On October 16, the Federal Trade Commission (“FTC”) announced a final “click-to-cancel” rule that amends the previous Negative Option Rule to “make it as easy for consumers to cancel their enrollment as it was to sign up.” The Rule also imposes extensive requirements regarding misrepresentations, disclosures, and consent, among others. Most of the provisions will go into effect 180 days after publication in the Federal Register. As of today, the final rule has not yet been published. This final rule is the culmination of a five-year proceeding including the FTC’s issuance of a notice of proposed rulemaking (“NPRM”) in March 2023 and an advanced notice of proposed rulemaking in October 2019. We previously analyzed the proposed rule presented in the NPRM.Continue Reading FTC Issues Final “Click-to-Cancel” Rule
Advertising & Marketing
FTC Issues Final Rule on Reviews and Testimonials
On August 14, the FTC announced a final rule that, according to the FTC, is intended to “combat fake reviews and testimonials.” The rule will go into effect on October 21, 2024. This final rule is the culmination of the FTC’s issuance of an advance notice of proposed rulemaking (ANPRM)…
Continue Reading FTC Issues Final Rule on Reviews and TestimonialsNew York AG Issues Guidance on Website Privacy Controls
The New York Office of Attorney General (OAG) recently published guidance for website privacy controls. Although New York does not have a comprehensive privacy law, business’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”Continue Reading New York AG Issues Guidance on Website Privacy Controls
UK ICO Launches a Consultation on “Consent or Pay” Business Models
On 6 March 2024, the ICO issued a call for views on so-called “Consent or pay” models, where a user of a service has the option to consent to processing of their data for one or more purposes (typically targeted advertising), or pay a (higher) fee to access the service without their data being processed for those purposes. This is sometimes referred to as “pay or okay”.
The ICO has provided an “initial view” of these models, stating that UK data protection law does not outright prohibit them. It also sets out factors to consider when implementing these models and welcomes the views of publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders. The consultation is open until 17 April 2024.Continue Reading UK ICO Launches a Consultation on “Consent or Pay” Business Models
CJEU Decides the IAB Europe Case, Expanding the Concept of Controllership
On March 7, 2024, the CJEU rendered its judgement in the IAB Europe case (C-604/22). The case relates to role of IAB Europe, a sector organization, in its Transparency and Consent Framework (“TCF”) used by companies to record the GDPR consent granted (or not granted) by a user and to document compliance with their GDPR transparency obligations. The framework is widely used in digital advertising, including in real-time bidding scenarios; below, we set out the court’s three main findings.Continue Reading CJEU Decides the IAB Europe Case, Expanding the Concept of Controllership
Rules on Targeted Advertising: What do the Digital Markets Act and Digital Services Act Say?
2023 was marked by the adoption of key EU legislation in the field of data privacy, such as the Digital Services Act (“DSA”) and Digital Markets Act (“DMA”). Both introduce limitations and obligations on online platforms that process personal data for digital advertising. Ahead of the DSA and DMA’s implementation deadlines in February and March 2024 respectively, we will discuss below the key requirements they introduce specifically in relation to online targeted advertising. This blog post complements our previous blog post on the EU’s targeted advertising rules.Continue Reading Rules on Targeted Advertising: What do the Digital Markets Act and Digital Services Act Say?
Federal and State Telemarketing Legislative Updates
Federal and State Telemarketing Legislative Updates
This blog post summarizes recent telemarketing developments emerging at the federal level and from Missouri, Wisconsin and West Virginia.Continue Reading Federal and State Telemarketing Legislative Updates
Belgian Supervisory Authority Sanctions Data Broker
On January 16, 2024, the Belgian Supervisory Authority sanctioned a data broker for violating several provisions of the GDPR. In particular, the data broker processed personal data without an appropriate legal basis and in violation of its transparency obligation.
The more than 100-page decision explains that until July 2021 the data broker collected personal data from different sources and sold the data to interested third parties (“data delivery services”). The company also provided “data quality services” aimed at improving the quality and relevance of the personal data held by its clients. The relevant data were mainly used for advertising by postal mail.Continue Reading Belgian Supervisory Authority Sanctions Data Broker
EDPB Issues Draft Guidelines on Technical Scope of ePrivacy Directive Rules for Storage and Access
On November 16, 2023, the European Data Protection Board (“EDPB”) issued draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (“Guidelines”). Article 5(3) is the provision that requires consent before storing or accessing information on an end user’s device. Over the years it has become known as the “cookie rule,” but it is technology-agnostic. The Guidelines expand upon guidance issued by the Article 29 Working Group in 2014, and are intended to clarify when the requirement applies to new tracking methods. The Guidelines are open to public consultation through December 28, 2023.
The Guidelines identify and explain the four key elements that trigger the obligation to obtain opt-in consent under Article 5(3) of the ePrivacy Directive (“ePD”). The Guidelines set forth an extremely broad interpretation of what constitutes “storing” and “accessing” information on a user’s device that arguably goes beyond the plain meaning of these terms. This interpretation is likely to be relevant for companies considering how to approach the discontinuation of third-party cookies on many browsers. Continue Reading EDPB Issues Draft Guidelines on Technical Scope of ePrivacy Directive Rules for Storage and Access
Oregon Legislature Passes Update to State Telemarketing Law
In late June, the Oregon Legislature passed HB 2759, which would amend the state’s existing “do not call” law. The bill currently is awaiting action by the governor.
If enacted, the bill would make a person “liable for any loss and subject to any penalty” to the same extent…
Continue Reading Oregon Legislature Passes Update to State Telemarketing Law