act.

FTC Settles With Children’s Entertainment Company Over Safe Harbor Lapse

February 11, 2014 – The FTC today announced a proposed settlement with Fantage.com Inc., a children’s online entertainment company that allegedly misrepresented its adherence to the U.S.-European Union Safe Harbor Framework (the “Framework”).

Kim Peretti Quoted in Washington Post Article “Target Security Breach: Eric Holder Vows to Find Hackers”

February 5, 2014 | Posted by Privacy & Data Security Team | Topic(s): Federal Trade Commission (FTC), Security Breach, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Washington Post article “Target Security Breach: Eric Holder Vows to Find Hackers.” Attorney General Eric Holder confirmed that his agency is investigating the holiday heist on Target, which exposed weaknesses in the nation’s credit card system. As a result of the breach, the FTC was urged to launch an investigation into Target’s security practices. According to the article, the FTC can “bring an enforcement action against any company that fails to safeguard their customers’ personal information.”

Peretti stated that “most cases result in consent orders that force the company to establish tighter controls and subject it to routine audits.” “It’s been relatively common that companies that disclose consumer data breaches face inquiries by either the FTC or state attorneys general,” she said. “They are very active in that space and have been increasingly active in that space.”

Posted by Privacy and Data Security Team | Alston & Bird LLP

Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897) in an effort to both enhance criminal penalties for computer hacking, and create a tough Federal data breach notification statute. The bill was originally cosponsored (at the time of its introduction) by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and has since been cosponsored by Senator Robert Menendez (D-NJ). The bill has been referred to the Senate Judiciary Committee for consideration, and the committee is expected to hold a hearing on data security breach issues within the coming weeks.

Apple Agrees to Settle FTC Complaint Regarding In-App Purchases

January 15, 2014 - The Federal Trade Commission today announced that Apple has entered a settlement agreement containing a consent order to settle the FTC’s complaint alleging that the company billed consumers for charges incurred by children in kids’ mobile apps without their parents’ consent. Under the agreement, Apple will refund at least $32.5 million to customers whose children made in-app purchases without adequate parental consent.
